The BlackCat/ALPHV ransomware group has added a new tool called ‘Munchkin’, which stealthily deploys encryptors on network devices by running them inside virtual machines.
Munchkin lets BlackCat operate on remote systems and encrypt remote Server Message Block (SMB) or Common Internet File System (CIFS) network shares. This addition broadens BlackCat’s offering, making its Ransomware-as-a-Service (RaaS) more attractive to prospective criminal affiliates.
Palo Alto Networks’ Unit 42 reports that Munchkin is a customized Alpine Linux distribution delivered as an ISO file. After breaching a device, the attackers install VirtualBox and create a virtual machine from the Munchkin ISO. This virtual environment contains a range of scripts and utilities that let the attackers access passwords, spread through the network, build a BlackCat ‘Sphynx’ encryptor payload, and execute software on other machines in the network.
The virtual machine also uses the ‘tmux’ utility to launch a Rust-based malware binary named ‘controller’. The controller reads an embedded configuration file containing victim details, credentials, and other sensitive information, and uses that data to build customized BlackCat encryptors, which are then used to encrypt files.
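The deployment chain described above (VirtualBox installed on a compromised host, a VM created from an ISO, then started) leaves a recognizable trail in host process telemetry. The script below is an added example written for this page, not tooling from Unit 42 or any vendor: it correlates constructed process-creation events per host and user and rates the sequence, treating an ISO-backed VM started on a server-class host as the highest-risk pattern. The `ts|host|user|image|cmdline` event format, the server-naming regex, and the sample paths, user names and file names are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample telemetry (not real data), one "ts|host|user|image|cmdline"
# event per line. The format is a hypothetical stand-in for EDR or Sysmon
# process-creation records; the VBoxManage arguments are normal VirtualBox usage.
SAMPLE_EVENTS = r"""
2023-10-20T09:12:03|FILESRV01|CORP\svc_backup|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Users\Public\VirtualBox-7.0.10-Win.msi /qn
2023-10-20T09:13:40|FILESRV01|CORP\svc_backup|C:\Program Files\Oracle\VirtualBox\VBoxManage.exe|VBoxManage.exe createvm --name vm1 --register
2023-10-20T09:13:41|FILESRV01|CORP\svc_backup|C:\Program Files\Oracle\VirtualBox\VBoxManage.exe|VBoxManage.exe storageattach vm1 --storagectl IDE --port 0 --device 0 --type dvddrive --medium C:\Users\Public\bootable.iso
2023-10-20T09:13:45|FILESRV01|CORP\svc_backup|C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe|VBoxHeadless.exe --startvm vm1
2023-10-20T10:02:11|DEVWS17|CORP\alice|C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe|VirtualBoxVM.exe --startvm ubuntu-dev
"""

# Hypothetical naming convention: hosts containing these tokens count as servers,
# where interactive VM use is unexpected. Adjust to your own inventory.
SERVER_NAME_RE = re.compile(r"(SRV|DC\d|SQL|FILE)", re.I)
VBOX_IMAGES = {"vboxmanage.exe", "vboxheadless.exe", "virtualboxvm.exe", "virtualbox.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    user: str
    severity: str
    stages: list = field(default_factory=list)


def parse_events(text: str) -> list:
    """Parse the pipe-delimited constructed format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, user, image, cmdline))
    return events


def classify(event: Event) -> Optional[str]:
    """Map one event to a VirtualBox deployment stage, or None if unrelated."""
    image = event.image.rsplit("\\", 1)[-1].lower()
    cmd = event.cmdline.lower()
    if image == "msiexec.exe" and "virtualbox" in cmd:
        return "install"
    if image not in VBOX_IMAGES:
        return None
    if "storageattach" in cmd and ".iso" in cmd:
        return "iso_attach"
    if "startvm" in cmd:
        return "start_vm"
    if "createvm" in cmd:
        return "create_vm"
    return "vbox_process"


def detect(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Correlate stages per (host, user) inside a time window and rate them."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage:
            by_actor[(ev.host, ev.user)].append((ev.ts, stage))
    findings = []
    for (host, user), stages in by_actor.items():
        first_ts = stages[0][0]
        seen = {s for ts, s in stages if ts - first_ts <= window}
        is_server = bool(SERVER_NAME_RE.search(host))
        if is_server and {"iso_attach", "start_vm"} <= seen:
            severity = "high"    # ISO-booted VM on a server: matches the Munchkin pattern
        elif is_server:
            severity = "medium"  # any VirtualBox activity on a server deserves a look
        else:
            severity = "low"     # workstation VM use is usually benign
        findings.append(Finding(host, user, severity, sorted(seen)))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f.severity:6} {f.host:10} {f.user:18} {', '.join(f.stages)}")
```

The host-side view is deliberately what this checks: once the guest is running, its tmux session and the controller binary are invisible to host security agents, so the install, ISO attach and VM start on the host are the observable moments.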
Notably, Unit 42 found a message within the malware from BlackCat to its affiliates, warning them about the risk of data exposure.
Because malware samples frequently leak to analysis platforms, affiliates must keep the Tor negotiation site access tokens confidential; otherwise unauthorized parties could access the communications between the ransomware operators and their victims. For that reason, BlackCat stresses that the Munchkin virtual tools and ISOs must be removed.
The Munchkin tool offers several advantages. Running inside a virtual machine shields it from the primary operating system, hindering detection by security software on the host. Its use of Alpine OS keeps the footprint small, and its automation reduces manual work. Its modular design, with customizable Python scripts and payloads, makes it easy to adapt.
BlackCat, written in Rust, emerged in late 2021 as the successor to BlackMatter and DarkSide. Since then the group has evolved continuously, introducing features such as flexible encryption modes, a data leak API, and support for custom credentials. In 2023, organizations including MGM Resorts, Seiko, and Western Digital have fallen victim to BlackCat attacks.