Microsoft Threat Intelligence, the company’s cybersecurity arm, recently announced the discovery of a new strain of the infamous BlackCat ransomware variant.
In a thread posted on Twitter, the company said the new version comes with two new additions that help ransomware operators move laterally across compromised networks.
The two additions include the open-source communication framework tool Impacket, and the Remcom hacking tool.
Impacket has been described as an open-source collection of Python classes for working with network protocols, more commonly used as a post-exploitation toolkit by pentesters, red teamers, and cybercriminals, as it allows them to move laterally throughout the network, dump credentials from processes, perform NTLM relay attacks, and more.
With BlackCat, Impacket is being used to dump credentials and execute the encryptor code remotely.
The Remcom hacktool is also used for remote code execution and lateral movement, both facilitating encryptor deployment.
Microsoft doesn’t seem to be the first one to have stumbled upon this updated version of BlackCat. BleepingComputer says that VX-Underground reported on it in April this year. Citing a message BlackCat operators sent to its affiliates, the publication says the new version is called Sphynx:
“The code, including encryption, has been completely rewritten from scratch. By default all files are frozen. The main priority of this update was to optimize detection by AV/EDR,” the crooks said in their announcement.
BleepingComputer also saw a private Microsoft 365 Defender Threat Analytics advisory in which Microsoft said Storm-0875 started using Sphynx in July this year.
BlackCat is also known as ALPHV and was first launched in November 2021. It is widely considered as one of the most popular and most disruptive ransomware variants out there.
In more recent news, BlackCat was responsible for an attack against Reddit, one of the biggest online forums.