In a thread posted on Twitter, the company said the new version comes with two new additions that help ransomware operators move laterally across compromised networks.
The two additions include the open-source communication framework tool Impacket, and the Remcom hacking tool.
Impacket and Remcom
Impacket has been described as an open-source collection of Python classes for working with network protocols. In practice it is more commonly used as a post-exploitation toolkit by pentesters, red teamers, and cybercriminals, since it lets them move laterally through a network, dump credentials from processes, perform NTLM relay attacks, and more.
With BlackCat, Impacket is being used to dump credentials and execute the encryptor code remotely.
The Remcom hacktool is also used for remote code execution and lateral movement, both facilitating encryptor deployment.
Microsoft doesn’t seem to be the first one to have stumbled upon this updated version of BlackCat. BleepingComputer says that VX-Underground reported on it in April this year. Citing a message BlackCat operators sent to its affiliates, the publication says the new version is called Sphynx:
"The code, including encryption, has been completely rewritten from scratch. By default all files are frozen. The main priority of this update was to optimize detection by AV/EDR," the crooks said in their announcement.
BleepingComputer also saw a private Microsoft 365 Defender Threat Analytics advisory in which Microsoft said Storm-0875 started using Sphynx in July this year.
BlackCat, also known as ALPHV, was first launched in November 2021. It is widely considered one of the most popular and most disruptive ransomware variants out there.
In more recent news, BlackCat was responsible for an attack against Reddit, one of the biggest online forums.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.