BlackCat Ransomware Variant Incorporates Impacket, RemCom
Version Uses Open-Source Communication Framework Tool for Lateral Movement
Microsoft identified a new variant of BlackCat ransomware malware that uses an open-source communication framework tool to facilitate lateral movement in target environments.
The Redmond giant on Thursday revealed that the updated cryptoware incorporates the Impacket networking framework and the RemCom hacking tool. Security researchers at the computing giant started observing the new version being used by a BlackCat affiliate in July.
BlackCat, also known as Alphv, is a Russian-speaking criminal group suspected of being a successor to DarkSide and BlackMatter, with ties to former REvil members. The group earlier this year posted online stolen diagnostic images of breast cancer patients disrobed from the waist up (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).
Impacket is an open-source collection of modules designed for network penetration testing, security assessments and related research purposes. Microsoft said BlackCat is using Impacket's credential dumping and remote service execution modules to deploy ransomware in target environments.
The RemCom tool allows for remote code execution. It is embedded in the ransomware with usernames and passwords already set up, which allows the attackers to spread the ransomware to other computers on the network and lock up more files for ransom.
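As an added example that is not part of the article or of Microsoft's reporting, the following Python script shows the kind of detection a defender can run over Windows "new service installed" events (System log Event ID 7045) to spot the remote service execution the two tools rely on. The sample event lines, the host names and the credential names are constructed for the example; the heuristics (a service named RemComSvc, a %COMSPEC% echo-relay command line pointing at the loopback share, an eight-letter random binary dropped into ADMIN$) are assumptions based on how RemCom and Impacket's smbexec/psexec-style modules commonly behave, not indicators taken from the article. A hit is corroborated when a network logon (Event ID 4624, logon type 3) on the same host precedes the install within two minutes.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not from the article). Each line flattens one
# Windows event as: timestamp|event_id|host|key=value;key=value
# 4624 = account logon (Security log), 7045 = new service installed (System log).
SAMPLE_EVENTS = [
    "2023-07-10T09:12:01|4624|FS01|LogonType=3;User=CORP\\svc_backup;SrcIp=10.0.5.23",
    "2023-07-10T09:12:04|7045|FS01|ServiceName=RemComSvc;ImagePath=C:\\Windows\\RemComSvc.exe",
    "2023-07-10T09:15:30|7045|FS01|ServiceName=BTOBTO;ImagePath=%COMSPEC% /Q /c echo dir "
    "^> \\\\127.0.0.1\\C$\\__output 2^>&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c "
    "%TEMP%\\execute.bat & del %TEMP%\\execute.bat",
    "2023-07-10T09:20:00|7045|FS01|ServiceName=BackupAgent;ImagePath=\"C:\\Program Files\\Acme Backup\\agent.exe\"",
    "2023-07-10T11:00:00|7045|WS42|ServiceName=tPzLkQwr;ImagePath=\\\\WS42\\ADMIN$\\tPzLkQwr.exe",
]

# Heuristics (assumptions for this example, not signatures from the article).
REMCOM_SERVICE = "RemComSvc"  # default service name installed by RemCom
# smbexec-style relay: command output echoed to a file on the loopback share
SMBEXEC_CMD = re.compile(r"%COMSPEC%.*echo.*\\\\127\.0\.0\.1\\", re.IGNORECASE)
# psexec-style drop: randomly named binary written into the ADMIN$ share
PSEXEC_DROP = re.compile(r"\\ADMIN\$\\[A-Za-z]{8}\.exe$", re.IGNORECASE)
LOGON_WINDOW = timedelta(seconds=120)


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    fields: dict


@dataclass
class Finding:
    host: str
    service: str
    reasons: list


def parse_event(line):
    """Split one flattened event line into a typed Event."""
    ts, eid, host, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.fromisoformat(ts), int(eid), host, fields)


def suspicious_installs(lines):
    """Return Findings for 7045 events whose service looks like remote execution tooling."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    findings = []
    for ev in events:
        if ev.event_id != 7045:
            continue
        name = ev.fields.get("ServiceName", "")
        path = ev.fields.get("ImagePath", "")
        reasons = []
        if name == REMCOM_SERVICE:
            reasons.append("remcom-service-name")
        if SMBEXEC_CMD.search(path):
            reasons.append("smbexec-style-cmd-relay")
        if PSEXEC_DROP.search(path):
            reasons.append("psexec-style-random-binary")
        if not reasons:
            continue
        # Corroborate with a network logon on the same host shortly before the install.
        if any(e.event_id == 4624 and e.host == ev.host
               and e.fields.get("LogonType") == "3"
               and timedelta(0) <= ev.ts - e.ts <= LOGON_WINDOW
               for e in events):
            reasons.append("network-logon-precedes-install")
        findings.append(Finding(ev.host, name, reasons))
    return findings


if __name__ == "__main__":
    for f in suspicious_installs(SAMPLE_EVENTS):
        print(f"{f.host}: service {f.service!r} flagged: {', '.join(f.reasons)}")
```

Run against the constructed sample, the script flags the RemComSvc install on FS01 (corroborated by the preceding type 3 logon), the BTOBTO echo-relay service, and the random binary on WS42, while the ordinary backup agent is left alone. In production the same logic would read 7045 and 4624 records from a SIEM or from Windows Event Forwarding rather than from inline strings.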
VX-underground reported in April that an updated version of the BlackCat ransomware called Sphynx had brought improvements in encryption speed and stealthiness.
The U.S. Cybersecurity and Infrastructure Security Agency in an advisory published in 2022 warned of Impacket being used to steal sensitive information from a defense industrial base organization.