
Tales from the SOC: BlackCat on the prowl



This blog was co-authored with Josue Gomez and Ofer Caspi.

Executive summary

BlackCat is and has been one of the more prolific malware strains in recent years. Believed to be the successor of REvil, which has links to operators in Russia, it was first observed in the wild back in 2021, according to researchers. BlackCat is written in the Rust language, which offers better performance and efficiency than the languages previously used. BlackCat is indiscriminate in how it targets its victims, which range from healthcare to entertainment industries. This blog will cover a recent incident impacting one of the AT&T Managed Detection and Response (MDR) Security Operations Center (SOC) customers and discuss how, in partnering with AT&T Alien Labs, the MDR SOC was able to detect and remediate the incident.

Building the investigation

On September 14th, 2023, the AT&T MDR SOC received multiple alarms indicating that lateral movement was occurring for one of our clients. The alarm detections were generated after activity in SentinelOne showed multiple users attempting to traverse the network through the client's environment.

BlackCat infection detected

Figure 1. Alarm detection

The AT&T SOC immediately opened an investigation that included a call to the client to notify them of the activity, as well as escalating the detection to the AT&T MDR Incident Response (IR) Team and the client's dedicated Threat Hunter. The IR team and Threat Hunter began the engagement by creating a timeline and searching through the SentinelOne Deep Visibility tool. Within its events, they found a user was successfully logged into the client's internal network on multiple endpoints using lsass.exe. Additionally, multiple files were logged as being encrypted, which resulted in the team designating the incident a ransomware attack.

lsass activity

Figure 2. Lsass activity in SentinelOne

During the review of the lsass.exe activity, a specific file was located with a suspicious process tree. A command line was recorded with the file execution that included an internal IP address and the user ADMIN$. The activity from the suspicious file prompted an immediate blocklist of the file's SHA-1 hash to ensure that the file could not be executed within the client's environment. Following the block of the file hash, multiple detections from SentinelOne populated, indicating that the file was successfully killed and quarantined and that the client's devices were protected.

BlackCat command line

Figure 3. File execution command line

After initiating the blocklist, the Threat Hunter used the SentinelOne "file fetch" feature, which enabled them to download the malicious file and save a copy locally. The AT&T SOC then worked with the AT&T Alien Labs team to perform a deeper analysis of the file in order to better understand the true nature of the ransomware attack.

Technical analysis

As previously mentioned, BlackCat ransomware is developed in the Rust programming language, giving the attacker the ability to compile and run it on both Windows and Linux operating systems. The ransomware employs encryption to hide its strings. Upon execution, each string is decrypted by its own dedicated function, often using a single-byte XOR key. Initially, the main payload is decrypted. If the supplied arguments are correct, the ransomware proceeds to decrypt its configuration and other essential strings, ensuring smooth and secure operation. (See Figure 4.)

BlackCat decryption

Figure 4. Single string decryption routine.
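As an added example (not BlackCat's code or Alien Labs' tooling), the following shows how an analyst recovers a string protected by the single-byte XOR scheme described above: decrypt with a known key, or try all 256 keys and keep the candidates that decode to printable text. The sample blob and key are constructed for this example.

```python
# Added example: single-byte XOR string recovery. Blob and key are constructed.

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encrypts and decrypts."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)

def printable_ratio(buf: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace."""
    if not buf:
        return 0.0
    good = sum(1 for b in buf if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return good / len(buf)

def brute_force_xor(blob: bytes, threshold: float = 0.95) -> list[tuple[int, str]]:
    """Try all 256 keys and keep those that yield mostly printable text.
    Several keys usually pass (a key differing only in a low bit still maps
    letters to letters), so the analyst confirms the key against the string's
    decryption routine in the disassembly; for ASCII plaintext the true key
    is always among the hits."""
    hits = []
    for key in range(256):
        out = xor_bytes(blob, key)
        if printable_ratio(out) >= threshold:
            hits.append((key, out.decode("ascii", errors="replace")))
    return hits

# Constructed sample: the shadow-copy deletion command the page shows later
# (Figure 7), encrypted with an arbitrary key chosen for this example.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(b"vssadmin.exe Delete Shadows /all /quiet", SAMPLE_KEY)

def recover_sample() -> str:
    """Decrypt the sample blob with its known key, as the malware's own routine would."""
    return xor_bytes(SAMPLE_BLOB, SAMPLE_KEY).decode("ascii")

if __name__ == "__main__":
    print(recover_sample())
    for key, text in brute_force_xor(SAMPLE_BLOB):
        print(f"key 0x{key:02X}: {text}")
```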

The malware decrypts its configuration using the AES algorithm. (See Figure 5.)

AES decryption

Figure 5. AES algorithm.

The BlackCat ransomware configuration includes the following details:

  • File extension for encrypted files
  • Specific domains, users, and passwords or password hashes belonging to the targeted company (these credentials were likely acquired during the initial stages of the infection by other malware)
  • The victim user panel on the Tor network containing the ransom demands made by the attackers
  • A list of folders and file extensions to be skipped during encryption (e.g., *.exe, *.drv, *.msc, *.dll, *.lock, *.sys, *.msu, *.lnk)
  • Particular folders to be handled (for both Windows and Linux, since the malware is written in Rust and can be compiled for both systems)
  • The ransom note

The malware uses the decrypted credentials to start services and to move laterally across the network. It uses the Impacket Python library to carry out these actions. Impacket provides a wide range of capabilities for working with network protocols and building network applications. It is particularly known for its ability to manipulate and interact with network packets and to perform various tasks related to network penetration testing, security assessment, and exploitation. BlackCat uses Impacket in a Python script that is responsible for creating and starting a service on a remote machine on the network with the ransomware binary. (See Figure 6.)

BlackCat Impacket

Figure 6. Python script for lateral movement using Impacket.

In addition, the malware increases its impact by deleting Windows shadow copies, making data recovery more difficult. It accomplishes this through the commands shown in Figure 7:

  • "cmd" /c "vssadmin.exe Delete Shadows /all /quiet"
  • "cmd" /c "wmic.exe Shadowcopy Delete"

BlackCat delete shadow content

Figure 7. Executing cmd commands to delete shadow copies.

Figure 8 shows a list of the commands supported by the malware:

BlackCat help

Figure 8. BlackCat "help" page.

Finally, the victim accesses the page on the Tor network that shows the ransom price, live chat support, and a decryption trial. (See Figure 9.)

BlackCat victim access page

Figure 9. BlackCat ransomware victim access page.


Using Impacket in the Python script should leave remnants of suspicious process executions. As previously mentioned, the creation and start of the new service should produce a process tree of services.exe spawning the new service/payload from the ADMIN$ share on the target asset.

detecting sus process

Figure 10. Suspicious process

Once the payload is executed, the attacker begins deleting the shadow copy files. This is a common technique ransomware attacks use to ensure that recovery efforts are unsuccessful. The LOLBAS utilities used to carry out this task were vssadmin.exe and wmic.exe. Detection for this activity should focus on the process command line being run.

attacker deleting shadows

Figure 11. Vssadmin.exe
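As an added example (not AT&T's detection content or the USM Anywhere rules themselves), the following implements the two checks just described, services.exe launching a payload from ADMIN$ and vssadmin/wmic shadow copy deletion, over constructed process-creation events; the event field names, host names, IP address and file names are assumptions.

```python
import re

# Added example: detection logic for the two behaviours the page describes.
# Tolerant of an optional .exe suffix, mixed case and extra whitespace.
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)
# A UNC path into the administrative share, e.g. \\10.10.20.5\ADMIN$\payload.exe
ADMIN_SHARE = re.compile(r"\\\\[\w.\-]+\\ADMIN\$\\", re.IGNORECASE)
# ADMIN$ maps to the Windows directory, so a binary dropped there runs from its root
# (assumption: legitimate services rarely run from that root; allowlist as needed).
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_shadow_copy_deletion(cmdline: str) -> bool:
    """Matches the vssadmin/wmic invocations shown in Figure 7."""
    return SHADOW_DELETE.search(cmdline) is not None

def is_impacket_style_service(parent_image: str, image: str, cmdline: str) -> bool:
    """services.exe starting a payload served from, or dropped into, ADMIN$."""
    if basename(parent_image) != "services.exe":
        return False
    return ADMIN_SHARE.search(cmdline) is not None or WINDIR_ROOT.match(image) is not None

def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule name, host, command line) per matching event; rule names
    mirror the USM Anywhere correlation rules the page lists."""
    alerts = []
    for ev in events:
        if is_impacket_style_service(ev["parent"], ev["image"], ev["cmd"]):
            alerts.append(("Potential Impacket Lateral Movement Activity", ev["host"], ev["cmd"]))
        if is_shadow_copy_deletion(ev["cmd"]):
            alerts.append(("Windows Shadow Copies Deletion", ev["host"], ev["cmd"]))
    return alerts

# Constructed process-creation events (hosts, IP and file names are made up).
SAMPLE_EVENTS = [
    {"host": "FS01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\payload.exe", "cmd": r"\\10.10.20.5\ADMIN$\payload.exe"},
    {"host": "FS01", "parent": r"C:\Windows\payload.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": '"cmd" /c "vssadmin.exe Delete Shadows /all /quiet"'},
    {"host": "FS01", "parent": r"C:\Windows\payload.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": '"cmd" /c "wmic.exe Shadowcopy Delete"'},
    # Benign: a normal service host and a read-only shadow copy listing.
    {"host": "FS02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "FS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe list shadows"},
]
```

Running `triage(SAMPLE_EVENTS)` yields three alerts, one for the service start from ADMIN$ and two for the shadow copy deletions, and none for the benign events.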



The following USM Anywhere correlation rules may assist in detecting some of the activity described in the malware:

  • Windows Shadow Copies Deletion
  • Potential Impacket Lateral Movement Activity



Following the incident, the information from the AT&T Alien Labs team was provided to the client. The client then worked closely with the assigned Threat Hunter to implement the recommended remediation steps, which were as follows:

  • Verify any new groups or admins that were created
  • Initiate a password reset for all admin users
  • Force a password reset for all users on their next login
  • Reboot any servers affected by the incident
    • This step will close all active remote desktop sessions
  • Verify any installation of remote administration software
  • Review all current software installed across the environment
  • Review any external-facing portals in the environment
  • Rotate the Kerberos password twice
  • Blacklist the file attempting to execute the ransomware
  • Rebuild any infected Domain Controllers
  • Review the list of users in the data pulled from Alien Labs
    • Compromised user passwords

With the assistance of the AT&T Alien Labs team, the Incident Response team, and the Threat Hunter, the client was able to review the information and ensure the threat was unable to regain access to their environment post-incident.


