BlackCat Sphynx: A New Threat in the Cybersecurity Landscape
The cybercrime world is constantly evolving and introducing new challenges for security professionals and organizations. One of the latest threats is a ransomware family called Sphynx, developed and distributed by a notorious cyber gang known as BlackCat. In this blog post, we will provide an overview of BlackCat and Sphynx, and discuss their features, techniques, and impact.
Who is BlackCat?
BlackCat, also known as ALPHV and Noberus, is a ransomware-as-a-service (RaaS) group that emerged in November 2021. RaaS is a business model in which ransomware developers offer their malware to affiliates, who are responsible for infecting victims and collecting ransom payments; the developers then take a percentage of the profits. According to the FBI, many of the developers and money launderers behind BlackCat are linked to DarkSide and BlackMatter, two defunct RaaS groups responsible for some of the most notorious ransomware attacks in history, such as the Colonial Pipeline and JBS incidents.
BlackCat operates on a double or triple extortion tactic, which means that they not only encrypt the victim’s data, but also exfiltrate it and threaten to publish it on their public data leak site, or launch distributed denial-of-service (DDoS) attacks on the victim’s infrastructure, if the ransom is not paid.
BlackCat has targeted hundreds of organizations worldwide, including universities, government agencies, and companies in sectors such as energy, technology, manufacturing, and transportation. Some of their high-profile victims include Reddit, Fidelity National Financial, and Mr. Cooper. BlackCat typically demands ransom payments of several million dollars in Bitcoin or Monero, and has been known to negotiate or lower their initial demands.
What is Sphynx?
Sphynx is the name of the ransomware family that BlackCat uses to encrypt and extort its victims. Sphynx is written in Rust, a programming language that is relatively uncommon for malware development but offers advantages such as memory safety, performance, and cross-platform compatibility. Sphynx encrypts the victim's files with AES-256 and appends a random extension to them. It also drops a ransom note named HOW_TO_RECOVER_FILES.txt, which instructs the victim to contact the attackers via email or Tor to receive the decryption key and payment instructions.
Sphynx relies on various techniques to infiltrate and spread across the victim's network, such as exploiting outdated and unpatched VPNs and firewalls, using stolen credentials obtained from initial access brokers, or leveraging legitimate penetration testing tools such as Cobalt Strike or BloodHound for lateral movement and privilege escalation. Sphynx also tries to evade detection and analysis through obfuscation, encryption, anti-debugging, and anti-VM techniques, as well as by deleting shadow copies and disabling security software.
Why is Sphynx a serious threat?
Sphynx is a serious threat for several reasons. First, it is backed by a sophisticated and experienced cyber gang that has access to a large network of affiliates and resources. Second, it uses a powerful and versatile programming language that allows it to target multiple platforms and systems. Third, it employs a combination of encryption, exfiltration, and DDoS attacks to maximize the damage and the pressure on the victims. Fourth, it exploits various vulnerabilities and tools to gain initial access and persistence on the victim’s network. Fifth, it implements various anti-detection and anti-analysis mechanisms to evade security solutions and researchers.
Identification
| Field | Value |
|---|---|
| Size | 32.97 MB |
| SHA256 | 40278f86caa9ceb72a5e5d272b28cbafa01865ecbaec3a8eead11093f1237714 |
| MD5 | 5b39661efe8a8f49623b3088d88acdc4 |
| SHA1 | 209f8748ff00c994968ba9748428f7e165c44383 |
| Ssdeep | 786432:idxIB6uWeTrTms1darsJYY4L80yfEt7qY04wjejBsnktO:idxIB6yTusjarrnlyfEqoBsniO |
| File Type | Win32 EXE |
| Target Machine | Intel 386 or later, and compatibles |
| Compilation Timestamp | 21 Nov 2023 06:59:48 |
| VirusTotal | Report (41 / 72 detections) |
Before going into the detailed analysis, I will use the DIE (Detect It Easy) tool for a preliminary look at the sample, including the entropy of the malicious code we are about to analyze.
Metadata of sample
Sphynx is written in Rust, a programming language that is rather uncommon for malware development and offers benefits in terms of memory safety, performance, and cross-platform compatibility.
GetCommandLineW is a Windows API function that returns the command-line string for the current process. Console and GUI applications can use it to access the command-line arguments passed to the main or wmain functions. Sphynx uses GetCommandLineW to read the arguments supplied directly by the attackers.
By calling the Sleep function, the code delays execution and makes stepping through it in a debugger take longer. This is a technique to hinder reverse engineering by making dynamic analysis more tedious.
sub_784d50 is an important function. While analyzing the sample I encountered many calls to it; here it plays a major role in obtaining the paths of the resources that Sphynx will encrypt.
The attacker uses CoCreateGuid to generate a random GUID and creates a registry key with that name under the subkey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (IFEO). This subkey allows the system to execute a debugging program before launching the target program. An attacker can then set the Debugger value in the newly created subkey to point to a malicious executable that will run with the same privileges as the target program.
The attacker can then wait for the target program to be launched by a privileged user, such as an administrator or system service. When the target program is launched, the system first checks the IFEO subkey to find a matching registry key with the same name as the target program. If found, it executes the debugger specified by the Debugger entry instead of the target program. This way, an attacker can run a malicious executable with elevated privileges.
Sphynx uses CoCreateGuid to generate random GUIDs that are unlikely to collide with the name of any legitimate program. An attacker can then create a registry key with that name under the IFEO subkey and set its Debugger value to point to the malicious executable.
In this way, an attacker can create a temporary registry key that exists only for a short period of time, during which the target program is launched and the malicious executable runs. The registry key is then deleted automatically, leaving little trace of the attack.
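Because the post describes the IFEO key as short-lived, a defender wants a check that flags the pattern itself (a GUID-shaped subkey name with a Debugger value, or a Debugger pointing somewhere unusual) rather than a known program name. The following is an added example, not code from the original post; it parses a constructed .reg-style export of the IFEO key, and the GUID, paths and subkey names in the sample are made up for illustration.

```python
import re

# Added example, not from the original post: flag IFEO Debugger entries that fit the
# pattern above (GUID-shaped subkey name, Debugger pointing outside the Windows dir).
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

# Constructed .reg-style export: one well-known benign entry and one matching the
# pattern described in the post (the GUID and path are made up for illustration).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}]
"Debugger"="C:\\Users\\Public\\update.exe"
"""

def parse_ifeo(reg_text):
    """Return {subkey: Debugger value} for every IFEO subkey that sets Debugger."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            # Only subkeys directly under the IFEO key are of interest here.
            inside = path.lower().startswith(IFEO_PREFIX.lower() + "\\")
            current = path[len(IFEO_PREFIX) + 1:] if inside else None
        elif current and line.lower().startswith('"debugger"='):
            raw = line.split("=", 1)[1].strip().strip('"')
            entries[current] = raw.replace("\\\\", "\\")  # .reg escapes backslashes
    return entries

def classify(entries):
    """Map each subkey to the reasons it looks suspicious ([] means unremarkable)."""
    findings = {}
    for name, debugger in entries.items():
        reasons = []
        if GUID_RE.match(name):  # no legitimate program image is named like a GUID
            reasons.append("GUID-shaped IFEO subkey name")
        if not debugger.lower().startswith("c:\\windows\\"):
            reasons.append("Debugger points outside the Windows directory")
        findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in classify(parse_ifeo(SAMPLE_REG)).items():
        print(name, "->", reasons or "ok")
```

Since the key may already be gone by the time a point-in-time export is taken, the same classification is more useful applied to registry audit or Sysmon registry events (key created, value set) as they arrive.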
CreateNamedPipeW is used to create a unique communication channel between the malware and the remote server. CreateNamedPipeW also allows the malware to set the security attributes of the pipe, such as granting full access to the creator and denying access to everyone else. In this way, the malware prevents unauthorized access to or tampering with the pipe.
Using BCryptGenRandom, the ransomware generates a random AES key. The BCryptGenRandom function was observed to be called multiple times during the encryption process.
To find all the files on the system, BlackCat first uses a loop of FindFirstFileW and FindNextFileW calls to enumerate the file system.
CopyFileExW is used to create a copy of the original file before it is encrypted and wiped.
CreateFileW, WriteFileEx, DeleteFileW and GetTempPathW are used in the encryption process: creating files, writing encrypted files as well as ransom notes into the encrypted folders, deleting the original files on the system, and obtaining the TEMP directory path used to execute the malicious payload.
In addition, Sphynx shuts down processes that may interfere with encryption by calling the TerminateProcess function.
SHA256 | Path | Type | Classification |
---|---|---|---|
40278f86caa9ceb72a5e5d272b28cbafa01865ecbaec3a8eead11093f1237714 | 40278f86caa9ceb72a5e5d272b28cbafa01865ecbaec3a8eead11093f1237714 | Main file | Malicious |
How to protect against Sphynx?
To protect against Sphynx and other ransomware threats, organizations should adopt a multi-layered approach that includes the following measures:
- Implement a robust backup and recovery strategy that ensures the availability and integrity of critical data and systems.
- Apply the latest security patches and updates to all devices and applications, especially VPNs and firewalls, to prevent exploitation of known vulnerabilities.
- Enforce strong password policies and use multi-factor authentication to prevent credential theft and misuse.
- Educate and train employees and users on how to recognize and avoid phishing emails and malicious attachments or links, which are common vectors for ransomware delivery.
- Deploy and update security software and tools, such as antivirus, firewall, endpoint detection and response (EDR), and network monitoring, to detect and block malicious activities and anomalies.
- Isolate and disconnect infected devices from the network as soon as possible to prevent further spread and damage.
- Contact law enforcement and security experts in case of a ransomware attack, and avoid paying the ransom, as it does not guarantee the recovery of the data and encourages further attacks.
I hope you enjoyed this blog post and learned something new about BlackCat and Sphynx. Stay tuned for more cybersecurity insights and updates from our team.
Sources: Intezer analysis of 40278f86caa9ceb72a5e5d272b28cbafa01865ecbaec3a8eead11093f1237714 (classified Malicious); "BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration" (securityintelligence.com).