BlackCat ransomware uses Linux virtual machine ‘Munchkin’ for stealth attacks

October 20, 2023

BlackCat/ALPHV ransomware has begun using a new tool called “Munchkin,” which uses virtual machines to stealthily deploy encryptors on network devices.

Munchkin allows BlackCat to run on remote systems and to encrypt Server Message Block (SMB) and Common Internet File System (CIFS) network shares. The addition of Munchkin to BlackCat’s already significant and advanced arsenal makes the RaaS operation more attractive to cybercriminals looking to partner with it as affiliates.

Hiding in VirtualBox

Unit 42 of Palo Alto Networks discovered that BlackCat’s new Munchkin tool is a customized Alpine Linux distribution delivered as an ISO file. After compromising a device, the attackers install VirtualBox and create a new virtual machine from the Munchkin ISO.

This Munchkin virtual machine contains a set of scripts and utilities that allow threat actors to reset passwords, propagate across the network, build the BlackCat “Sphynx” encryption payload, and run programs on networked computers.

On boot, the VM replaces the root user’s password with one known only to the attackers and uses the tmux utility to launch a Rust-based malware binary called “controller”, which begins loading the scripts used in the attack.

Figure: ISO file system structure (Source: Unit 42)

The “controller” uses a bundled configuration file that provides access tokens, victim credentials, and authentication secrets, as well as configuration directives, folder and file block lists, tasks to execute, and hosts to encrypt.

This configuration is used to build custom BlackCat encryptor executables in the /payloads/ directory; these are then pushed to remote devices to encrypt local files or SMB and CIFS network shares.

Figure: Munchkin’s plan of attack (Source: Unit 42)

Unit 42 discovered in the malware code a message from the BlackCat authors to their affiliates warning them not to leave the ISO on target systems, because the configuration is stored unencrypted, and specifically highlighting the risk of the chat access tokens being leaked.

A common problem for both ransomware gangs and their victims is that samples are often leaked through malware analysis sites. Analysis of a leaked ransomware sample can give researchers full access to the negotiation chat between the gang and its victim.

To avoid this, BlackCat affiliates must supply the access token for the Tor negotiation site when the encryptor is launched. As a result, the victim’s chat conversation cannot be reached by anyone who only has the sample used in the attack.

This is why the BlackCat developers warn affiliates to remove their Munchkin VMs and ISOs, so that these access tokens are not leaked. The developers also include instructions and tips for using the controller to monitor attack progress and launch tasks.

Figure: Warning message found in the malware (Source: Unit 42)

Munchkin makes it easier for BlackCat affiliates to perform a variety of tasks, including evading the security solutions protecting the victim’s device. A virtual machine provides a degree of isolation from the host operating system, so activity inside it is harder for security software on the host to detect and analyze.

Additionally, choosing Alpine Linux gives the VM a small footprint, and automated operation reduces the need for manual intervention and the amount of command-and-control traffic. Finally, Munchkin’s modularity, including a variety of Python scripts, per-victim configurations, and the ability to modify payloads as needed, makes it easy to customize the tool for specific goals or campaigns.
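Because the host's security software has limited visibility into what runs inside the VM, the defender's best observation point is the host-side evidence the article describes: VirtualBox being installed on a machine that has no business running a hypervisor, a VM being created from an ISO, and that VM being started headless. The hunt script below is an added example, not code from the article or from Unit 42. It assumes a constructed, simplified process-creation log format (`<timestamp> host=<name> user=<name> cmd=<command line>`), an invented allowlist of hosts where VirtualBox is expected, and invented host, user and file names; real EDR, auditd or Sysmon telemetry would need its own parser, and the `VBoxManage` subcommands it matches on are the standard ones for creating a VM, attaching media and starting it.

```python
"""Hunt for unexpected VirtualBox VM creation from ISO media in process logs.

Added example (not code from the article or the Unit 42 report). It assumes a
constructed, simplified process-creation log format:

    <timestamp> host=<hostname> user=<username> cmd=<command line>

and a small allowlist of hosts where a hypervisor is legitimately expected.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines; host, user and file names are invented.
SAMPLE_LOG = """\
2023-10-20T01:12:03Z host=fileserver01 user=svc_backup cmd=VBoxManage createvm --name worker --register
2023-10-20T01:12:10Z host=fileserver01 user=svc_backup cmd=VBoxManage storageattach worker --storagectl IDE --port 0 --device 0 --type dvddrive --medium /tmp/munchkin.iso
2023-10-20T01:12:30Z host=fileserver01 user=svc_backup cmd=VBoxManage startvm worker --type headless
2023-10-20T02:00:00Z host=devbox07 user=alice cmd=VBoxManage startvm ubuntu-test --type gui
2023-10-20T02:05:00Z host=fileserver01 user=svc_backup cmd=tar -czf /tmp/backup.tgz /srv/data
"""

# Hosts where VirtualBox is expected (assumption for this example).
HYPERVISOR_HOSTS = {"devbox07"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)
VBOX_RE = re.compile(r"\bVBoxManage\b", re.IGNORECASE)
ISO_RE = re.compile(r"\.iso\b", re.IGNORECASE)
HEADLESS_RE = re.compile(r"--type\s+headless\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into its fields, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def score_event(event: dict) -> List[str]:
    """Return the indicators an event matches (empty list if it is not VirtualBox)."""
    cmd = event["cmd"]
    reasons: List[str] = []
    if not VBOX_RE.search(cmd):
        return reasons
    if event["host"] not in HYPERVISOR_HOSTS:
        reasons.append("VirtualBox used on a host not approved for hypervisors")
    if ISO_RE.search(cmd):
        reasons.append("VM media attached from an ISO file")
    if HEADLESS_RE.search(cmd):
        reasons.append("VM started headless (no console)")
    return reasons


def hunt(log_text: str) -> List[Finding]:
    """Run every log line through the indicators and collect one Finding per hit."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for reason in score_event(event):
            findings.append(Finding(event["ts"], event["host"], event["user"], reason))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by host so a triager sees which hosts stack several indicators."""
    by_host: Dict[str, set] = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.reason)
    return {host: sorted(reasons) for host, reasons in by_host.items()}


if __name__ == "__main__":
    for host, reasons in summarize(hunt(SAMPLE_LOG)).items():
        print(f"{host}:")
        for r in reasons:
            print(f"  - {r}")
```

On the constructed sample the approved developer workstation produces no findings, while the file server accumulates all three indicators; a single indicator (VirtualBox on an unapproved host) is worth a ticket, but a host that creates a VM, attaches an ISO and boots it headless within a minute, under a service account, is the pattern worth paging on.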

Source: Port Altele
