BlackCat Group Adopts a New Tactic to Circumvent Security Solutions | Cyware Hacker News

The BlackCat group has yet again added a new tool to its arsenal to evade detection by security solutions offered by different vendors. The attackers have created a new utility called Munchkin that allows them to run the ransomware payload on remote machines, or to encrypt remote Server Message Block (SMB)/Common Internet File System (CIFS) shares.

This comes over a month after Microsoft reported that it found a new version of the BlackCat ransomware using tools such as Impacket and RemCom to facilitate lateral movement and remote code execution attacks in targeted environments.

What’s the new update?

The Munchkin utility is distributed as an ISO file, which is loaded into VirtualBox for execution. 
  • This ISO file contains a custom Alpine OS installation, which upon execution enables the malware to change the root password of virtual machines and subsequently execute the malware binary named controller.
  • The controller malware is written in Rust and resembles the BlackCat malware family. 
  • It aims to infect specific SMB/CIFS drives, records its activity in various output logs, and powers off the VM once the operation is complete.
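One defensive angle the description above suggests is to watch for VirtualBox being used to boot an ISO on hosts where VirtualBox has no business running. The following check is an added example, not code from the original article or from any vendor report: it runs over constructed process-creation events (the VirtualBox binary names are real; the hostnames, paths, user names and allow-list are assumptions) and flags VirtualBox processes whose command line references an ISO image on a host outside the allow-list.

```python
import json
import re

# Binaries shipped with Oracle VirtualBox on Windows hosts (real names).
VBOX_PROCESSES = {"vboxmanage.exe", "vboxheadless.exe", "virtualbox.exe"}
# Hosts where VirtualBox is legitimately installed (hypothetical allow-list).
ALLOWED_VBOX_HOSTS = {"dev-ws-07"}
# An optionally quoted path ending in .iso, followed by whitespace or end of line.
ISO_RE = re.compile(r'"?([^\s"]+\.iso)"?(?=\s|$)', re.IGNORECASE)

def parse_events(log_text):
    """Parse newline-delimited JSON process-creation events."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def flag_vbox_iso_launches(events):
    """Return events where a VirtualBox binary references an ISO image on a
    host that is not approved to run VirtualBox."""
    hits = []
    for ev in events:
        # Normalise the image path to a lower-case basename for matching.
        image = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image not in VBOX_PROCESSES:
            continue
        match = ISO_RE.search(ev.get("command_line", ""))
        if match is None:
            continue
        if ev.get("host", "").lower() in ALLOWED_VBOX_HOSTS:
            continue
        hits.append({"host": ev["host"], "user": ev.get("user", "?"),
                     "image": image, "iso": match.group(1)})
    return hits

# Constructed sample telemetry (not real logs; hosts, users and paths are made up).
SAMPLE_LOG = r"""
{"host": "dev-ws-07", "user": "alice", "image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe", "command_line": "VBoxManage.exe storageattach lab --storagectl IDE --port 0 --device 0 --type dvddrive --medium C:\\iso\\alpine.iso"}
{"host": "FS-02", "user": "svc_backup", "image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe", "command_line": "VBoxManage.exe storageattach micro --storagectl IDE --port 0 --device 0 --type dvddrive --medium C:\\Windows\\Temp\\setup.iso"}
{"host": "FS-02", "user": "svc_backup", "image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe", "command_line": "VBoxHeadless.exe --startvm micro"}
{"host": "FS-02", "user": "bob", "image": "C:\\Windows\\notepad.exe", "command_line": "notepad.exe notes.iso"}
"""

if __name__ == "__main__":
    for hit in flag_vbox_iso_launches(parse_events(SAMPLE_LOG)):
        print(f"ALERT {hit['host']}: {hit['image']} by {hit['user']} booted {hit['iso']}")
```

Only the file server event is reported: the developer workstation is allow-listed, the headless start carries no ISO on its command line, and notepad is not a VirtualBox binary.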

Affiliates carrying out attacks

Notably, the attackers are not only updating their tools to evade detection; the group's affiliates have also recently been involved in multiple cyberattacks across the world.

  • The group claimed responsibility for targeting 10 banks using the Quality Service Installation (QSI) service by revealing that it stole around 5TB of sensitive data. 
  • In another incident, the Motel One Group disclosed that it was impacted by BlackCat ransomware attacks wherein attackers stole some customer data, including the details of 150 credit cards.
  • Additionally, an affiliate of BlackCat disrupted MGM Resorts’ operations by encrypting more than 100 ESXi hypervisors.

Amidst the hacking spree by the ransomware group and its continued attempts to evolve its techniques, organizations should use the updated IOCs associated with the malware to stay safe. Additionally, implementing a robust threat intelligence platform (TIP) helps detect and thwart such threats automatically.