New Buhti Ransomware Operation Uses Rebranded Lockbit And Babuk Payloads
The researchers also observed attacks against Linux systems using Golang-based variants of the Babuk ransomware, which was released on hacking forums in September 2021. The variant used in these attacks targets ESXi systems.
The information stealer used by the group is also written in Golang. It lets operators search for files with specific extensions (.pdf, .php, .png, .ppt, .psd, .rar, .raw, .rtf, .sql, .svg, .swf, .tar, .txt, .wav, .wma, .wmv, .xls, .xml, .yml, .zip, .aiff, .aspx, .docx, .epub, .json, .mpeg, .pptx, .xlsx, .yaml) and then stores them in a compressed .ZIP archive.
“The tool can be configured via command-line arguments to specify both the directory to search for files of interest in and the name of the output archive. The -o argument in the command line specifies the archive to be created. The -d argument specifies the directory to search for files of interest in,” reads the post published by Symantec.
The attackers exploited a vulnerability in PaperCut NG and MF (CVE-2023-27350) to deploy tools including Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise.
In February, the group was observed exploiting a vulnerability in IBM’s Aspera Faspex file-exchange application (CVE-2022-47986).
“While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated,” concludes the report.
By Pierluigi Paganini