The BlackCat ransomware group (aka ALPHV) is using a new tool, called Munchkin, that utilizes virtual machines (VMs) to deploy encryptors on network devices. Munchkin is a customized Alpine OS Linux distribution that comes as an ISO file. Using the Munchkin tool, BlackCat can run remote systems or encrypt remote Server Message Block (SMB) or Common Internet File (CIFS) network shares. After compromising a device, the threat actors install VirtualBox and create a new VM using the Munchkin ISO.
The Munchkin VM includes a suite of scripts and utilities that allow the threat actors to dump passwords, spread laterally on the network, build a BlackCat “Sphynx” encryptor payload, and execute programs on network computers. Upon boot, it changes the root password to one known only by the attackers. It also leverages the “tmux” utility to execute a Rust-based malware binary named “controller” that loads scripts used in the attack.
Impact
Initial research indicates that Munchkin contains a variety of Python scripts, unique configurations, and the ability to swap payloads as needed. This makes it highly customizable for specific targets or campaigns. In addition, the use of VMs provides a layer of isolation from the operating system that can make detection and analysis difficult for security tooling.
DXC perspective
To mitigate, organizations should monitor for abnormal user/service account behavior and new VM instances. They should also install and regularly update antivirus software on all hosts, enable real-time detection, regularly back up data, and password-protect backup copies offline.
In addition, we recommend that all updates and patches for the OS, software and firmware be installed as soon as they’re released. To limit interruptions, best practices include implementing network segmentation and (as mentioned above) maintaining offline backups.
