On the Case of Onomastics Gymnastics: Detecting Spoofing and Business Email Compromise in Multi-Name Users by Roberto Romeu

Summary:

BlackSuit ransomware has emerged as a significant threat since late 2023, targeting various industries and employing double extortion tactics. With demands exceeding USD 500 million, it has affected numerous organizations globally. The ransomware’s sophisticated methods include exploiting VPN vulnerabilities and utilizing remote management tools for command-and-control activities.

Keypoints:

  • BlackSuit ransomware detected infiltrating multiple networks in the US since late 2023.
  • Targets a wide range of industries, including healthcare, education, IT, and government.
  • Employs double extortion tactics, encrypting files and stealing sensitive data.
  • Demands over USD 500 million in ransom, with individual demands reaching USD 60 million.
  • Notable victims include CDK Global, Kadokawa, and the government of Brazil.
  • Utilizes various attack vectors, including VPN compromises and remote management tools.
  • Darktrace reported multiple cases of BlackSuit attacks with significant data exfiltration.
  • Ransomware tactics are evolving, highlighting the need for robust cybersecurity measures.

MITRE Techniques:

  • Account Manipulation (T1098): Exploits user accounts to maintain persistence.
  • Alarm Suppression (T0878): Disables or modifies security alarms to evade detection.
  • Application Layer Protocol (T1071): Utilizes application layer protocols for command and control.
  • Automated Collection (T1119): Collects data automatically from compromised systems.
  • Data Encrypted for Impact (T1486): Encrypts data to disrupt operations and demand ransom.
  • Exfiltration Over C2 Channel (T1041): Exfiltrates data through command and control channels.
  • Exploitation of Remote Services (T1210): Exploits remote services for lateral movement.
  • Valid Accounts (T1078): Uses valid accounts for unauthorized access and persistence.

IoC:

Full Research: https://darktrace.com/blog/onomastics-gymnastics-how-darktrace-detects-spoofing-and-business-email-compromise-in-multi-name-users