A new ransomware operation, dubbed Buhti, is using the leaked source code of the encryptor from LockBit and Babuk ransomware. It, additionally, uses a custom-developed information stealer to exfiltrate data. Research suggests that this ransomware is not associated with any existing threat groups, Therefore, its developer is being tracked as a new group known as Blacktail.
Reuse of leaked source codes
Symantec researchers discovered new samples of this malware targeting Windows computers. It uses a modified version of the LockBit 3.0 variant, aka LockBit Black. The source code for Windows LockBit 3.0 builder was leaked in September 2022.
The initial samples, detected by Unit 42 in February, targeted only Linux.
For the Linux variant, Blacktail leveraged the Babuk source code, which was publicly posted in a Russian hacking forum in September 2021.
Not just a copycat
Although Buhti adapts its encryptor from leaked source codes, it cannot be considered a copycat malware. This is because it has invested significant effort into developing its custom exfiltration tool and proactive network infiltration tactics.
The exfiltration tool, written in Golang, is designed to steal files, archive them, and send them to an attacker-controlled server.
For network exfiltration, it abuses the recently patched vulnerability CVE-2023-27350 in PaperCut NG and MF to target both Windows and Linux machines.
The malware samples detected in February exploited the deserialization vulnerability CVE-2022-47986 in IBM’s Aspera Faspex.
Upon infection, it attempts to install genuine tools, such as AnyDesk, ConnectWise, Meterpreter, Cobalt Strike, and Sliver, to steal credentials and files, move laterally across the network, and deploy additional payloads.
Concluding notes
Buhti stands as an example of how any budding threat actor is able to leverage leaked source codes to rapidly build multi-OS ransomware. Moreover, the leveraging of recently disclosed vulnerabilities hints that Blacktail is proactively and regularly putting efforts into enhancing Buhti. Thus, this competent threat can not be underestimated and calls for proactive defense strategies against ransomware attacks, including implementing a robust patch management system, and using genuine data security software.