By Cyber Threat Intelligence Team
Arete observed an overlap between a recent BlackMatter case and a Q1 2021 REvil case. In both instances, the actors leveraged the JScript-based Gootloader (a JavaScript payload executed by the Windows Script Host) to deliver a CobaltStrike payload.
In a March 2021 insight, Arete detailed findings related to complex watering-hole infrastructure used to deliver Gootloader to unsuspecting victims. Highlights included:
- REvil actors leveraged compromised web servers of legitimate businesses to host Gootloader.
- Actors leveraged search engine optimization (SEO) hijacking to push malicious results to the top.
- The malicious search results led to an actor-controlled site masquerading as a legitimate message board.
- The board contained fake posts by different users, including an “admin” account (Figure 1).
- The download link in Figure 1 led to a JS payload that installed a CobaltStrike (CS) beacon.
- The actor leveraged CS to move laterally within the victim’s network to deploy and execute the REvil ransomware.
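As an added illustration that is not part of Arete's report, the Python below sketches how a defender could hunt for that delivery chain in endpoint telemetry: a .js file launched through the Windows Script Host (wscript.exe or cscript.exe, the default handler when a user double-clicks a .js file) from a download or zip-extraction location, followed by a DNS lookup from that host for a domain on a C2 watchlist. The event records, file names, and the `.invalid` watchlist entry are constructed placeholders; in practice the watchlist holds the C2 domains extracted from the actual samples. The `Temp1_<zip>.zip` path pattern relies on Explorer extracting a double-clicked zip member to that folder under `%TEMP%`.

```python
"""Hunt for a Gootloader-style chain in EDR/Sysmon-like events:
a user-launched .js under the Windows Script Host, then a DNS lookup
for a watchlisted C2 domain. All events and domains below are constructed."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".wsf")

# Locations a browser-downloaded or zip-extracted script would run from.
# Explorer extracts a double-clicked zip member to %TEMP%\Temp1_<zip>.zip\.
SUSPICIOUS_PATHS = [
    ("user Downloads folder", re.compile(r"\\users\\[^\\]+\\downloads\\")),
    ("zip opened in Explorer", re.compile(r"\\temp1_[^\\]+\.zip\\")),
    ("per-user Temp folder", re.compile(r"\\appdata\\local\\temp\\")),
]

# Placeholder watchlist: replace with the C2 domains from the analysed samples.
C2_WATCHLIST = {"c2-placeholder.invalid"}

# Windows command lines: quoted arguments may contain spaces.
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline):
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_script_host(ev):
    """Flag wscript/cscript running a script from a user-writable download location."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    scripts = [a for a in split_args(ev["cmdline"])[1:] if a.lower().endswith(SCRIPT_EXTS)]
    for script in scripts:
        low = script.lower()
        reasons = [label for label, rx in SUSPICIOUS_PATHS if rx.search(low)]
        if reasons:
            return {"kind": "script_host", "script": script,
                    "parent": basename(ev["parent"]), "reasons": reasons}
    return None


def check_c2_dns(ev, watchlist):
    """Match the queried name exactly or as a subdomain of a watchlisted domain."""
    query = ev["query"].lower().rstrip(".")
    for dom in watchlist:
        if query == dom or query.endswith("." + dom):
            return {"kind": "c2_dns", "query": query, "matched": dom,
                    "process": basename(ev["process"])}
    return None


def detect(events, watchlist=C2_WATCHLIST):
    findings = []
    for ev in events:
        hit = None
        if ev["type"] == "process":
            hit = check_script_host(ev)
        elif ev["type"] == "dns":
            hit = check_c2_dns(ev, watchlist)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real data from the cases described above).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\Downloads\agreement_sample.js"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Program Files\Vendor\maint.js"'},
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cscript.exe" "C:\Users\jdoe\AppData\Local\Temp\Temp1_agreement_sample.zip\agreement_sample.js"'},
    {"type": "dns", "process": r"C:\Windows\System32\wscript.exe",
     "query": "beacon.c2-placeholder.invalid"},
    {"type": "dns", "process": r"C:\Program Files\Browser\browser.exe",
     "query": "www.example.com"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The vendor-signed script run from Program Files is deliberately left unflagged: the signal is not the script host itself but a script executing from a location a user just downloaded or unpacked into, which is exactly where a forum "download link" deposits Gootloader.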
Watering-hole attacks have been around for years, but Arete had not observed this specific watering-hole site configuration in the wild, or associated with ransomware threat group activity, before the Q1 2021 REvil investigation and response. A few months later, REvil is no longer operational and its infrastructure (e.g., communication site, storage sites) is offline. The cause of REvil’s disappearance is unknown, but the group’s tactics, techniques, and procedures (TTPs) live on with another group: BlackMatter.
In August 2021, Arete was engaged to investigate and respond to a BlackMatter ransomware attack that impacted a law practice in the Midwest United States. Forensic timeline analysis of the observed indicators of compromise (IoCs) led Arete to assess that, while the BlackMatter ransomware payload was detonated in August 2021, the initial compromise occurred in May 2021, roughly three months earlier, and was attributed to the same type of Gootloader JS payload that impacted the professional services organization we assisted in Q1 2021.
Analysis indicated that in early May 2021, an employee of the victim organization searched in Google for “intercompany agreement transfer pricing sample.” As was the case with the Q1 2021 REvil incident, the actors leveraged SEO hijacking to prioritize the Gootloader infected pages. Arete observed that several keywords were altered to reflect the employee’s search terms (Figure 2).
Compared side by side with the Gootloader watering hole REvil leveraged in Q1 2021, these pages are nearly identical, differing only in the download link, the title of the document the user was searching for, and slight modifications to the fake forum users’ icons (Figure 1, Figure 3, and Figure 4). Similar behavior was previously reported for other Gootloader campaigns, including matching “forum themes” and multi-language versions of the forums.
Dynamic analysis of the BlackMatter Gootloader sample produced different command-and-control (C2) domain callouts than the older Gootloader sample associated with the Q1 2021 REvil attack. Those domains are documented below for incorporation into EDR/HIDS/NIDS watchlists:
While the linkage between REvil and BlackMatter cannot be confirmed with absolute certainty, it is notable that both groups share the same initial access tactic: fake forum posts weaponized with Gootloader, coupled with SEO hijacking, to gain an initial foothold in targeted environments.
The Arete Threat Intelligence and Forensics teams continue to monitor for any changes to BlackMatter’s TTPs and for the re-emergence of REvil.
Arete would like to acknowledge the contributions of Senior Forensic Analyst Robert Christine for documenting and timelining the indicators and observables that led to this discovery.