A Closer Look at BlackMagic Ransomware

Originally published by Cyble on December 7, 2022.

New Ransomware disrupting Transportation and Logistics Industry in Israel

During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a new ransomware group named “BlackMagic” ransomware. This ransomware group uses a double extortion technique to target its victims, in which it first exfiltrates the victim’s data, followed by encryption. This group has disclosed details of over ten victims to date, and all of them are from Israel, indicating the possibility that it is conducting targeted attacks. This group is suspected to be originated from Iran.

During our analysis, we found that the ransom note used by this gang does not have any crypto address or contact details for ransom payments. Instead, it contains links to social media channels used for advertising the victim’s data, as shown in Figure 1. This indicates that the ransomware group is interested in selling the exfiltrated data rather than demanding money from its victims.

Figure 1 – BlackMagic Ransom Note

The Threat Actors (TA)s behind this group are using multiple cybercrime forums to sell the data obtained from these attacks. TA claims to have 50GB of data from Israeli transportation companies. They also claimed that these attacks include sensitive data of over 65% of Israeli citizens. The figure below shows the post made by TA on a cybercrime forum.

Figure 2 – BlackMagic’s TA Selling Data

BlackMagic ransomware has targeted many companies from Israel’s Transportation and Logistics industry. The group claims to have hampered the logistics operation by destroying companies’ databases and changing the lading bills. The figure below shows the claims made by the ransomware group.

Figure 3 – Targetting Transportation and Logistics Industry

We have also observed a few instances where this group defaced the victim’s website. The figure below shows the web defacement done by the BlackMagic group.

Figure 4 – Website Defacement

The ransomware payload comes from hxxp[:]//5.230.70[.]49/dll/microsoftupdatedefender[.]rar and the microsoftupdatedefender[.]rar file contains two files named “MicrosoftUpdate.dll” and “back.bmp”. The ransomware DLL file is further dropped in the location
C:\Users\Public\Documents\” and executed using rundll32.exe. We suspect this ransomware DLL could have been dropped and executed either manually or using other malware.

Technical Analysis

This ransomware group uses a 64-bit DLL file as its payload. File hash (SHA256: 8f855ed4c2f17487bac5d5079437acd728ccd68d93b49ab2f5b6d6d2430da133).

This DLL file has only one exported function called Black. This function is responsible for executing the main functionalities of BlackMagic ransomware.

Figure 5 – DLL Export

Upon execution, the ransomware calls the Sleep() function several times to evade sandbox detection. For smooth encryption in the victim’s system, this ransomware kills specific processes using the command “taskkill /f /im <process name>*”. The ransomware has the following hardcoded process names in its binary for terminating them.

teamview, anydesk, tnslsnr, vmware, nginx, httpd, docker, bak, site, db, postfix, imap, pop, clamav, qemu, cpanel, note, powerpnt, winword, excel, exchange, sql, tomcat, apache, java, python, vee, post, mys, vmwp, virtualbox, vbox, sqlserver, mysqld, omtstreco, oracle, mongodb, invoice, inetpub

The figure below shows the part of the code responsible for killing processes.

Figure 6 – Killing Processes

After this, the ransomware executes the reg add command to disable the task manager by adding a key, “hkcu\\software\\microsoft\\windows\\currentversion\\policies\\system /v disabletaskmgr /t reg_dword /d 1 /f”. The figure below shows the registry key added by the ransomware to disable the task manager.

Figure 7 – Disabling Task Manager

Next, the ransomware fetches the victim’s local IP address using the ipconfig command and forms the URL “hxxp[:]//5.230.70[.]49/api/public/api/test?ip=<Victim’s local IP> &status=0&cnt=100&type=server&num=11111170” and sends GET request to its remote server. The below image shows the code snippet used by the ransomware for forming the URL to send a GET request.

Figure 8 – Using ipconfig

The ransomware now calls the GetLogicalDriveStringsA() API to findthe attached drives in the victim’s system and enumerate files in the identified drive for encryption. Before processing files for encryption, it drops a ransom note named “HackedByBlackMagic.txt” in all the folders. BlackMagic ransomware uses the Rijndael algorithm for performing encryption. The figure below shows the implementation of the Rijndael encryption algorithm in the ransomware binary.

Figure 9 – Using Rijndael Encryption Algorithm

After encrypting the victim’s files, it renames them by appending “.BlackMagic” as an extension. This ransomware encrypts nearly all the files and excludes executable and DLL files in certain windows critical folders. The figure below shows the encrypted files.

Figure 10 – Appending “.BlackMagic” as an extension

Finally, the ransomware creates a .bat file named “next.bat” in “C:\Users\Public\Documents”, writes a sequence of commands to it, and then executes it. The ransomware creates and executes “next.bat” to delete its traces after encrypting the files in the victim’s machine and changing the desktop background. The following table shows the .bat file commands along with their description.

The desktop wallpaper might not change for every victim as the ransomware deletes the back.bmp file using .bat commands. The figure below shows the final state of the infected system with a changed background.

Figure 11 – Changing the victim’s wallpaper

Conclusion

Based on the activities of the BlackMagic ransomware group, we suspect them to be politically motivated, but it is currently unclear to predict how they will evolve in the future.

In 2021, Moses Staff hacking team surfaced, targeting Israel-based organizations. They were deploying ransomware but were not demanding ransom payments and leaking victims’ data. BlackMagic also appears to have similar techniques, but they appear to be financially motivated, as we witnessed them selling victims’ data.

We did not encounter any ransom demands made by this group to date, and the ransomware payload was encrypting .exe and .dll files which are atypical for ransomware to encrypt, indicating that TAs might be deploying ransomware to disrupt operations.

Our Recommendations

The following essential cybersecurity best practices create the first line of control against attackers. We recommend that our readers follow best practices as given below:

• Monitor incoming emails from suspicious and potentially malicious domains.
• Back up data on different locations and implement Business Continuity Planning (BCP). Keep the Backup Servers isolated from the infrastructure, which helps fast data recovery.
• Frequent Audits, Vulnerability Assessments, and Penetration Testing of organizational assets, including network and software.
• Enforcement of VPN to safeguard endpoints.
• Conduct frequent training on security awareness for the company’s employees to inform them about emerging threats.
• Implementation of technology to understand the behavior of the ransomware-malware families and variants to block malicious payloads and counter potential attacks.

MITRE ATT&CK® Techniques

Indicators of compromise