Blacktail, the name Symantec uses for the threat actor behind the Buhti ransomware operation, has drawn attention for its changing tooling. Symantec's recent findings indicate that the group now deploys modified builds of the leaked LockBit 3.0 source code against Windows systems and the leaked Babuk source code against Linux systems. Reusing leaked ransomware code is usually the mark of a low-skill operation, but Blacktail pairs it with competent intrusion tradecraft and a readiness to exploit newly disclosed vulnerabilities, which makes the group more capable than its borrowed payloads would suggest.
The group has been tracked since it was first identified as the operator behind Buhti. It has shown a consistent ability to exploit recently disclosed vulnerabilities, among them CVE-2023-27350, an improper access control flaw in PaperCut NG/MF that allows unauthenticated remote code execution and that has been exploited in the wild since mid-April 2023, illustrating how quickly the group picks up new exploits. Although it has switched ransomware payloads, Blacktail still relies on at least one piece of custom malware: a data exfiltration tool written in Go that steals files with specific extensions before the ransomware encrypts them.
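Because Blacktail's PaperCut intrusions turn on whether a server was patched, the first triage question for a defender is which installed versions still carry CVE-2023-27350. The helper below is an added example written for this page, not code from Symantec or from the group; it compares version strings against the fixed releases PaperCut published for this CVE (20.1.7, 21.2.11 and 22.0.9, with 8.0 and later affected) and treats any unlisted branch older than 22.0.9 as unpatched, which is an assumption chosen for conservative triage. The version-string format and the inventory are constructed sample input; confirm the fixed versions against the vendor advisory before relying on the result.

```python
"""Triage helper: flag PaperCut NG/MF installs still exposed to CVE-2023-27350."""
from typing import Dict, Tuple

# Fixed releases named in PaperCut's advisory for CVE-2023-27350, keyed by
# major.minor branch. Earlier builds on each branch are vulnerable.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}

# Advisory: PaperCut MF/NG 8.0 and later are affected.
FIRST_AFFECTED = (8, 0, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise strings such as '22.0.5 (Build 63914)' or '21.2.10' to (22, 0, 5).

    The trailing build number shown on the PaperCut About page is ignored;
    missing patch components are treated as zero.
    """
    core = text.strip().split()[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts[:3])
    padded = nums + (0,) * (3 - len(nums))
    return padded[0], padded[1], padded[2]


def is_vulnerable(text: str) -> bool:
    """Return True if the given version predates the fix for CVE-2023-27350."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return False
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is not None:
        return version < fixed
    # Assumption: branches not named in the advisory are patched only if they
    # are newer than the latest fixed release (22.0.9); older unlisted branches
    # (e.g. 19.x, 21.0) have no fix and must be upgraded.
    return version < (22, 0, 9)


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map host name to vulnerable/not for a {host: version_string} inventory."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "print01.corp.example": "22.0.5 (Build 63914)",
        "print02.corp.example": "22.0.9 (Build 64151)",
        "print03.corp.example": "21.2.10",
        "print04.corp.example": "19.2.3",
    }
    for host, vulnerable in triage(sample).items():
        print(f"{host}: {'VULNERABLE' if vulnerable else 'patched'}")
```

Run it against an inventory exported from your asset database; any host flagged VULNERABLE that is reachable from the internet deserves the same treatment as a confirmed exposure, since this flaw has been exploited since mid-April 2023.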
In summary, Blacktail is a significant threat because it adapts quickly, combining leaked ransomware code with prompt exploitation of both established and newly disclosed vulnerabilities. Its custom Go exfiltration utility shows that the group writes its own tooling where it matters, and its practice of stealing files before encrypting them means victims face data theft as well as data loss. As the group continues to target organisations worldwide, defenders should patch internet-facing software such as PaperCut promptly, watch for bulk collection of files ahead of encryption, and keep detection content current with Blacktail's shifting tools and tactics.
Description last updated: 2024-05-04T21:41:16.336Z