While analyzing attacks on Russian organizations, our team regularly encounters overlapping tactics, techniques, and procedures (TTPs) among different cybercrime groups, and sometimes even shared tools. We recently discovered one such overlap: similar tools and tactics between two hacktivist groups – BlackJack and Twelve, which likely belong to a single cluster of activity.
In this report, we will provide information about the current procedures, legitimate tools, and malware used by the BlackJack group, and demonstrate their similarity to artifacts found in Twelve’s attacks. We will also analyze another recently discovered activity that has much in common with the activity of the potential cluster.
BlackJack is a hacktivist group that emerged at the end of 2023, targeting companies based in Russia. In their Telegram channel, the group states that it aims to find vulnerabilities in the networks of Russian organizations and government institutions.
As of June 2024, BlackJack has publicly claimed responsibility for over a dozen attacks. Our telemetry also contains information on other unpublicized attacks, where indicators suggest BlackJack’s involvement.
The group only uses freely available and open-source software, such as the SSH client PuTTY or the wiper Shamoon, which has been available on GitHub for several years. This confirms that the group operates as hacktivists and lacks the resources typical of large APT groups.
BlackJack uses a version of the Shamoon wiper written in Go in their attacks. Static analysis helped us extract the following characteristic strings:
During our research, we found Shamoon samples in the following locations:
Sysvol\domain\scripts \\[DOMAIN]\netlogon\ C:\ProgramData\ |
In addition to the wiper, BlackJack also uses a leaked version of the LockBit ransomware to harm their victims.
We found the ransomware in the same directories as the wiper:
Sysvol\domain\scripts \\[DOMAIN]\netlogon\ C:\ProgramData\ |
The network directories for placing the malware were not chosen at random. This allows the attackers to spread their samples across the victim’s infrastructure and later place them in C:\ProgramData\ for further execution in the system.
To launch LockBit, the attackers use scheduled tasks containing the following command line (the 32-character password may vary depending on the host or victim):
C:\ProgramData\bj.exe -pass aa83ec8e98326e234260ebb650d48f20 |
The ransom note only contains the name of the group:
This confirms that the group is not aiming for financial gain, but rather to cause damage to the compromised organization.
To maintain persistent access to compromised victim resources, the attackers use tunneling with the common ngrok utility. We found the utility and its configuration file in the following directories:
Paths | Description | ||
|
Archive containing executable and configuration files. | ||
|
Ngrok executable file. | ||
|
Configuration file containing an authentication token and other information. |
Here is a list of commands related to ngrok execution:
Commands | Description | ||
|
Ngrok authentication process. | ||
|
Launches the ngrok.exe process and creates a TCP tunnel on port 3389 (RDP). | ||
Alternative for creating a TCP tunnel on port 3389 (RDP). | |||
Creates a UDP tunnel on port 3389 (RDP). |
To ensure remote access to the system, BlackJack installs various remote access tools (RATs). Judging by the incidents we studied, the attackers initially attempted to use the Radmin utility, but all the external connections we observed were made through AnyDesk.
During the RAT installation, the attackers created the following services:
Service name | Launch commands | ||
Radmin Server V3 |
|
||
raddrvv3 |
|
||
AnyDesk Service |
|
Additionally, the popular SSH client PuTTY was used to connect to certain hosts within the infrastructure.
The malware and legitimate tools described above significantly overlap with the arsenal of the hacktivist group Twelve. This group also relies on publicly available software and does not use proprietary tools in its attacks.
Most of the connections and overlaps between the two groups were discovered through Kaspersky Security Network (KSN) telemetry and Kaspersky Threat Intelligence solutions. KSN telemetry is anonymized data from users of our products who have consented to share and process this information.
Let’s first examine the similarities between the ransomware and wiper samples from the BlackJack and Twelve groups. Below is the information from the Kaspersky Threat Intelligence Portal (TIP) on the LockBit ransomware file discovered while investigating the BlackJack attacks:
The sample is named bj.exe, presumably an abbreviation for the BlackJack group. Among other things, the TIP page shows a list of similar files compiled using the Similarity technology, which identifies files with similar patterns. Although the sample used by the hacktivists was created with the leaked LockBit builder, Similarity first identifies the most closely related files. Note the first hash in the list: 39B91F5DFBBEC13A3EC7CCE670CF69AD.
Checking this hash on the Threat Intelligence Portal reveals that it was mentioned in our recent investigation into the Twelve group.
This suggests that the two groups use similar LockBit samples. Additionally, analysis of the configuration of the two samples (BlackJack and Twelve) showed that their exclusion lists (files, directories, and extensions to leave unencrypted) are identical.
Just like the BlackJack’s LockBit sample, the Twelve group’s ransomware also has a list of similar files.
Upon checking one of them (underlined in red on the screenshot), we found that the file was also named bj.exe. This means that it is another instance of the BlackJack group’s ransomware, further indicating that the two groups use nearly identical LockBit samples.
Below is a list of paths where LockBit samples were found during the investigation of incidents related to the BlackJack and Twelve groups:
BlackJack | Twelve |
\\[DOMAIN]\netlogon\ | \\[DOMAIN]\netlogon\ |
C:\ProgramData\ | C:\ProgramData\ |
Sysvol\domain\scripts | – |
Summing up the ransomware analysis, we can draw the following conclusions:
Let’s continue searching for further connections.
The study of wiper samples from incidents involving the BlackJack and Twelve groups also revealed similarities between them.
Both wipers overwrite the MBR record with almost identical placeholder strings:
By analyzing the BlackJack wiper on the Threat Intelligence Portal, we found that in some cases it was extracted from the following archive:
Examining the archive, we found the Chaos ransomware – 646A228C774409C285C256A8FAA49BDE:
Moreover, this file was mentioned in our report on the Twelve group. That is, malware from both groups is distributed in the same archive.
Checking the file names and paths, we discovered a familiar network directory \sysvol\domain\script.
In addition, during our investigation of attacks carried out by the Twelve group, we also found the use of Shamoon-based wipers. Moreover, according to KSN data, a specific variant of Shamoon, which was involved in BlackJack group attacks, was also seen in some Twelve attacks.
Similar to the analysis of the LockBit ransomware, we decided to study the paths where the wipers were found in incidents related to the BlackJack and Twelve groups. As you can see from the table below, these paths are identical:
BlackJack | Twelve |
Sysvol\domain\scripts | Sysvol\domain\scripts |
\\[DOMAIN]\netlogon\ | \\[DOMAIN]\netlogon\ |
C:\ProgramData\ | C:\ProgramData\ |
Summing up the analysis of the Shamoon wiper, we can confidently say that both groups use it or its components in their attacks and place them in identical directories. Moreover, the version of Shamoon that became available as a result of the leak was written in C#, whereas the variants of this wiper used in the BlackJack and Twelve attacks were rewritten in Go, further supporting the connection between these groups.
In addition to the connections identified through analyzing the malware samples, we also discovered overlaps in the commands and tools used by both groups.
Below are the commands found in the BlackJack and Twelve group attacks.
Creating scheduled tasks:
BlackJack | Twelve | ||||
|
|
||||
|
|
Clearing event logs:
BlackJack | Twelve | ||||
|
|
As you can see, apart from the names of the executable files, the commands are identical.
The list of publicly available utilities used by the groups also partially overlaps:
BlackJack | Twelve |
Mimikatz PsExec Ngrok PuTTY XenAllPasswordPro Radmin AnyDesk |
Mimikatz PsExec Ngrok PuTTY XenAllPasswordPro chisel BloodHound adPEAS PowerView RemCom CrackMapExec WinSCP |
During our research, we also discovered another activity that closely resembles the ones described above. At this point, we cannot definitively determine which specific group is responsible for this activity; however, the malware samples and procedures clearly indicate that the source is the activity cluster under investigation.
The similarities we found are listed below:
reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`powershell.exe` Copy-Item `\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\letsgo.exe` -Destination `C:\ProgramData` |
reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`powershell.exe` Copy-Item `\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\enc.exe` -Destination `C:\ProgramData` |
Unknown threat | Twelve | ||||
|
|
||||
|
|
||||
|
|
Also during the investigation of this activity, various artifacts and procedures were discovered that we had not seen in the BlackJack and Twelve attacks:
powershell.exe` -ex bypass -c Get-MpPreference | fl disable* |
Task name | Command line | Description | ||
\run1 |
|
Executing the wiper from the C:\ProgramData folder |
||
\def |
|
Collecting information about disabled Windows Defender features |
cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1710197641.3559299 2>&1 |
The mentioned malware samples, utilities, and command lines were found in the infrastructures of government, telecommunications, and industrial companies in Russia.
Based on our research, we cannot be sure that the same actors are behind the activities of both groups. However, we suspect that the BlackJack and Twelve groups are part of a unified cluster of hacktivist activity aimed at organizations located in Russia.
In this study, we demonstrated that the BlackJack and Twelve groups have similar targets and use similar malware, distributing and executing it using the same methods. At the same time, they are not interested in financial gain but aim to inflict maximum damage on target organizations by encrypting, deleting, and stealing data and resources.
ED5815DDAD8188C198E0E52114173CB6 wip.exe/wiper.exe
5F88A76F52B470DC8E72BBA56F7D7BB2 letsgo.exe
DA30F54A3A14AD17957C88BF638D3436 bj.exe
BF402251745DF3F065EBE2FFDEC9A777 bj.exe
Sysvol\domain\scripts\wip.exe
\\[DOMAIN]\netlogon\wip.exe
C:\ProgramData\wip.exe
Sysvol\domain\scripts\bj.exe
\\[DOMAIN]\netlogon\bj.exe
C:\ProgramData\bj.exe
C:\ProgramData\letsgo.exe
\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\letsgo.exe
C:\ProgramData\enc.exe
\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\enc.exe
C:\Users\[USER]\Downloads\ngrok-v3-stable-windows-amd64.zip
C:\Program Files\Windows Media Player\ngrok.exe
C:\Users\[USER]\AppData\Local\ngrok\ngrok.yml
\copy
\run1
\go2
\im
\def