Crimeware reports

From 12 to 21: how we discovered connections between the Twelve and BlackJack groups

While analyzing attacks on Russian organizations, our team regularly encounters overlapping tactics, techniques, and procedures (TTPs) among different cybercrime groups, and sometimes even shared tools. We recently discovered one such overlap: similar tools and tactics between two hacktivist groups – BlackJack and Twelve, which likely belong to a single cluster of activity.

In this report, we will provide information about the current procedures, legitimate tools, and malware used by the BlackJack group, and demonstrate their similarity to artifacts found in Twelve’s attacks. We will also analyze another recently discovered activity that has much in common with the activity of the potential cluster.

Who are BlackJack?

BlackJack is a hacktivist group that emerged at the end of 2023, targeting companies based in Russia. In their Telegram channel, the group states that it aims to find vulnerabilities in the networks of Russian organizations and government institutions.

As of June 2024, BlackJack has publicly claimed responsibility for over a dozen attacks. Our telemetry also contains information on other unpublicized attacks, where indicators suggest BlackJack’s involvement.

The group only uses freely available and open-source software, such as the SSH client PuTTY or the wiper Shamoon, which has been available on GitHub for several years. This confirms that the group operates as hacktivists and lacks the resources typical of large APT groups.

Malware and legitimate tools in BlackJack attacks

Wiper – Shamoon

BlackJack uses a version of the Shamoon wiper written in Go in their attacks. Static analysis helped us extract the following characteristic strings:

Strings from the wiper

Strings from the wiper

During our research, we found Shamoon samples in the following locations:

Ransomware – LockBit

In addition to the wiper, BlackJack also uses a leaked version of the LockBit ransomware to harm their victims.

Verdicts with which BlackJack's version of LockBit was detected, source: Kaspersky Threat Intelligence Portal (TIP)

Verdicts with which BlackJack’s version of LockBit was detected, source: Kaspersky Threat Intelligence Portal (TIP)

We found the ransomware in the same directories as the wiper:

The network directories for placing the malware were not chosen at random. This allows the attackers to spread their samples across the victim’s infrastructure and later place them in C:\ProgramData\ for further execution in the system.

To launch LockBit, the attackers use scheduled tasks containing the following command line (the 32-character password may vary depending on the host or victim):

The ransom note only contains the name of the group:

Contents of the LockBit ransom note

Contents of the LockBit ransom note

This confirms that the group is not aiming for financial gain, but rather to cause damage to the compromised organization.

Ngrok

To maintain persistent access to compromised victim resources, the attackers use tunneling with the common ngrok utility. We found the utility and its configuration file in the following directories:

Paths Description
Archive containing executable and configuration files.
Ngrok executable file.
Configuration file containing an authentication token and other information.

Here is a list of commands related to ngrok execution:

Commands Description
Ngrok authentication process.
Launches the ngrok.exe process and creates a TCP tunnel on port 3389 (RDP).
Alternative for creating a TCP tunnel on port 3389 (RDP).
Creates a UDP tunnel on port 3389 (RDP).

Radmin, AnyDesk, PuTTY

To ensure remote access to the system, BlackJack installs various remote access tools (RATs). Judging by the incidents we studied, the attackers initially attempted to use the Radmin utility, but all the external connections we observed were made through AnyDesk.

During the RAT installation, the attackers created the following services:

Service name Launch commands
Radmin Server V3
raddrvv3
AnyDesk Service

Additionally, the popular SSH client PuTTY was used to connect to certain hosts within the infrastructure.

Connection with the Twelve group

The malware and legitimate tools described above significantly overlap with the arsenal of the hacktivist group Twelve. This group also relies on publicly available software and does not use proprietary tools in its attacks.

Most of the connections and overlaps between the two groups were discovered through Kaspersky Security Network (KSN) telemetry and Kaspersky Threat Intelligence solutions. KSN telemetry is anonymized data from users of our products who have consented to share and process this information.

Malware sample similarities

Let’s first examine the similarities between the ransomware and wiper samples from the BlackJack and Twelve groups. Below is the information from the Kaspersky Threat Intelligence Portal (TIP) on the LockBit ransomware file discovered while investigating the BlackJack attacks:

BlackJack file information

BlackJack file information

The sample is named bj.exe, presumably an abbreviation for the BlackJack group. Among other things, the TIP page shows a list of similar files compiled using the Similarity technology, which identifies files with similar patterns. Although the sample used by the hacktivists was created with the leaked LockBit builder, Similarity first identifies the most closely related files. Note the first hash in the list: 39B91F5DFBBEC13A3EC7CCE670CF69AD.

List of similar files

List of similar files

Checking this hash on the Threat Intelligence Portal reveals that it was mentioned in our recent investigation into the Twelve group.

This suggests that the two groups use similar LockBit samples. Additionally, analysis of the configuration of the two samples (BlackJack and Twelve) showed that their exclusion lists (files, directories, and extensions to leave unencrypted) are identical.

Just like the BlackJack’s LockBit sample, the Twelve group’s ransomware also has a list of similar files.

List of similar files

List of similar files

Upon checking one of them (underlined in red on the screenshot), we found that the file was also named bj.exe. This means that it is another instance of the BlackJack group’s ransomware, further indicating that the two groups use nearly identical LockBit samples.

Below is a list of paths where LockBit samples were found during the investigation of incidents related to the BlackJack and Twelve groups:

BlackJack Twelve
\\[DOMAIN]\netlogon\ \\[DOMAIN]\netlogon\
C:\ProgramData\ C:\ProgramData\
Sysvol\domain\scripts

Summing up the ransomware analysis, we can draw the following conclusions:

  • Both groups use similar LockBit ransomware samples;
  • The paths where these samples were found are almost identical.

Let’s continue searching for further connections.

Wiper reuse

The study of wiper samples from incidents involving the BlackJack and Twelve groups also revealed similarities between them.

Both wipers overwrite the MBR record with almost identical placeholder strings:

MBR placeholder of the BlackJack wiper

MBR placeholder of the BlackJack wiper

MBR placeholder of the Twelve wiper

MBR placeholder of the Twelve wiper

By analyzing the BlackJack wiper on the Threat Intelligence Portal, we found that in some cases it was extracted from the following archive:

Information about the archive containing the BlackJack wiper

Information about the archive containing the BlackJack wiper

Examining the archive, we found the Chaos ransomware – 646A228C774409C285C256A8FAA49BDE:

Ransomware file in the archive

Ransomware file in the archive

Moreover, this file was mentioned in our report on the Twelve group. That is, malware from both groups is distributed in the same archive.

Checking the file names and paths, we discovered a familiar network directory \sysvol\domain\script.

File names and paths

File names and paths

In addition, during our investigation of attacks carried out by the Twelve group, we also found the use of Shamoon-based wipers. Moreover, according to KSN data, a specific variant of Shamoon, which was involved in BlackJack group attacks, was also seen in some Twelve attacks.

Similar to the analysis of the LockBit ransomware, we decided to study the paths where the wipers were found in incidents related to the BlackJack and Twelve groups. As you can see from the table below, these paths are identical:

BlackJack Twelve
Sysvol\domain\scripts Sysvol\domain\scripts
\\[DOMAIN]\netlogon\ \\[DOMAIN]\netlogon\
C:\ProgramData\ C:\ProgramData\

Summing up the analysis of the Shamoon wiper, we can confidently say that both groups use it or its components in their attacks and place them in identical directories. Moreover, the version of Shamoon that became available as a result of the leak was written in C#, whereas the variants of this wiper used in the BlackJack and Twelve attacks were rewritten in Go, further supporting the connection between these groups.

Familiar commands and utilities

In addition to the connections identified through analyzing the malware samples, we also discovered overlaps in the commands and tools used by both groups.

Below are the commands found in the BlackJack and Twelve group attacks.

Creating scheduled tasks:

BlackJack Twelve

Clearing event logs:

BlackJack Twelve

As you can see, apart from the names of the executable files, the commands are identical.

The list of publicly available utilities used by the groups also partially overlaps:

BlackJack Twelve
Mimikatz
PsExec
Ngrok
PuTTY
XenAllPasswordPro
Radmin
AnyDesk
Mimikatz
PsExec
Ngrok
PuTTY
XenAllPasswordPro
chisel
BloodHound
adPEAS
PowerView
RemCom
CrackMapExec
WinSCP

New activity

During our research, we also discovered another activity that closely resembles the ones described above. At this point, we cannot definitively determine which specific group is responsible for this activity; however, the malware samples and procedures clearly indicate that the source is the activity cluster under investigation.

The similarities we found are listed below:

  1. The discovered wiper contains the characteristic strings we saw in the Twelve and BlackJack wipers and also creates a similar MBR record.
  2. The wiper is spread through the sysvol network directory and saved using a scheduled task, which copies it to that same C:\ProgramData directory.
  3. As in the BlackJack and Twelve attacks, before wiping data with the wiper, the attackers launch the ransomware ( enc.exe), which is also copied from the network folder to C:\ProgramData:
  4. As in Twelve group attacks, the execution of the wiper, as well as copying the wiper and ransomware from the network directory to the C:\ProgramData folder, are performed using scheduled tasks:
Unknown threat Twelve

Also during the investigation of this activity, various artifacts and procedures were discovered that we had not seen in the BlackJack and Twelve attacks:

  1. Using the PowerShell cmdlet Get-MpPreference to gather information about disabled Windows Defender features.
  2. Creating scheduled tasks:
    Task name Command line Description
    \run1 Executing the wiper from the
    C:\ProgramData folder
    \def Collecting information about disabled
    Windows Defender features
  3. Using WMIExec for lateral movement into the root directory.

Victims

The mentioned malware samples, utilities, and command lines were found in the infrastructures of government, telecommunications, and industrial companies in Russia.

Attribution

Based on our research, we cannot be sure that the same actors are behind the activities of both groups. However, we suspect that the BlackJack and Twelve groups are part of a unified cluster of hacktivist activity aimed at organizations located in Russia.

Conclusion

In this study, we demonstrated that the BlackJack and Twelve groups have similar targets and use similar malware, distributing and executing it using the same methods. At the same time, they are not interested in financial gain but aim to inflict maximum damage on target organizations by encrypting, deleting, and stealing data and resources.

Indicators of compromise

Wiper – Shamoon

ED5815DDAD8188C198E0E52114173CB6                    wip.exe/wiper.exe
5F88A76F52B470DC8E72BBA56F7D7BB2               letsgo.exe

Ransomware – LockBit

DA30F54A3A14AD17957C88BF638D3436                 bj.exe
BF402251745DF3F065EBE2FFDEC9A777                  bj.exe

File paths

Sysvol\domain\scripts\wip.exe
\\[DOMAIN]\netlogon\wip.exe
C:\ProgramData\wip.exe
Sysvol\domain\scripts\bj.exe
\\[DOMAIN]\netlogon\bj.exe
C:\ProgramData\bj.exe
C:\ProgramData\letsgo.exe
\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\letsgo.exe
C:\ProgramData\enc.exe
\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\enc.exe
C:\Users\[USER]\Downloads\ngrok-v3-stable-windows-amd64.zip
C:\Program Files\Windows Media Player\ngrok.exe
C:\Users\[USER]\AppData\Local\ngrok\ngrok.yml

Scheduled task names

\copy
\run1
\go2
\im
\def

From 12 to 21: how we discovered connections between the Twelve and BlackJack groups

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox