Profiles of Intruders: menuPass and ALPHV/BlackCat

Within the realms of threat intelligence, the intricate structures of menuPass/APT10 Umbrella underscore a fundamental challenge: threat actors are not always neatly categorized or uniform.

ALPHV/BlackCat introduces its own complexities to the enigma. At times, it is characterized as a ransomware utilizing Rust and offered as a service, while in other instances, it is identified as the threat actor group overseeing the aforementioned as-a-service provision.

Placed firmly in the latter category by MITRE Engenuity, ALPHV/BlackCat emerged as a ransomware-as-a-service operation in 2021, directing its assaults towards various industries with a versatile ransomware strain capable of launching cross-platform attacks on systems running Windows, Linux, and VMware.

Drawing from both menuPass and ALPHV/BlackCat, MITRE Engenuity amalgamated “signature behaviors” to execute a “multi-subsidiary compromise with overlapping operations emphasizing defense evasion, leverage of trusted relations, data encryption, and hindering system recovery.”

From menuPass, the assessment encompassed a blend of living-off-the-land tactics, bespoke, fileless malware, anti-analysis maneuvers, and exploitation of trusted third-party associations for credential access. It also incorporated defense evasion tactics from ALPHV/BlackCat, alongside data exfiltration, encryption, destruction, and disruption of system recovery.

Their Current Status

Although the TTPs employed in the MITRE Engenuity managed service evaluation are well-documented and known, threat actors are not stagnant beings. Trend™ Research continues to monitor the activities of both menuPass and ALPHV/BlackCat.

Functioning as a state-sponsored cyber espionage entity, menuPass (APT10 Umbrella) continually adjusts its targets in accordance with the interests of the nation-states funding them. Its primary objectives typically revolve around information brokerage and the pilfering of personally identifiable information alongside related undertakings. In 2018, reports indicated that members of the group were indicted, yet the group resurfaced, making waves during the pandemic with apparent (unsuccessful) infiltration attempts on Indian vaccine producers before participating in the A41APT multi-industry data breach operation.

Due to the countless subgroups and splinter factions associated with menuPass, it proves challenging to link any specific campaign to the overarching entity or definitively attribute a single motive, toolset, or TTP.

The ALPHV/BlackCat group, which inspired the attack methodology utilized in this year’s managed services evaluation by MITRE Engenuity, has disbanded, dissolving amidst internal strife following a ransom payment made by Change Healthcare in the winter of 2024. Nonetheless, ransomware threat actor groups have a tendency to disband, regroup, and resurface given the lucrative nature of ransomware operations.

Overall, threat actors’ TTPs are converging as a response to evolving cybersecurity practices and advancing security methodologies.

The Crucial Role of Threat Intelligence

To counter adversaries like menuPass and ALPHV/BlackCat, a combination of cutting-edge cybersecurity tools and superior threat intelligence is indispensable. The significance of the latter component cannot be emphasized enough. Understanding the origin of a threat, its likely motivations, and potential future actions can enhance decision-making processes for tracking and thwarting threats.

The Trend Micro™ Managed Detection and Response (MDR) service leverages the Trend Vision One™ platform, enriched by Trend Research threat intelligence and insights from the Trend Micro™ Zero-Day Initiative™ (ZDI). While Trend Vision One furnishes automated detection and response capabilities, the expertise in deciphering threat behaviors and formulating appropriate responses is provided by Trend Research.

Besides advanced persistent threats and ransomware, Trend Research's current focal points encompass threats to AI, cloud, and network security, as well as comprehending the evolving risk landscape overall – its composition and transformations. We are dedicated to advancing cybersecurity knowledge to deliver the most effective managed security services and propel the evolution of security technologies.

What Lies Ahead

For more insights on our Trend MDR, XDR, and related topics, explore the following resources:
