    BlackByte ransomware uses new data theft tool for double-extortion

    alf9872000

    A BlackByte ransomware affiliate is using a new custom data stealing tool called 'ExByte' to steal data from compromised Windows devices quickly.

     

    Data exfiltration is believed to be one of the most important functions in double-extortion attacks, with BleepingComputer told that companies are more commonly paying ransom demands to prevent the leak of data than to receive a decryptor.

     

    Due to this, ransomware operations, including ALPHV and LockBit, are constantly working on improving their data theft tools.

     

    At the same time, other threat actors, like Karakurt, don't even bother to encrypt local copies, solely focusing on data exfiltration.

    The Exbyte data exfiltration tool

    Exbyte was discovered by security researchers at Symantec, who say that the threat actors use the Go-based exfiltration tool to upload stolen files directly to the Mega cloud storage service.

     

    Upon execution, the tool performs anti-analysis checks to determine whether it is running in a sandboxed environment, and it also checks for debuggers and anti-virus processes.

     

    The processes Exbyte checks are:

    • MegaDumper 1.0 by CodeCracker / SnD
    • Import reconstructor
    • x64dbg
    • x32dbg
    • OLLYDBG
    • WinDbg
    • The Interactive Disassembler
    • Immunity Debugger – [CPU]

     

    Also, the malware checks for the presence of the following DLL files:

    • avghooka.dll
    • avghookx.dll
    • sxin.dll
    • sf2.dll
    • sbiedll.dll
    • snxhk.dll
    • cmdvrt32.dll
    • cmdvrt64.dll
    • wpespy.dll
    • vmcheck.dll
    • pstorec.dll
    • dir_watch.dll
    • api_log.dll
    • dbghelp.dll

     

    The BlackByte ransomware binary also implements these same tests, but the exfiltration tool needs to run them independently since data exfiltration takes place before file encryption.
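    As an added triage aid, not part of the article or Symantec's report: a Python script that extracts printable ASCII and UTF-16LE strings from a file and reports which of the debugger names, sandbox DLLs and the %APPDATA%\dummy path listed above it embeds. The marker lists are copied from the article; the "suspicious" threshold is my own assumption, chosen because dbghelp.dll is a legitimate Windows DLL and a single hit proves little.

```python
import re
import sys

# Debugger / dumper names the article says Exbyte looks for. The last entry
# is the window title "Immunity Debugger – [CPU]", matched by its prefix.
EXBYTE_PROCESS_MARKERS = [
    "MegaDumper 1.0 by CodeCracker / SnD", "Import reconstructor",
    "x64dbg", "x32dbg", "OLLYDBG", "WinDbg",
    "The Interactive Disassembler", "Immunity Debugger",
]

# Sandbox / AV hook DLLs the article says Exbyte probes for.
EXBYTE_DLL_MARKERS = [
    "avghooka.dll", "avghookx.dll", "sxin.dll", "sf2.dll", "sbiedll.dll",
    "snxhk.dll", "cmdvrt32.dll", "cmdvrt64.dll", "wpespy.dll", "vmcheck.dll",
    "pstorec.dll", "dir_watch.dll", "api_log.dll", "dbghelp.dll",
]

# Path where the file listing is written (from the Symantec quote).
EXBYTE_ARTIFACT_MARKERS = [r"%APPDATA%\dummy"]


def extract_strings(data: bytes, min_len: int = 4) -> set:
    """Return printable ASCII and UTF-16LE strings, like `strings -a -el`."""
    ascii_hits = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_hits = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    found = {s.decode("ascii") for s in ascii_hits}
    found |= {s.decode("utf-16le") for s in wide_hits}
    return found


def score_sample(data: bytes) -> dict:
    """Report which Exbyte anti-analysis markers appear in a sample's strings."""
    lowered = " | ".join(extract_strings(data)).lower()
    hits = {
        "processes": [m for m in EXBYTE_PROCESS_MARKERS if m.lower() in lowered],
        "dlls": [m for m in EXBYTE_DLL_MARKERS if m.lower() in lowered],
        "artifacts": [m for m in EXBYTE_ARTIFACT_MARKERS if m.lower() in lowered],
    }
    # Assumed threshold: several sandbox DLL names plus at least one debugger
    # name; a lone dbghelp.dll reference is common in benign binaries.
    hits["suspicious"] = len(hits["dlls"]) >= 4 and len(hits["processes"]) >= 1
    return hits


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(score_sample(fh.read()))
```

Run it as `python exbyte_triage.py <file>`; the "suspicious" flag is a triage hint for analysts, not a verdict.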

     

    If the tests are clean, Exbyte enumerates all document files on the breached system and uploads them to a newly created folder on Mega using hardcoded account credentials.

     

    "Next, Exbyte enumerates all document files on the infected computer, such as .txt, .doc, and .pdf files, and saves the full path and file name to %APPDATA%\dummy," explains the report by Symantec.

     

    "The files listed are then uploaded to a folder the malware creates on Mega.co.nz. Credentials for the Mega account used are hardcoded into Exbyte."

     

    BlackByte is still going strong

     

    BlackByte launched operations in the summer of 2021, and by February 2022, the gang had breached many private and public organizations, including critical infrastructure in the United States.

     

    Symantec analysts report that recent BlackByte attacks rely on exploiting last year's ProxyShell and ProxyLogon flaw sets in Microsoft Exchange servers.

     

    Moreover, the intruders use tools such as AdFind, AnyDesk, NetScan, and PowerView to move laterally.

     

    Recent attacks employ version 2.0 of the ransomware, removing Kernel Notify Routines to bypass EDR protections, as Sophos analyzed in an October report.

     

    Like other ransomware operations, BlackByte deletes volume shadow copies to prevent easy data restoration, modifies firewall settings to open up all remote connections, and eventually injects itself into a "scvhost.exe" instance for the encryption phase.

     

    [Image: BlackByte's commands to configure firewall on host (Symantec)]

     

    According to an Intel 471 report published yesterday, in Q3 2022, BlackByte targeted primarily organizations in Africa, likely to avoid provoking Western law enforcement.

     