A BlackByte ransomware affiliate is utilizing a brand new customized information stealing device referred to as ‘ExByte’ to steal information from compromised Windows units shortly.
Data exfiltration is believed to be one of the vital features in double-extortion assaults, with BleepingComputer advised that corporations are extra generally paying ransom calls for to stop the leak of information than to obtain a decryptor.
Due to this, ransomware operations, together with ALPHV and LockBit, are continually engaged on enhancing their information theft instruments.
At the identical time, different risk actors, like Karakurt, do not even trouble to encrypt native copies, solely specializing in information exfiltration.
The Exbyte information exfiltration device
Exbyte was found by safety researchers at Symantec, who say that the risk actors use the Go-based exfiltration device to add stolen recordsdata on to the Mega cloud storage service.
Upon execution, the device performs anti-analysis checks to find out if it is working on a sandboxed atmosphere and checks for debuggers and anti-virus processes.
The processes Exbyte checks are:
- MegaDumper 1.0 by CodeCracker / SnD
- Import reconstructor
- x64dbg
- x32dbg
- OLLYDBG
- WinDbg
- The Interactive Disassembler
- Immunity Debugger – [CPU]
Also, the malware checks for the presence of the next DLL recordsdata:
- avghooka.dll
- avghookx.dll
- sxin.dll
- sf2.dll
- sbiedll.dll
- snxhk.dll
- cmdvrt32.dll
- cmdvrt64.dll
- wpespy.dll
- vmcheck.dll
- pstorec.dll
- dir_watch.dll
- api_log.dll
- dbghelp.dll
The BlackByte ransomware binary additionally implements these identical exams, however the exfiltration device must run them independently since information exfiltration takes place earlier than file encryption.
If the exams are clear, Exbyte enumerates all doc recordsdata on the breached system and uploads them to a newly-created folder on Mega utilizing hardcoded account credentials.
“Next, Exbyte enumerates all doc recordsdata on the contaminated pc, corresponding to .txt, .doc, and .pdf recordsdata, and saves the total path and file title to %APPDATApercentdummy,” explains the report by Symantec.
“The recordsdata listed are then uploaded to a folder the malware creates on Mega.co.nz. Credentials for the Mega account used are hardcoded into Exbyte.”
BlackByte continues to be going robust
BlackByte launched operations in the summer season of 2021, and by February 2022, the gang had breached many non-public and public organizations, together with important infrastructure within the United States.
Symantec analysts report that latest BlackByte assaults depend on exploiting final yr’s ProxyShell and ProxyLogon flaw units in Microsoft Exchange servers.
Moreover, the intruders use instruments corresponding to AdFind, AnyDesk, NetScan, and PowerView to maneuver laterally.
Recent assaults make use of model 2.0 of the ransomware, eradicating Kernel Notify Routines to bypass EDR protections, as Sophos analyzed in an October report.
Like different ransomware operations, BlackByte deletes quantity shadow copies to stop straightforward information restoration, modifies firewall settings to open up all distant connections, and ultimately injects itself in a “scvhost.exe” occasion for the encryption section.
According to an Intel 471 report revealed yesterday, in Q3 2022, BlackByte focused primarily organizations in Africa, more likely to keep away from scary Western legislation enforcement.