BlackByte is using Exbyte, a brand-new custom exfiltration tool, to steal data. Learn how to protect your organization from this ransomware.
Symantec's Threat Hunter Team announced Friday that an affiliate of the BlackByte ransomware-as-a-service group is using the custom data exfiltration tool Infostealer.Exbyte to steal data.
BlackByte is run by a cybercrime group that Symantec refers to as Hecamede. BlackByte flew under the radar until February 2022, when the FBI issued an alert stating that the group had attacked a number of entities in the U.S., including at least three critical infrastructure providers. Symantec refers to both the BlackByte group and the BlackByte ransomware by the same name.
Following the departure of a number of major ransomware operations such as Conti and Sodinokibi, BlackByte has emerged as one of the ransomware actors profiting from this gap in the market. The fact that actors are now developing custom tools for use in BlackByte ransomware attacks suggests that it may be on the way to becoming one of the dominant ransomware threats. In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks.
"It's not necessarily worse than all other ransomware, but it certainly is among the most frequently used ransomware payloads at the moment, along with Quantum, Hive, Noberus and AvosLocker," said Dick O'Brien, principal intelligence analyst at Symantec's Threat Hunter Team.
What is the Exbyte exfiltration tool?
The Exbyte data exfiltration tool is written in the Go programming language and uploads pilfered data to the Mega.co.nz cloud storage service. When Exbyte executes, it checks whether it is running in a sandbox; if it detects a sandbox, it stops running, making it hard to find, said O'Brien.
This routine of checks is quite similar to the routine employed by the BlackByte payload itself, as Sophos recently documented.
Next, Exbyte enumerates all document files on the infected computer, such as .txt, .doc and .pdf files, and saves the full path and file name to %APPDATA%\dummy. The files listed are then uploaded to a folder the malware creates on Mega.co.nz. Credentials for the Mega account used are hard-coded into Exbyte.
Exbyte is not the first custom-developed data exfiltration tool to be linked to a ransomware operation. In November 2021, Symantec discovered Exmatter, an exfiltration tool that was used by the BlackMatter ransomware operation and has since been used in Noberus attacks. Other examples include the Ryuk Stealer tool and StealBit, which is linked to the LockBit ransomware.
What are BlackByte's tactics, techniques and procedures?
In recent BlackByte attacks investigated by Symantec, the attackers exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange Server to gain initial access.
Symantec also observed attackers using the publicly available reconnaissance and query tools AdFind, AnyDesk, NetScan and PowerView prior to deploying the ransomware payload.
"Identifying and enumerating these tools matters because their use represents an early stage warning sign that a ransomware attack is in preparation," said O'Brien.
Recent attacks have used version 2.0 of the BlackByte payload. On execution, the ransomware payload itself appears to download and save debugging symbols from Microsoft. The command is executed directly from the ransomware.
The ransomware then checks the version information of ntoskrnl.exe. BlackByte then proceeds with the removal of kernel notify routines; the purpose of this is to bypass malware detection and removal products. This functionality closely resembles the techniques leveraged in the EDRSandblast tool.
"It's hard to gauge how successful [removing kernel notify routines] is, since this is a known technique and vendors will be aware of it and likely introduced mitigations," said O'Brien. "But it's probably fair to say that it isn't useless because, if it were, they wouldn't be using it."
BlackByte uses VssAdmin to delete volume shadow copies and resize storage allocation. The ransomware then modifies firewall settings to enable linked connections. Finally, BlackByte injects itself into an instance of svchost.exe, conducts file encryption and then deletes the ransomware binary on disk.
How to protect your organization from BlackByte or mitigate its effects
BlackByte is difficult to stop, but it's not impossible, said O'Brien.
"Each step on the attack is an opportunity to identify and block it," he said. "A defense in depth strategy is always what works best, where you're employing multiple detection technologies and don't have a single point of failure. You need to not only be able to have the ability to identify malicious files but also identify malicious behaviors, since many attackers will use legitimate information."
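The "each step is an opportunity to identify it" advice applies directly to the TTPs described above: the recon tools, the VssAdmin shadow-copy deletion and resize, and the firewall change all surface in process-creation telemetry. The following is an added example (not Symantec's or TechRepublic's code) that runs simple behavioural rules over constructed process-creation events and ranks hosts by how far along the attack chain they appear to be. The sample events and the assumption that the firewall change appears as a netsh command line are constructed for illustration; the article does not state how the firewall is modified.

```python
import re

# Constructed sample process-creation events (the fields Sysmon Event ID 1 or
# EDR telemetry would carry); they are not logs from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\svc-backup",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\svc-backup",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ws01", "user": "CORP\\svc-backup",
     "cmdline": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"host": "dc01", "user": "CORP\\jdoe",
     "cmdline": "AdFind.exe -f objectcategory=computer -csv"},
    {"host": "ws02", "user": "CORP\\asmith",
     "cmdline": "notepad.exe quarterly-report.txt"},
]

# (rule name, attack stage, pattern over the command line). The recon-tool
# names are the ones the article lists; the netsh pattern is an assumption
# about how the firewall change would surface, not something the article states.
RULES = [
    ("shadow_copy_deletion", "impact",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_storage_resize", "impact",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("firewall_rule_change", "defense_evasion",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\b", re.I)),
    ("recon_tool_execution", "discovery",
     re.compile(r"\b(adfind|netscan|powerview|anydesk)(\.exe)?\b", re.I)),
]


def match_event(event):
    """Return the (rule, stage) pairs whose pattern hits this event's command line."""
    return [(name, stage) for name, stage, pat in RULES if pat.search(event["cmdline"])]


def triage(events):
    """Group hits per host and rank hosts: any 'impact' hit means encryption is
    imminent, so it outranks discovery-only activity; ties break on hit count."""
    per_host = {}
    for ev in events:
        for name, stage in match_event(ev):
            per_host.setdefault(ev["host"], []).append((name, stage))
    return sorted(per_host.items(),
                  key=lambda kv: (any(s == "impact" for _, s in kv[1]), len(kv[1])),
                  reverse=True)


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(host, [name for name, _ in hits])
```

A discovery-only hit on dc01 is the early warning O'Brien describes, while the impact-stage hits on ws01 indicate the encryption phase has begun and warrant immediate isolation.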
For the latest security updates, please read the Symantec security bulletin.