BlackByte uses Exbyte, a new custom exfiltration tool, to steal data. Learn how to protect your organization from this ransomware.
Symantec’s Threat Hunter team announced Friday that an affiliate of the BlackByte ransomware-as-a-service operation is using a custom data exfiltration tool, Infostealer.Exbyte, to steal data.
BlackByte is run by a cybercrime group that Symantec calls Hecamede. BlackByte flew under the radar until February 2022, when the FBI issued a warning stating that the group had attacked multiple entities in the US, including at least three critical infrastructure providers. Symantec uses the name BlackByte for both the group and its ransomware.
SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
After the departure of several major ransomware operations like Conti and Sodinokibi, BlackByte has emerged as one of the ransomware actors to take advantage of this gap in the market. The fact that actors are now creating custom tools for use in BlackByte ransomware attacks suggests that it is on its way to becoming one of the dominant ransomware threats. In recent months, BlackByte has become one of the most widely used payloads in ransomware attacks.
“It’s not necessarily worse than any other ransomware, but it’s certainly one of the most widely used ransomware payloads right now, along with Quantum, Hive, Noberus and AvosLocker,” said Dick O’Brien, principal intelligence analyst at Symantec’s Threat Hunter Team.
What is the Exbyte ransomware tool?
The Exbyte data exfiltration tool is written in the Go programming language and uploads stolen files to the Mega.co.nz cloud storage service. When Exbyte runs, it first checks whether it is executing in a sandbox; if it detects one, it stops running, which makes the tool harder to analyze, O’Brien said.
This routine of checks is very similar to the one used by the BlackByte payload itself, as Sophos recently documented.
Exbyte then enumerates all document files on the infected computer, such as .txt, .doc and .pdf files, and writes their full paths and file names to %APPDATA%\dummy. The listed files are then uploaded to a folder that the malware creates on Mega.co.nz. The credentials for the Mega account used are hard-coded in Exbyte.
Exbyte is not the first custom data exfiltration tool associated with a ransomware operation. In November 2021, Symantec discovered Exmatter, an exfiltration tool that was used by the BlackMatter ransomware operation and has been used in Noberus attacks ever since. Other examples include the Ryuk Stealer tool and StealBit, which is associated with the LockBit ransomware.
What are BlackByte’s tactics, techniques and procedures?
In recent BlackByte attacks investigated by Symantec, the attackers exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange Servers to gain initial access.
Symantec also observed that the attackers used the publicly available reconnaissance and querying tools AdFind, AnyDesk, NetScan and PowerView before deploying the ransomware payload.
“Identifying and inventorying these tools is important because using them is an early warning sign that a ransomware attack is pending,” said O’Brien.
Recent attacks have used version 2.0 of the BlackByte payload. When executed, the ransomware payload appears to download and store debug symbols from Microsoft itself. The command is executed directly from the ransomware.
The ransomware then checks the version information of ntoskrnl.exe. BlackByte then proceeds to remove kernel notify routines, a step intended to bypass malware detection and removal products. This functionality is very similar to the techniques used in the EDRSandblast tool.
“It is difficult to gauge how successful [removing kernel notify routines] is. It is a known technique, and vendors will be aware of it and are likely to introduce solutions,” O’Brien said. “But it’s probably fair to say it’s not useless, because if it were, they wouldn’t be using it.”
BlackByte uses VssAdmin to delete volume shadow copies and resize the storage allocation. The ransomware then modifies firewall settings to allow linked connections. Finally, BlackByte injects itself into an instance of svchost.exe, performs file encryption, and then deletes its own binary from disk.
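As an added example (not code from the article or from Symantec), the following triage script applies O’Brien’s point that each stage is a detection opportunity: it flags process-creation events for the reconnaissance tools named in the Symantec findings and for VssAdmin shadow-copy deletion and storage resizing, and escalates hosts where both appear. The event format and the sample command lines are constructed assumptions, not telemetry from the article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str      # executable name as logged by an EDR or Sysmon sensor (assumed schema)
    cmdline: str    # full command line


# Each rule is (label, pattern) matched against "image cmdline". The tool names come
# from the Symantec findings above; the vssadmin verbs are the standard CLI verbs.
RULES = [
    ("recon_tool", re.compile(r"\b(adfind|anydesk|netscan|powerview)\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
]


def classify(ev: ProcEvent) -> list:
    """Return the labels that fire on one event (empty list means no hit)."""
    text = f"{ev.image} {ev.cmdline}"
    return [label for label, rx in RULES if rx.search(text)]


def triage(events) -> dict:
    """Group hits per host; escalate hosts where recon tooling and shadow-copy
    tampering both appear, the sequence the article describes."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev.host].update(classify(ev))
    report = {}
    for host, labels in hits.items():
        if not labels:
            continue  # hosts with no hits are left out of the report
        tamper = bool(labels & {"shadow_copy_delete", "shadow_storage_resize"})
        severity = "critical" if ("recon_tool" in labels and tamper) else "warning"
        report[host] = {"labels": sorted(labels), "severity": severity}
    return report


# Constructed sample telemetry (not real logs).
SAMPLE = [
    ProcEvent("ws01", "adfind.exe", "adfind.exe -f objectcategory=computer"),
    ProcEvent("ws01", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent("ws01", "vssadmin.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ProcEvent("ws02", "vssadmin.exe", "vssadmin list shadows"),  # benign admin check, no hit
    ProcEvent("ws03", "powershell.exe", "powershell Import-Module .\\PowerView.ps1"),
]

if __name__ == "__main__":
    for host, r in triage(SAMPLE).items():
        print(host, r["severity"], r["labels"])
```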
How can you protect your organization from BlackByte or mitigate its effects?
BlackByte is hard to stop, but it’s not impossible, O’Brien said.
“Each step in the attack is an opportunity to identify and block it,” he said. “A deep defense strategy always works best when you use multiple detection technologies and don’t have a single point of failure. You should not only be able to identify malicious files, but also identify malicious behavior as many attackers will use legitimate information.”
For the latest security updates, read the Symantec Security Bulletin.