Symantec’s Threat Hunter Team announced Friday that an affiliate of the BlackByte ransomware-as-a-service organization is using the custom data exfiltration tool Infostealer.Exbyte to steal data.
BlackByte is run by a cybercrime group that Symantec tracks as Hecamede. BlackByte flew under the radar until February 2022, when the FBI issued an alert stating that the group had attacked multiple entities in the U.S., including at least three critical infrastructure providers. Note that the BlackByte name is used for both the ransomware-as-a-service operation and the ransomware payload itself.
Following the departure of a number of major ransomware operations such as Conti and Sodinokibi, BlackByte has emerged as one of the ransomware actors to profit from this gap in the market. The fact that actors are now creating custom tools for use in BlackByte ransomware attacks suggests that it may be on the way to becoming one of the dominant ransomware threats. In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks.
“It’s not necessarily worse than all other ransomware, but it certainly is among the most frequently used ransomware payloads at the moment, along with Quantum, Hive, Noberus and AvosLocker,” said Dick O’Brien, principal intelligence analyst at Symantec’s Threat Hunter Team.
What is the Exbyte data exfiltration tool?
The Exbyte data exfiltration tool is written in the Go programming language and uploads pilfered files to the Mega.co.nz cloud storage service. When Exbyte executes, it checks to see if it is running in a sandbox; if it detects a sandbox, it will quit running, making it hard to find, said O’Brien.
This routine of checks is quite similar to the routine employed by the BlackByte payload itself, as Sophos recently documented.
Next, Exbyte enumerates all document files on the infected computer, such as .txt, .doc and .pdf files, and saves the full path and file name to %APPDATA%\dummy. The files listed are then uploaded to a folder the malware creates on Mega.co.nz. Credentials for the Mega account used are hard-coded into Exbyte.
Exbyte is not the first custom-developed data exfiltration tool to be linked to a ransomware operation. In November 2021, Symantec discovered Exmatter, an exfiltration tool that was used by the BlackMatter ransomware operation and has since been used in Noberus (also known as BlackCat/ALPHV) attacks. Other examples include the Ryuk Stealer tool and StealBit, which is linked to the LockBit ransomware.
What are BlackByte’s tactics, techniques and procedures?
In recent BlackByte attacks investigated by Symantec, the attackers exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange Server to gain initial access.
Symantec also observed attackers using publicly available tools prior to deploying the ransomware payload: AdFind, NetScan and PowerView for Active Directory and network reconnaissance, and AnyDesk for remote access.
“Identifying and enumerating these tools matters because their use represents an early stage warning sign that a ransomware attack is in preparation,” said O’Brien.
Recent attacks have used version 2.0 of the BlackByte payload. On execution, the ransomware payload itself appears to download and save debugging symbols from Microsoft. The command is executed directly from the ransomware.
The ransomware then checks the version information of ntoskrnl.exe. BlackByte then proceeds with the removal of kernel notify routines, the callbacks that security products (EDR drivers in particular) register to be told about process, thread and image-load events; removing them is intended to blind malware detection and removal products. This functionality closely resembles the techniques leveraged in the EDRSandblast tool.
“It’s hard to gauge how successful [removing kernel notify routines] is, since this is a known technique and vendors will be aware of it and likely introduced mitigations,” said O’Brien. “But it’s probably fair to say that it isn’t useless because, if it were, they wouldn’t be using it.”
BlackByte uses vssadmin to delete volume shadow copies and to shrink the shadow storage allocation, so that no local restore points survive. The ransomware then modifies Windows Firewall settings to enable connections used for lateral movement. Finally, BlackByte injects itself into an instance of svchost.exe, conducts file encryption and then deletes the ransomware binary on disk.
How to protect your organization from BlackByte or mitigate its effects
BlackByte is hard to stop, but it’s not impossible, said O’Brien.
“Each step on the attack is an opportunity to identify and block it,” he said. “A defense in depth strategy is always what works best, where you’re employing multiple detection technologies and don’t have a single point of failure. You need to not only be able to have the ability to identify malicious files but also identify malicious behaviors, since many attackers will use legitimate information.”
For the latest protection updates, please read the Symantec protection bulletin.