28/09/2023

Tech Update


BlackCat ransomware’s data exfiltration tool gets an upgrade

The BlackCat ransomware (aka ALPHV) is showing no signs of slowing down, and the latest example of its evolution is a new version of the gang’s data exfiltration tool used in double-extortion attacks.

BlackCat is considered a successor to DarkSide and BlackMatter and is one of the most sophisticated and technically advanced Ransomware-as-a-Service (RaaS) operations.

Security researchers at Symantec report that the developer of BlackCat, the first Rust-based ransomware strain, continuously improves and enriches the malware with new features.

Recently, the focus appears to have been on the tool used to exfiltrate data from compromised systems, an essential prerequisite for double-extortion attacks.

Named “Exmatter,” the tool has been in use since BlackCat’s launch in November 2021 and was heavily updated in August 2022, with the following changes:

  • Restrict the file types to exfiltrate to: PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG.
  • Add FTP as an exfiltration option in addition to SFTP and WebDAV.
  • Add the option to build a report listing all processed files.
  • Add an “Eraser” feature that can corrupt processed files.
  • Add a “Self-destruct” configuration option that terminates and deletes the tool if it is executed outside a valid environment.
  • Remove support for SOCKS5.
  • Add an option for GPO deployment.

Beyond the expanded feature set, the latest Exmatter build has also been heavily refactored, so that existing capabilities are implemented more stealthily to evade detection.
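The feature list above describes what Exmatter does on a host: sweep files with a fixed set of extensions, then push them out over FTP, SFTP or WebDAV. As an added example (not code from the article or from Symantec), the following Python detector turns that description into behavioural detection logic over EDR-style telemetry: it flags any process that reads many files with the targeted extensions and also opens a connection over one of those three upload protocols. The event schema, the thresholds, the process names and all sample events are assumptions constructed for the example; the extension and protocol sets are the ones the article attributes to the August 2022 build.

```python
"""Toy behavioural detector for Exmatter-style collection and exfiltration.

Added example, not code from the article or from Symantec. Assumes flat
EDR-style telemetry (dicts with the keys used below); thresholds are
assumptions to tune per environment.
"""
from collections import defaultdict

# Extensions the August 2022 Exmatter build restricts itself to (from the article).
EXMATTER_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "png", "jpg", "jpeg", "txt", "bmp", "rdp",
    "sql", "msg", "pst", "zip", "rtf", "ipt", "dwg",
}
# Upload protocols the same build supports (from the article).
EXFIL_PROTOCOLS = {"ftp", "sftp", "webdav"}


def file_extension(path: str) -> str:
    """Lower-cased extension without the dot, or '' when the file name has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_exmatter_like(events, min_files=10, min_extensions=3):
    """Return one alert per (host, pid, image) that read at least `min_files`
    targeted files spanning `min_extensions` different extensions and also
    connected out over FTP, SFTP or WebDAV."""
    procs = defaultdict(lambda: {"files": set(), "exts": set(), "exfil": set()})
    for ev in events:
        key = (ev["host"], ev["pid"], ev["image"])
        if ev["type"] == "file_read":
            ext = file_extension(ev["path"])
            if ext in EXMATTER_EXTENSIONS:
                procs[key]["files"].add(ev["path"])
                procs[key]["exts"].add(ext)
        elif ev["type"] == "net_connect" and ev["proto"].lower() in EXFIL_PROTOCOLS:
            procs[key]["exfil"].add((ev["proto"].lower(), ev["dest"]))

    alerts = []
    for (host, pid, image), p in procs.items():
        if len(p["files"]) >= min_files and len(p["exts"]) >= min_extensions and p["exfil"]:
            alerts.append({
                "host": host, "pid": pid, "image": image,
                "files": len(p["files"]), "extensions": sorted(p["exts"]),
                "exfil": sorted(p["exfil"]),
            })
    return alerts


def read_events(host, pid, image, names, start=0):
    """Helper that fabricates one file_read event per file name (constructed data)."""
    return [{"t": start + i, "host": host, "pid": pid, "image": image,
             "type": "file_read", "path": f"C:\\Users\\jdoe\\Documents\\{n}"}
            for i, n in enumerate(names)]


# Constructed telemetry for the example; not real data.
EVENTS = (
    # Word opens two documents; nothing leaves the host.
    read_events("WS01", 2210, "WINWORD.EXE", ["report.docx", "report.pdf"], start=50)
    # Exmatter-like sweep across many targeted file types, then an SFTP session out.
    + read_events("WS01", 4120, "svchost32.exe", [
        "budget.xls", "contract.pdf", "contract.docx", "notes.txt", "scan.jpg",
        "export.sql", "archive.zip", "mail.pst", "plan.dwg", "part.ipt",
        "server.rdp", "memo.rtf"], start=100)
    + [{"t": 200, "host": "WS01", "pid": 4120, "image": "svchost32.exe",
        "type": "net_connect", "proto": "sftp", "dest": "203.0.113.5:22"}]
    # A backup agent reads a lot but talks SMB, which is not an Exmatter upload path.
    + read_events("WS01", 880, "BackupAgent.exe",
                  [f"file{i}.{e}" for i, e in enumerate(["docx", "pdf", "xls"] * 5)], start=300)
    + [{"t": 320, "host": "WS01", "pid": 880, "image": "BackupAgent.exe",
        "type": "net_connect", "proto": "smb", "dest": "10.0.0.9:445"}]
    # An interactive FTP client with no document sweep behind it.
    + [{"t": 400, "host": "WS01", "pid": 5012, "image": "ftp.exe",
        "type": "net_connect", "proto": "ftp", "dest": "198.51.100.20:21"}]
)

if __name__ == "__main__":
    for alert in detect_exmatter_like(EVENTS):
        print(alert)
```

Only the svchost32.exe process trips the rule: it read twelve targeted files across twelve extensions and then reached out over SFTP. The backup agent is noisy on file reads but never uses an Exmatter upload protocol, and the FTP client never collected anything, so requiring both halves of the behaviour keeps each of them quiet. In a real deployment the thresholds and the allowlisting of known backup and sync tools need tuning, and the protocol label would come from the sensor rather than from a field in the event.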

Another recent addition to BlackCat’s data-stealing capability is the deployment of a new malware called “Eamfo,” which specifically targets credentials stored in Veeam backups.

Veeam’s software is commonly used to store credentials for domain controllers and cloud services, which the ransomware actors can then reuse for further infiltration and lateral movement.

Eamfo connects to the Veeam SQL database and steals the backup credentials with the following SQL query:

select [user_name],[password], [...] FROM [VeeamBackup].[dbo].[Credentials]

Once the credentials are extracted, Eamfo decrypts them and displays them to the threat actor.

The researchers note that this data-stealing malware has been used by other ransomware gangs in the past, including Monti, Yanluowang, and LockBit.
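Because Eamfo and the other tools that reuse this trick all end up issuing a SELECT against the same table, that table is a natural place to put a tripwire. As an added example (not code from the article or from Symantec) of how a defender could hunt for such reads, the Python script below parses SQL Server audit records and flags any statement that touches [VeeamBackup].[dbo].[Credentials] from an application that is not on an allowlist, rating reads that pull both user_name and password higher than other reads of the table. The tab-separated record format, the field names, the allowlist, the application names and every sample line are assumptions constructed for the example.

```python
"""Hunt for Eamfo-style reads of Veeam's stored credentials in SQL Server audit records.

Added example, not code from the article or from Symantec. Assumes records
exported from a SQL Server audit as tab-separated lines with the fields in
FIELDS; the allowlist of legitimate readers is an assumption to tune locally.
"""
import re

FIELDS = ("event_time", "server_principal_name", "client_ip", "application_name", "statement")

# Any reference to dbo.Credentials in VeeamBackup, bracketed or not, with or
# without the database qualifier (the query in the article uses the fully qualified form).
CREDENTIALS_TABLE = re.compile(
    r"(?:\[?VeeamBackup\]?\s*\.\s*)?\[?dbo\]?\s*\.\s*\[?Credentials\]?",
    re.IGNORECASE,
)
# The two columns that make a read valuable to an attacker.
SENSITIVE_COLUMNS = ("user_name", "password")

# Assumed legitimate readers, matched as a prefix of application_name.
# Only Veeam's own services should ever touch this table (assumption).
ALLOWED_APP_PREFIXES = ("Veeam",)

# Constructed audit export for the example; not real records.
CONSTRUCTED_AUDIT = (
    "2022-08-22T02:14:07\tNT AUTHORITY\\SYSTEM\t<local machine>\tVeeam Backup Service\t"
    "SELECT [user_name],[password],[description] FROM [dbo].[Credentials] WHERE [id] = @id\n"
    "2022-08-22T02:31:55\tVBR01\\backupadmin\t10.0.20.15\tSQLCMD\t"
    "select [user_name],[password] from [VeeamBackup].[dbo].[Credentials]\n"
    "2022-08-22T02:32:10\tVBR01\\backupadmin\t10.0.20.15\tSQLCMD\t"
    "select name from sys.tables\n"
    "2022-08-22T03:05:42\tCORP\\svc_report\t10.0.5.7\tReportBuilder\t"
    "SELECT COUNT(*) FROM dbo.Backups\n"
    "2022-08-22T03:40:01\tsa\t10.0.20.15\t.Net SqlClient Data Provider\t"
    "SELECT description FROM VeeamBackup.dbo.Credentials\n"
)


def parse_audit(text):
    """Turn exported audit lines into dicts keyed by FIELDS; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def find_credential_reads(records, allowed_prefixes=ALLOWED_APP_PREFIXES):
    """Return one alert per statement that references the Credentials table from
    an application outside the allowlist. Severity is 'high' when the statement
    selects both user_name and password (what Eamfo is after), else 'medium'."""
    alerts = []
    for rec in records:
        stmt = rec["statement"]
        if not CREDENTIALS_TABLE.search(stmt):
            continue
        if rec["application_name"].startswith(allowed_prefixes):
            continue
        cols_hit = [c for c in SENSITIVE_COLUMNS
                    if re.search(rf"\b{c}\b", stmt, re.IGNORECASE)]
        severity = "high" if len(cols_hit) == len(SENSITIVE_COLUMNS) else "medium"
        alerts.append({
            "time": rec["event_time"],
            "principal": rec["server_principal_name"],
            "client_ip": rec["client_ip"],
            "application": rec["application_name"],
            "severity": severity,
            "columns": cols_hit,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_credential_reads(parse_audit(CONSTRUCTED_AUDIT)):
        print(alert)
```

On the constructed data the Veeam service’s own read is ignored, the SQLCMD session that mirrors the article’s query is rated high, and the ad hoc .Net client that only pulls the description column is rated medium; both suspicious reads come from the same client IP, which is the kind of pivot worth following up. The script only sees what the database records, so the prerequisite is a SQL Server audit that captures SELECT on this table; without that, a tool like Eamfo leaves no trace at this layer.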

Finally, Symantec has observed the BlackCat operation using an older anti-rootkit utility to terminate antivirus processes.

Staying at the top

In June 2022, BlackCat added support for encrypting files on ARM architectures and a mode to encrypt in Windows safe mode with or without networking.

At that time, the gang also created a dedicated online resource where people could search for their stolen data, to increase the pressure on breached companies.

It is clear that BlackCat constantly evolves with new tools, improvements, and extortion tactics to make the RaaS operation more effective and profitable.

Symantec reports that BlackCat’s operators expel affiliates who are not as prolific as they would like, suggesting that those affiliates then seek collaboration with lower-tier RaaS programs.

Researchers have also seen ex-Conti affiliates moving to BlackCat/ALPHV after the Conti ransomware gang shut down its operation.

This shutdown has led to an influx of experienced attackers who were quickly able to launch new attacks under the new operation.