The prolific ransomware known as Noberus, BlackCat or ALPHV has undergone a major update, and researchers warn that attackers using the ransomware have also been spotted evolving their tactics by leveraging a new version of the Exmatter data exfiltration tool as well as an information stealer called Eamfo as part of their attack chain.
Noberus, which is coded in Rust and was first seen in November 2021, was developed by a group identified by Symantec as Coreid (also tracked as FIN7 or Carbon Spider). Since then, the ransomware has emerged in attacks across multiple countries, including the U.S., Australia and India, with the FBI saying the ransomware had compromised at least 60 entities as of March. Of note, Coreid runs a ransomware-as-a-service program, meaning that Noberus is distributed by various affiliates, which can explain the differing TTPs and attack chains associated with the ransomware.
“There’s no doubt that Coreid is one of the most dangerous and active ransomware developers operating at the moment,” said researchers with the Symantec threat hunter team in a Thursday analysis. “Its continuous development of its ransomware and its affiliate programs indicates that this sophisticated and well-resourced attacker has little intention of going anywhere anytime soon.”
In June, Coreid made sweeping updates to Noberus by including an ARM build for the encryption of non-standard architectures and introducing additional encryption functionality to the Windows build (via rebooting into safe mode). Several updates were also made to the locker component of the ransomware, including the addition of new restart logic and a change that simplifies the Linux encryption process. The threat actors also began indexing stolen data on their data leaks website, meaning that leaks can be searched for by keyword, file type and more.
In August, researchers observed attackers starting to use an updated version of the known Exmatter data exfiltration tool alongside Noberus in ransomware attacks. This malware, initially seen in November 2021 being used alongside the BlackMatter ransomware, is designed to steal files from targeted directories. The newest Exmatter version reduced the number of file types it aims to exfiltrate. It also added several new capabilities, including building a report listing all processed files, corrupting processed files, and self-destructing if executed in a non-corporate environment.
“In addition to this, the malware was extensively rewritten, and even existing features were implemented differently,” said Symantec researchers. “This was possibly a bid to avoid detection. Whether Exmatter is the creation of Coreid or a skilled affiliate of the group is not clear, but its use alongside two different iterations of Coreid’s ransomware is notable.”
Researchers said that at least one Noberus affiliate was observed in late August using information-stealing malware called Eamfo that is designed to steal credentials stored by Veeam backup software, which can store credentials for systems ranging from domain controllers to cloud services. Eamfo has been around since at least August 2021, and researchers said there is evidence that it was previously used by attackers alongside Yanluowang and LockBit ransomware attacks.
“Stealing credentials from Veeam is a known attack technique that can facilitate privilege escalation and lateral movement, providing the attackers with access to more data they can potentially exfiltrate and more machines to encrypt,” said Symantec researchers.