Researchers have uncovered a new custom data exfiltration tool being used by at least one BlackByte affiliate in their ransomware attacks.
Researchers with Symantec on Friday said that they discovered the tool, Exbyte, in September, and that it has been utilized in at least two BlackByte ransomware attacks to date. While the tool has been used in conjunction with BlackByte attacks, it’s still too early to say whether Exbyte was developed by the group behind BlackByte or developed by another threat actor, said researchers.
“In terms of functionality, it’s pretty similar to other custom exfiltration tools we’ve seen but there are a few interesting details,” said Dick O’Brien, principal intelligence analyst for the Symantec Threat Hunter Team. “Unlike similar tools, this one is written in Go. It has somewhat more elaborate anti-detection features built in, such as the checks it runs for sandboxed environments or debugging or anti-virus software. It’s also a little bit more customizable and each example we’ve seen has been pre-configured for the victim, with files uploaded to a specified file path for that organization.”
After it has been executed, Exbyte checks for any indicators that it is running in a sandbox environment by calling the IsDebuggerPresent and CheckRemoteDeBuggerPresent APIs, as well as checking for running processes from an array of applications, antivirus and sandbox-related files. The tool then enumerates document files on the infected computers (including .txt, .doc and .pdf files) and uploads them to a folder created on Mega[.]co[.]nz with credentials for the Mega account hardcoded into Exbyte.
“The fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats.”
Exbyte joins a number of custom data exfiltration tools being used by ransomware families, including the Exmatter exfiltration tool discovered in November 2021 used by BlackMatter ransomware attackers, and StealBit, which has been linked to the LockBit ransomware. The main motivation for creating these new customized exfiltration tools is increased speed for ransomware attacks, said O’Brien.
“There are lots of ways to potentially exfiltrate data that don’t require a custom tool but attackers are always looking at ways to reduce their ‘dwell time,’ the time between the initial intrusion and completion of encryption,” said O’Brien. “The longer it takes, the greater the risk of discovery. Automating one aspect of the attack will potentially speed things up.”
The BlackByte ransomware-as-a-service has previously been highlighted by the FBI due to its targeting of organizations across at least three U.S. critical infrastructure sectors.
As previously seen by the FBI, Symantec researchers said that BlackByte actors have been relying on known Microsoft Exchange Server vulnerabilities - including ProxyShell and ProxyLogon - to gain initial access. Researchers said attackers also used an array of tools, including AdFind, AnyDesk, NetScan and PowerView, before deploying version 2.0 of the BlackByte payload.
“Following the departure of a number of major ransomware operations such as Conti and Sodinokibi, BlackByte has emerged as one of the ransomware actors to profit from this gap in the market,” said Symantec researchers. “The fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats.”