- Symantec's Threat Hunter Team has discovered that at least one affiliate of the BlackByte ransomware operation has begun using a custom data exfiltration tool.
- The malware is designed to expedite the theft of data from the victim’s network and upload it to an external server.
- The Exbyte exfiltration tool is written in Go and designed to upload stolen files to the Mega.co.nz cloud storage service.
Symantec’s Threat Hunter Team reports that the notorious BlackByte ransomware operation has started using a custom data exfiltration tool in its attacks. The malware, detected as Infostealer.Exbyte, is designed to speed up the theft of data from a compromised network and its upload to an external server.
Infostealer.Exbyte
The new exfiltration tool is written in Go and uploads stolen files to Mega.co.nz, a cloud storage service. Once executed, Exbyte first runs a series of checks for signs that it is being debugged or executed in a sandbox, which makes it harder to analyze. It calls the IsDebuggerPresent and CheckRemoteDebuggerPresent Windows APIs, and it also checks whether processes belonging to the following debugging and analysis tools are running:
- MegaDumper 1.0 by CodeCracker / SnD
- Import reconstructor
- x64dbg
- x32dbg
- OLLYDBG
- WinDbg
- The Interactive Disassembler
- Immunity Debugger – [CPU]
It then checks for the presence of the following antivirus-hook and sandbox-related DLLs:
- avghooka.dll
- avghookx.dll
- sxin.dll
- sf2.dll
- sbiedll.dll
- snxhk.dll
- cmdvrt32.dll
- cmdvrt64.dll
- wpespy.dll
- vmcheck.dll
- pstorec.dll
- dir_watch.dll
- api_log.dll
- dbghelp.dll
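The two lists above double as a static triage signature: a sample that carries the debugger window titles and the sandbox DLL names together is worth a closer look even before it is run. The scanner below is an added example, not code from Symantec's report or from Exbyte itself. It searches a binary or memory dump for the page's indicators in both UTF-8 (how a Go binary stores string literals) and UTF-16LE (how strings are passed to the Windows API), and it deliberately requires a cluster of hits before rating a file "high", because single indicators such as dbghelp.dll or IsDebuggerPresent are common in benign software. The sample byte strings are constructed for the demonstration and are not real malware bytes.

```python
import re

# Window titles / process names the report says Exbyte looks for.
# The page writes the Immunity title with an en dash; the scanner
# normalises dashes in the input so either form matches.
DEBUGGER_TITLES = [
    "MegaDumper 1.0 by CodeCracker / SnD",
    "Import reconstructor",
    "x64dbg",
    "x32dbg",
    "OLLYDBG",
    "WinDbg",
    "The Interactive Disassembler",
    "Immunity Debugger - [CPU]",
]

# Sandbox / AV hook DLLs the report says Exbyte looks for.
SANDBOX_DLLS = [
    "avghooka.dll", "avghookx.dll", "sxin.dll", "sf2.dll", "sbiedll.dll",
    "snxhk.dll", "cmdvrt32.dll", "cmdvrt64.dll", "wpespy.dll", "vmcheck.dll",
    "pstorec.dll", "dir_watch.dll", "api_log.dll", "dbghelp.dll",
]

DEBUG_APIS = ["IsDebuggerPresent", "CheckRemoteDebuggerPresent"]


def _patterns(indicator: str):
    """Case-insensitive byte patterns for the two encodings a Windows PE
    is likely to carry the string in: UTF-8 and UTF-16LE."""
    for enc in ("utf-8", "utf-16-le"):
        yield re.compile(re.escape(indicator.encode(enc)), re.IGNORECASE)


def scan_blob(blob: bytes) -> dict:
    """Return which indicators appear in a binary or memory dump."""
    # Heuristic normalisation so "Immunity Debugger – [CPU]" (en dash) matches.
    blob = blob.replace("\u2013".encode("utf-8"), b"-")
    blob = blob.replace("\u2013".encode("utf-16-le"), "-".encode("utf-16-le"))
    groups = {"debuggers": DEBUGGER_TITLES, "sandbox_dlls": SANDBOX_DLLS, "apis": DEBUG_APIS}
    hits = {}
    for name, indicators in groups.items():
        hits[name] = [i for i in indicators if any(p.search(blob) for p in _patterns(i))]
    return hits


def verdict(hits: dict, min_debuggers: int = 3, min_dlls: int = 5) -> str:
    """Rate the hits. Lone indicators (dbghelp.dll, IsDebuggerPresent) are
    common in benign software, so only a cluster of them rates 'high'."""
    n_dbg, n_dll = len(hits["debuggers"]), len(hits["sandbox_dlls"])
    if n_dbg >= min_debuggers and n_dll >= min_dlls:
        return "high"
    if n_dbg >= 1 or n_dll >= 3:
        return "medium"
    return "low"


def scan_file(path: str) -> tuple:
    """Convenience wrapper: (verdict, hits) for a file on disk."""
    with open(path, "rb") as fh:
        hits = scan_blob(fh.read())
    return verdict(hits), hits


# Constructed samples (not real malware bytes): one mimics the indicator
# cluster, the other is what an ordinary debug-aware program might contain.
SUSPECT = (
    b"\x00" * 8
    + b"x64dbg\x00OLLYDBG\x00The Interactive Disassembler\x00"
    + "sbiedll.dll".encode("utf-16-le") + b"\x00\x00"
    + b"snxhk.dll\x00vmcheck.dll\x00cmdvrt64.dll\x00wpespy.dll\x00api_log.dll\x00"
    + b"IsDebuggerPresent\x00"
)
BENIGN = b"kernel32.dll\x00dbghelp.dll\x00IsDebuggerPresent\x00"

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        h = scan_blob(blob)
        print(label, verdict(h), h)
```

Treat the result as a triage hint, not attribution: the same evasion routine appears in the BlackByte payload and in plenty of other malware, so a "high" verdict means "analyse this sample", not "this is Exbyte".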
This anti-analysis routine closely mirrors the one used by the BlackByte ransomware payload itself. Exbyte then enumerates document files on the infected computer (for example .txt, .doc and .pdf files) and writes each one's full path and file name to %APPDATA%\dummy. The listed files are then uploaded to a folder the malware creates on the cloud storage service.
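For incident responders, the %APPDATA%\dummy listing is the most useful artifact on the page: if it survives, it tells you exactly what the tool staged for upload, which is the question the victim will ask first. The script below is an added example, not code from the report or from the tool, that finds such listings under a collected or mounted Users directory and summarises them by extension and parent folder. Two things are assumptions rather than facts from the report: that the listing holds one path per line, and that it may be either UTF-8 or UTF-16 text (both are handled). %APPDATA% resolving to <user>\AppData\Roaming is standard Windows behaviour. The profile tree and listing in run_demo() are constructed for the demonstration.

```python
from collections import Counter
from pathlib import Path, PureWindowsPath
import tempfile

# Extensions the report names explicitly; extend for your environment.
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".pdf"}


def parse_listing(data: bytes) -> list:
    """Decode the staged file list into one path per entry.

    Assumption (not stated in the report): one path per line, stored as
    UTF-8 or UTF-16 text. A BOM or embedded NULs selects UTF-16.
    """
    if data[:2] in (b"\xff\xfe", b"\xfe\xff") or b"\x00" in data[:64]:
        text = data.decode("utf-16", errors="replace")
    else:
        text = data.decode("utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def summarize(paths: list) -> dict:
    """Scope what was staged: counts by extension and parent directory,
    plus anything outside the document extensions, which deserves a
    second look (a broader selection than the report describes)."""
    by_ext, by_dir, unexpected = Counter(), Counter(), []
    for raw in paths:
        p = PureWindowsPath(raw)          # paths are Windows-style even on a Linux host
        ext = p.suffix.lower()
        by_ext[ext] += 1
        by_dir[str(p.parent)] += 1
        if ext not in DOCUMENT_EXTENSIONS:
            unexpected.append(raw)
    return {
        "total": len(paths),
        "by_extension": dict(by_ext),
        "top_directories": by_dir.most_common(5),
        "unexpected": unexpected,
    }


def find_staging_lists(users_root: Path):
    """Yield (username, path) for every <user>\\AppData\\Roaming\\dummy
    below a Users directory; %APPDATA% maps to AppData\\Roaming."""
    for user_dir in sorted(p for p in users_root.iterdir() if p.is_dir()):
        candidate = user_dir / "AppData" / "Roaming" / "dummy"
        if candidate.is_file():
            yield user_dir.name, candidate


def triage(users_root: Path) -> dict:
    """Summary per affected profile."""
    return {user: summarize(parse_listing(path.read_bytes()))
            for user, path in find_staging_lists(users_root)}


# Constructed demo listing (not a real artifact).
DEMO_LISTING = "\r\n".join([
    r"C:\Users\alice\Documents\board-minutes.pdf",
    r"C:\Users\alice\Documents\contracts\msa.doc",
    r"C:\Users\alice\Documents\contracts\sow.pdf",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Downloads\setup.exe",
]) + "\r\n"


def run_demo() -> dict:
    """Build two profiles in a temp dir, stage a UTF-16 listing for one,
    and run the triage over them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Users"
        (root / "bob" / "AppData" / "Roaming").mkdir(parents=True)
        staging = root / "alice" / "AppData" / "Roaming"
        staging.mkdir(parents=True)
        (staging / "dummy").write_bytes(DEMO_LISTING.encode("utf-16"))
        return triage(root)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Run it against a mounted image or a triage collection that preserves the profile layout. The absence of the file proves little, since the tool may delete it or a later ransomware stage may have encrypted it, so pair this with the upload evidence (proxy or firewall logs for the storage service) when scoping exposure.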
The team also reported that in recent attacks BlackByte has exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange servers for initial access. Symantec has also observed the attackers using AdFind, AnyDesk, NetScan and PowerView before deploying the ransomware payload. Symantec’s Threat Hunter Team said:
« Following the departure of a number of major ransomware operations such as Conti and Sodinokibi, BlackByte has emerged as one of the ransomware actors to profit from this gap in the market. The fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats. »