BlackCat Ransomware Improves Data Exfiltration and Steals Veeam Passwords

While analyzing BlackCat / ALPHV ransomware attacks in August, Symantec researchers (now part of Broadcom) discovered a new, stealthier version of the Exmatter data exfiltration tool. They also observed an additional piece of malware, the Eamfo infostealer, which steals credentials stored by Veeam backup software.

The cross-platform BlackCat ransomware, which Symantec tracks as Noberus, is widely regarded as the successor to BlackMatter and DarkSide. Its operators continually update their tools, techniques and tactics to make their attacks more effective.

Exmatter lets the ransomware operators quietly exfiltrate data from the corporate network before encryption begins. The stolen data then doubles as leverage for extortion: the attackers threaten to publish it if the ransom for the decryption key is not paid.

The authors of the new Exmatter version trimmed the list of file extensions it searches for to 19 entries (.pdf, .doc, .docx, .xls, .xlsx, .png, .jpg, .jpeg, .txt, .bmp, .rdp, .txt, .sql, .msg, .pst, .zip, .rtf, .ipt, .dwg). Among the other changes, the analysts noted:

  • exfiltration over FTP, in addition to SFTP and WebDAV;
  • generation of a report listing all processed files;
  • corruption of files as they are processed (currently disabled);
  • self-deletion when not running in a corporate environment (i.e. on a host outside an Active Directory domain);
  • removal of SOCKS5 support;
  • deployment via Windows Group Policy.

The analysis also showed that the code had been largely rewritten: even the functions that were retained were reimplemented in a different way, apparently in the hope of slipping past detection tools.

At the end of August, a BlackCat attack that used Eamfo was recorded (the researchers attributed it to one of the RaaS affiliates). This infostealer has a narrow specialization: it steals only the credentials held in Veeam backups.

To do this, it connects to the SQL database used by the backup software and issues a crafted query. The retrieved credentials are handed to the operator already decrypted, ready to be used for privilege escalation and lateral movement across the network.
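A defender-side check for the behaviour described above, added here as an example rather than code from the original article, from Symantec or from Veeam: it triages SQL Server login-audit records and flags any access to the Veeam backup database that does not come from the expected service account, host and Veeam client application. The record format, database name, host names, account names and application names are all constructed assumptions.

```python
"""Triage SQL Server login-audit records: flag access to the Veeam backup
configuration database by anything other than the backup service itself.
Constructed example; DB, account, host and app names are assumptions."""
from dataclasses import dataclass

# Assumed allowlist: the backup server and service account that legitimately
# talk to the Veeam database. Anything else touching it deserves a look.
VEEAM_DB = "VeeamBackup"             # assumed database name
ALLOWED_HOSTS = {"VBR01"}            # assumed backup server hostname
ALLOWED_LOGINS = {"CORP\\svc_veeam"} # assumed service account
ALLOWED_APP_PREFIX = "Veeam"         # assumed client application-name prefix

@dataclass(frozen=True)
class LoginEvent:
    when: str
    login: str
    host: str
    app: str
    database: str

def parse_line(line: str) -> LoginEvent:
    # Constructed pipe-delimited export: time|login|host|application|database
    when, login, host, app, db = [f.strip() for f in line.split("|", 4)]
    return LoginEvent(when, login, host, app, db)

def is_suspicious(ev: LoginEvent) -> bool:
    """Veeam DB access that is not the expected account+host+client."""
    if ev.database.lower() != VEEAM_DB.lower():
        return False
    expected = (ev.host.upper() in ALLOWED_HOSTS
                and ev.login in ALLOWED_LOGINS
                and ev.app.startswith(ALLOWED_APP_PREFIX))
    return not expected

def flag_events(lines):
    return [ev for ev in map(parse_line, lines) if is_suspicious(ev)]

# Constructed sample audit export (five records).
SAMPLE_LOG = """\
2022-08-29 10:00:01|CORP\\svc_veeam|VBR01|Veeam.Backup.Service|VeeamBackup
2022-08-29 10:03:12|CORP\\jdoe|WS-FIN-07|.Net SqlClient Data Provider|VeeamBackup
2022-08-29 10:04:40|CORP\\svc_veeam|VBR01|Veeam.Backup.Manager|VeeamBackup
2022-08-29 10:05:55|CORP\\svc_veeam|VBR01|.Net SqlClient Data Provider|VeeamBackup
2022-08-29 10:07:00|CORP\\jdoe|WS-FIN-07|.Net SqlClient Data Provider|HRApp
""".splitlines()

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOG):
        print(f"{ev.when} {ev.login}@{ev.host} via {ev.app} -> {ev.database}")
```

On the sample, the workstation login and the service account using a generic SQL client are flagged, while the two regular Veeam service connections and the unrelated database are not.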

According to the researchers, Eamfo has been in circulation since at least August of last year and has also been seen in attacks by other ransomware groups, including Yanluowang and LockBit.

In the same BlackCat attack, the operators also used GMER, a rootkit scanner, to forcibly terminate unwanted processes on compromised systems.
