Symantec’s Threat Hunter Team has discovered that at least one affiliate of the BlackByte ransomware (Ransom.Blackbyte) operation has begun using a custom data exfiltration tool during their attacks. The malware (Infostealer.Exbyte) is designed to expedite the theft of data from the victim’s network and upload it to an external server.

BlackByte is a ransomware-as-a-service operation that is run by a cyber-crime group Symantec calls Hecamede. The group sprang to public attention in February 2022 when the U.S. Federal Bureau of Investigation (FBI) issued an alert stating that BlackByte had been used to attack multiple entities in the U.S., including organizations in at least three critical infrastructure sectors. In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks.

The Exbyte exfiltration tool is written in Go and designed to upload stolen files to the Mega.nz cloud storage service.

On execution, Exbyte performs a series of checks for indicators that it may be running in a sandboxed environment. This is intended to make it more difficult for security researchers to analyze the malware. To do this, it calls the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs. It then checks whether processes belonging to a set of specified applications are running, and then looks for a set of anti-virus and sandbox-related files. This routine of checks is quite similar to the routine employed by the BlackByte payload itself, as documented recently by Sophos.

Next, Exbyte enumerates all document files on the infected computer, such as .pdf files, and saves the full path and file name to %APPDATA%\dummy. The files listed are then uploaded to a folder the malware creates on Mega.nz. Credentials for the Mega account used are hardcoded into Exbyte.

Exbyte is not the first custom-developed data exfiltration tool to be linked to a ransomware operation. In November 2021, Symantec discovered Exmatter, an exfiltration tool that was used by the BlackMatter ransomware operation and has since been used in Noberus attacks. Other examples include the Ryuk Stealer tool and StealBit, which is linked to the LockBit ransomware.
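The staging-then-upload sequence described above (a file list written to %APPDATA%\dummy, followed by a connection to Mega) lends itself to a simple host-level correlation. The following is an added detection example, not Symantec's code and not taken from the Exbyte sample: it reads constructed Sysmon-style events (the pipe-separated line format, field names, process images, timestamps and the 15-minute window are all assumptions) and flags any process that writes the staging file and then connects to a Mega host within that window.

```python
"""Detection example (added here; not Symantec's code or Exbyte's).

Correlates constructed Sysmon-style events to flag the Exbyte pattern:
a process writes %APPDATA%\\dummy and then connects to Mega.
Line format 'ts|type|pid|image|detail' and all sample values are assumptions.
"""
from datetime import datetime, timedelta

MEGA_DOMAINS = ("mega.nz", "mega.co.nz")      # Mega service domains (assumed for matching)
STAGING_FILE = r"\appdata\roaming\dummy"      # %APPDATA%\dummy, as reported for Exbyte
WINDOW = timedelta(minutes=15)                # assumed correlation window


def parse_event(line):
    """Parse one constructed log line into a dict."""
    ts, etype, pid, image, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "type": etype,
            "pid": int(pid), "image": image, "detail": detail}


def is_staging_write(ev):
    """True for a FileCreate of the %APPDATA%\\dummy staging file."""
    return ev["type"] == "FileCreate" and ev["detail"].lower().endswith(STAGING_FILE)


def is_mega_connect(ev):
    """True for a NetworkConnect whose host is a Mega domain or a subdomain of one."""
    if ev["type"] != "NetworkConnect":
        return False
    host = ev["detail"].rsplit(":", 1)[0].lower()
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def find_exbyte_pattern(lines, window=WINDOW):
    """Return hits where one PID wrote the staging file and then reached Mega within `window`.

    Events are sorted by timestamp first, so out-of-order delivery does not
    hide the sequence; a Mega connection before the staging write, from a
    different PID, or outside the window is not reported.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    staged = {}  # pid -> most recent staging-write event
    hits = []
    for ev in events:
        if is_staging_write(ev):
            staged[ev["pid"]] = ev
        elif is_mega_connect(ev):
            s = staged.get(ev["pid"])
            if s is not None and ev["ts"] - s["ts"] <= window:
                hits.append({"pid": ev["pid"], "image": ev["image"],
                             "staging_file": s["detail"], "destination": ev["detail"]})
    return hits


# Constructed sample log (not real telemetry). PID 4120 shows the pattern with
# its two events delivered out of order; 2210 is benign; 5005 wrote the file
# but its Mega connection is hours later, outside the window.
SAMPLE_LOG = r"""
2022-10-21T10:00:09|NetworkConnect|4120|C:\Users\alice\AppData\Roaming\upd.exe|g.api.mega.co.nz:443
2022-10-21T10:00:01|FileCreate|4120|C:\Users\alice\AppData\Roaming\upd.exe|C:\Users\alice\AppData\Roaming\dummy
2022-10-21T09:58:40|FileCreate|2210|C:\Program Files\Editor\editor.exe|C:\Users\alice\Documents\notes.pdf
2022-10-21T10:02:30|NetworkConnect|2210|C:\Program Files\Editor\editor.exe|updates.example.net:443
2022-10-21T08:00:00|FileCreate|5005|C:\Windows\System32\svchost.exe|C:\Users\bob\AppData\Roaming\dummy
2022-10-21T10:30:00|NetworkConnect|5005|C:\Windows\System32\svchost.exe|mega.nz:443
"""

if __name__ == "__main__":
    for hit in find_exbyte_pattern(SAMPLE_LOG.splitlines()):
        print(f"ALERT pid={hit['pid']} image={hit['image']} "
              f"staged={hit['staging_file']} dest={hit['destination']}")
```

Keying the correlation on the process ID keeps a legitimate Mega client on the same host from tripping the rule just because some other process touched a file named dummy; in production telemetry the same join would use the process GUID rather than the reusable PID, and the window would be tuned to the environment.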