A BlackByte ransomware affiliate is using a new custom data stealing tool called ‘ExByte’ to steal data from compromised Windows devices quickly.
Data exfiltration is believed to be one of the most important functions in double-extortion attacks, with BleepingComputer told that companies are more commonly paying ransom demands to prevent the leak of data than to receive a decryptor.
Due to this, ransomware operations, including ALPHV and LockBit, are constantly working on improving their data theft tools.
At the same time, other threat actors, like Karakurt, don’t even bother to encrypt local copies, solely focusing on data exfiltration.
The Exbyte data exfiltration tool
Exbyte was discovered by security researchers at Symantec, who say that the threat actors use the Go-based exfiltration tool to upload stolen files directly to the Mega cloud storage service.
Upon execution, the tool performs anti-analysis checks to determine if it’s running on a sandboxed environment and checks for debuggers and anti-virus processes.
The processes Exbyte checks are:
MegaDumper 1.0 by CodeCracker / SnD
Import reconstructor
x64dbg
x32dbg
OLLYDBG
WinDbg
The Interactive Disassembler
Immunity Debugger – [CPU]
Also, the malware checks for the presence of the following DLL files:
avghooka.dll
avghookx.dll
sxin.dll
sf2.dll
sbiedll.dll
snxhk.dll
cmdvrt32.dll
cmdvrt64.dll
wpespy.dll
vmcheck.dll
pstorec.dll
dir_watch.dll
api_log.dll
dbghelp.dll
The BlackByte ransomware binary also implements these same tests, but the exfiltration tool needs to run them independently since data exfiltration takes place before file encryption.
If the tests are clean, Exbyte enumerates all document files on the breached system and uploads them to a newly-created folder on Mega using hardcoded account credentials.
“Next, Exbyte enumerates all document files on the infected computer, such as .txt, .doc, and .pdf files, and saves the full path and file name to %APPDATA%\dummy,” explains the report by Symantec.
“The files listed are then uploaded to a folder the malware creates on Mega.co.nz. Credentials for the Mega account used are hardcoded into Exbyte.”
Symantec analysts report that recent BlackByte attacks rely on exploiting last year’s ProxyShell and ProxyLogon flaw sets in Microsoft Exchange servers.
Moreover, the intruders use tools such as AdFind, AnyDesk, NetScan, and PowerView to move laterally.
Recent attacks employ version 2.0 of the ransomware, removing Kernel Notify Routines to bypass EDR protections, as Sophos analyzed in an October report.
Like other ransomware operations, BlackByte deletes volume shadow copies to prevent easy data restoration, modifies firewall settings to open up all remote connections, and eventually injects itself in a “scvhost.exe” instance for the encryption phase.
According to an Intel 471 report published yesterday, in Q3 2022, BlackByte targeted primarily organizations in Africa, likely to avoid provoking Western law enforcement.