
BlackByte ransomware affiliate observed using new custom data exfiltration tool

Photo: A team participates in a cyber exercise. Symantec researchers observed at least one BlackByte ransomware affiliate using a custom exfiltration tool to steal data. (U.S. Coast Guard)

At least one BlackByte ransomware affiliate has adopted a new custom exfiltration tool to quickly steal data from compromised devices, according to new research from Symantec Threat Hunter Team.

BlackByte has grown in prominence in recent months, following the shutdown of several major ransomware operations such as Conti and Sodinokibi (REvil).

Dick O’Brien, principal intelligence analyst at Symantec, warned that the development of new custom tooling for use in BlackByte attacks could make the operation a more serious threat going forward.

“If BlackByte maintains its current rate of activity for the next few months, it will have established itself as one of the top ransomware threats,” O’Brien told SC Media.

According to researchers, the new exfiltration tool, Exbyte, is written in Go and designed to upload stolen data to the Mega.co.nz cloud storage service.

It is more sophisticated in its anti-detection measures than previous exfiltration tools. On execution, Exbyte performs anti-analysis checks to determine whether it is running under a debugger or in a sandboxed environment: it calls the Windows IsDebuggerPresent and CheckRemoteDebuggerPresent APIs, then checks for files associated with anti-virus or sandbox products.

If those checks pass, Exbyte enumerates document files on the compromised device and uploads them to a newly created folder on Mega, authenticating with account credentials hardcoded into the tool.
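Because Exbyte, Exmatter and StealBit all push stolen files to an external service, outbound volume to that service is the most practical network signal to hunt for. The script below is an added example written for this article, not code from Symantec or from the tool itself: it sums bytes sent to Mega domains per source host over a window of proxy log lines and flags hosts above a threshold. The log format, the hostnames, the byte counts and the 50 MiB threshold are all constructed for the example.

```python
"""Hunt for bulk uploads to Mega in proxy logs (constructed sample data)."""
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical proxy format:
# <timestamp> <src_host> <dst_host> <bytes_out> <bytes_in>
SAMPLE_LOG = """\
2022-10-21T02:14:03Z ws-fin-07 gfs270n123.userstorage.mega.co.nz 83886080 1024
2022-10-21T02:14:09Z ws-fin-07 gfs270n124.userstorage.mega.co.nz 94371840 1024
2022-10-21T02:15:11Z ws-fin-07 mega.nz 2048 16384
2022-10-21T02:20:45Z ws-hr-12 www.microsoft.com 512 204800
2022-10-21T02:21:02Z ws-eng-03 mega.nz 4096 65536
2022-10-21T02:22:30Z ws-eng-03 mega.nz 1048576 8192
"""

# Mega's web and storage hosts fall under these two domains.
MEGA_DOMAINS = ("mega.nz", "mega.co.nz")
# Per-host bytes sent to Mega that triggers an alert. Assumed value; tune to the environment.
UPLOAD_THRESHOLD = 50 * 1024 * 1024

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<out>\d+) (?P<in>\d+)$")


def is_mega_host(hostname):
    """True for a Mega domain or any subdomain of one (not for look-alikes such as notmega.nz)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in MEGA_DOMAINS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "out": int(m["out"]), "in": int(m["in"])}


def mega_upload_totals(log_text):
    """Aggregate bytes sent to Mega per source host, with connection count and time span."""
    totals = defaultdict(lambda: {"bytes_out": 0, "connections": 0, "first": None, "last": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_mega_host(rec["dst"]):
            continue
        t = totals[rec["src"]]
        t["bytes_out"] += rec["out"]
        t["connections"] += 1
        t["first"] = t["first"] or rec["ts"]
        t["last"] = rec["ts"]
    return dict(totals)


def find_bulk_uploaders(log_text, threshold=UPLOAD_THRESHOLD):
    """Return (host, bytes_out, connections) for hosts at or above the upload threshold."""
    return [(host, t["bytes_out"], t["connections"])
            for host, t in sorted(mega_upload_totals(log_text).items())
            if t["bytes_out"] >= threshold]


if __name__ == "__main__":
    for host, sent, conns in find_bulk_uploaders(SAMPLE_LOG):
        print(f"ALERT {host}: {sent / 1048576:.1f} MiB sent to Mega over {conns} connections")
```

Two caveats for real deployments: the destination field must carry a hostname (from the proxy's CONNECT request or TLS SNI), since a TLS flow logged only by IP will not match the domain check, and Mega encrypts uploads client-side, so byte volume and destination are the only signals the proxy can see; the content is not inspectable.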

Exbyte is not the first custom data exfiltration tool associated with a ransomware family. It was preceded by Exmatter, a tool used by the BlackMatter ransomware operation, and StealBit, which has been linked to LockBit ransomware.

O’Brien told SC Media that companies should layer multiple detection and hardening technologies to reduce risk at each stage of the potential attack chain.

For instance, O’Brien suggested that companies monitor the use of dual-use tools inside their networks and ensure they are running the latest version of PowerShell. Companies can also introduce one-time credentials for administrative work to prevent the theft and reuse of admin credentials.

“We also suggest creating profiles of usage for admin tools. Many of these tools are used by attackers to move laterally undetected through a network,” O’Brien added.
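One way to turn the "profile of usage" idea above into a concrete check, as an added example written for this article rather than Symantec's own detection logic: build a baseline of which user ran which admin tool on which host during a known-good period, then flag any admin-tool execution in the current window that does not match a baseline combination. The event format, the list of dual-use tools, and the users, hosts and paths are all constructed for the example; the tool list in particular is an assumption and should be replaced with the tools actually used for administration in a given environment.

```python
"""Profile admin-tool usage and flag new (user, host, tool) combinations (constructed data)."""
import re

# Dual-use tools to profile. Assumed list for the example; adjust to the environment.
ADMIN_TOOLS = {"psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe", "pwsh.exe",
               "net.exe", "ntdsutil.exe", "winrs.exe", "rclone.exe"}

# Constructed process-creation events in a hypothetical flattened format:
# <timestamp> host=<host> user=<domain\user> image=<full path>
BASELINE_EVENTS = r"""
2022-10-01T09:00:00Z host=ws-it-01 user=CORP\admin.jsmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2022-10-02T10:12:00Z host=ws-it-01 user=CORP\admin.jsmith image=C:\Tools\PsExec64.exe
2022-10-03T11:30:00Z host=srv-db-02 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe
2022-10-04T14:05:00Z host=ws-it-02 user=CORP\admin.alee image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

RECENT_EVENTS = r"""
2022-10-21T01:58:00Z host=ws-it-01 user=CORP\admin.jsmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2022-10-21T02:03:00Z host=ws-fin-07 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2022-10-21T02:05:00Z host=ws-fin-07 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\PsExec.exe
2022-10-21T02:10:00Z host=srv-db-02 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe
2022-10-21T02:12:00Z host=ws-fin-07 user=CORP\jdoe image=C:\Windows\System32\notepad.exe
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


def parse_event(line):
    """Parse one event line; the tool name is the lower-cased basename of the image path."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    image = m["image"].strip()
    return {"ts": m["ts"], "host": m["host"], "user": m["user"],
            "image": image, "tool": image.rsplit("\\", 1)[-1].lower()}


def build_profile(events_text):
    """Set of (user, host, tool) combinations seen for admin tools in the baseline period."""
    profile = set()
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev and ev["tool"] in ADMIN_TOOLS:
            profile.add((ev["user"], ev["host"], ev["tool"]))
    return profile


def flag_new_admin_usage(profile, events_text):
    """Return (ts, host, user, tool) for admin-tool executions not present in the profile."""
    alerts = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["tool"] not in ADMIN_TOOLS:
            continue
        if (ev["user"], ev["host"], ev["tool"]) not in profile:
            alerts.append((ev["ts"], ev["host"], ev["user"], ev["tool"]))
    return alerts


if __name__ == "__main__":
    baseline = build_profile(BASELINE_EVENTS)
    for ts, host, user, tool in flag_new_admin_usage(baseline, RECENT_EVENTS):
        print(f"ALERT {ts}: {user} ran {tool} on {host} (not in baseline profile)")
```

Matching on the basename alone is deliberate so that a renamed directory does not evade the check, but it also means a copy of PsExec dropped under a user's Temp folder is caught only because the (user, host, tool) combination is new; a stricter version would also compare the image path against the locations where each tool is expected to live.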

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
