At least one BlackByte ransomware affiliate has adopted a new custom exfiltration tool to quickly steal data from compromised devices, according to new research from Symantec Threat Hunter Team.
BlackByte has gained popularity in ransomware attacks in recent months following the exit of several primary ransomware operations, such as Conti and Sodinokibi.
Dick O’Brien, principal intelligence analyst at Symantec, warned that the creation of new custom malware tools for use in BlackByte attacks could elevate threat actors moving forward.
“If BlackByte maintains its current rate of activity for the next few months, it will have established itself as one of the top ransomware threats,” O’Brien told SC Media.
According to researchers, the new exfiltration tool, Exbyte, is written in Go and designed to upload stolen data to the Mega.co.nz cloud storage service.
It is more sophisticated in anti-detection measures than previous exfiltration tools. On execution, Exbyte performs anti-analysis checks to determine if it is running in a sandboxed environment by calling the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs. It then checks anti-virus or sandbox-related files.
If the tests are clean, Exbyte enumerates document files on compromised devices and uploads them to a newly created folder on Mega with hardcoded account credentials.
Exbyte is not the first custom data exfiltration tool associated with ransomware families. Previously, there were Exmatter, a tool used by BlackMatter ransomware operation, and StealBit, which has been linked to LockBit ransomware.
O’Brien told SC Media that companies should apply multiple detections and hardening technologies to mitigate risk at each point of the potential attack chain.
For instance, O’Brien suggested that companies should monitor the use of dual-use tools inside their networks and ensure they have the latest version of PowerShell. Companies can also introduce one-time credentials for administrative work to prevent theft and misuse of admin credentials.
“We also suggest creating profiles of usage for admin tools. Many of these tools are used by attackers to move laterally undetected through a network,” O’Brien added.
