
A BlackByte ransomware affiliate is using a new custom data-stealing tool called 'ExByte' to quickly steal data from compromised Windows devices.

Data exfiltration is believed to be one of the most important functions in double-extortion attacks; BleepingComputer has been told that companies now more commonly pay ransom demands to prevent the leak of stolen data than to receive a decryptor.

Due to this, ransomware operations, including ALPHV and LockBit, are constantly working on improving their data theft tools.

At the same time, other threat actors, like Karakurt, don't even bother to encrypt local copies, solely focusing on data exfiltration.

The Exbyte data exfiltration tool

Exbyte was discovered by security researchers at Symantec, who say that the threat actors use the Go-based exfiltration tool to upload stolen files directly to the Mega cloud storage service.

Upon execution, the tool performs anti-analysis checks to determine whether it is running in a sandboxed environment and looks for debugger and anti-virus processes.

The processes Exbyte checks are:

  • MegaDumper 1.0 by CodeCracker / SnD
  • Import reconstructor
  • x64dbg
  • x32dbg
  • OLLYDBG
  • WinDbg
  • The Interactive Disassembler
  • Immunity Debugger – [CPU]

Also, the malware checks for the presence of the following DLL files:

  • avghooka.dll
  • avghookx.dll
  • sxin.dll
  • sf2.dll
  • sbiedll.dll
  • snxhk.dll
  • cmdvrt32.dll
  • cmdvrt64.dll
  • wpespy.dll
  • vmcheck.dll
  • pstorec.dll
  • dir_watch.dll
  • api_log.dll
  • dbghelp.dll

The BlackByte ransomware binary also implements these same tests, but the exfiltration tool needs to run them independently since data exfiltration takes place before file encryption.

If the tests are clean, Exbyte enumerates all document files on the breached system and uploads them to a newly created folder on Mega using hardcoded account credentials.

"Next, Exbyte enumerates all document files on the infected computer, such as .txt, .doc, and .pdf files, and saves the full path and file name to %APPDATA%\dummy," explains the report by Symantec.

"The files listed are then uploaded to a folder the malware creates on Mega.co.nz. Credentials for the Mega account used are hardcoded into Exbyte."
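The two-step behaviour described above (a process writing the %APPDATA%\dummy listing file and then contacting Mega) can be turned into a simple host-telemetry correlation. The following is an added example, not code from Symantec or from the malware; the event layout is an assumption modelled on Sysmon FileCreate (event 11) and DnsQuery (event 22), and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Upload target named in the report (mega.co.nz) plus the current mega.nz domain;
# suffix-matched so that API subdomains such as g.api.mega.co.nz also count.
MEGA_DOMAINS = ("mega.co.nz", "mega.nz")
# Listing file named in the report: %APPDATA%\dummy (APPDATA normally expands
# to <profile>\AppData\Roaming on Windows).
STAGING_RE = re.compile(r"\\AppData\\Roaming\\dummy$", re.IGNORECASE)

def is_mega_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)

def correlate(events, window=timedelta(minutes=30)):
    """Return one alert per process that first wrote the %APPDATA%\\dummy listing
    and then resolved a Mega hostname within `window`. Event ids follow Sysmon
    conventions (assumed): 11 = FileCreate, 22 = DnsQuery."""
    staged = {}   # process guid -> (time, path) of its first staging write
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t, guid = datetime.fromisoformat(ev["time"]), ev["guid"]
        if ev["id"] == 11 and STAGING_RE.search(ev["detail"]):
            staged.setdefault(guid, (t, ev["detail"]))   # keep the earliest write
        elif ev["id"] == 22 and is_mega_host(ev["detail"]) and guid in staged:
            t0, path = staged[guid]
            if t - t0 <= window:   # Mega contact must follow the listing write
                alerts.append({"guid": guid, "image": ev["image"], "staging": path, "host": ev["detail"]})
                del staged[guid]   # one alert per process
    return alerts

# Constructed sample telemetry (not real events); only {A} shows the full pattern.
SAMPLE_EVENTS = [
    {"time": "2022-10-21T09:00:01", "id": 11, "guid": "{A}", "image": "C:\\Windows\\Temp\\svc.exe", "detail": "C:\\Users\\alice\\AppData\\Roaming\\dummy"},
    {"time": "2022-10-21T09:00:05", "id": 22, "guid": "{A}", "image": "C:\\Windows\\Temp\\svc.exe", "detail": "g.api.mega.co.nz"},
    # legitimate Mega client: talks to Mega but never writes the listing file
    {"time": "2022-10-21T09:01:00", "id": 22, "guid": "{B}", "image": "C:\\Program Files\\MEGAsync\\MEGAsync.exe", "detail": "g.api.mega.co.nz"},
    # listing write with no Mega contact afterwards
    {"time": "2022-10-21T09:02:00", "id": 11, "guid": "{C}", "image": "C:\\Users\\alice\\tool.exe", "detail": "C:\\Users\\alice\\AppData\\Roaming\\dummy"},
    # Mega contact before the listing write: wrong order, no alert
    {"time": "2022-10-21T09:03:00", "id": 22, "guid": "{D}", "image": "C:\\Users\\alice\\x.exe", "detail": "mega.nz"},
    {"time": "2022-10-21T09:03:30", "id": 11, "guid": "{D}", "image": "C:\\Users\\alice\\x.exe", "detail": "C:\\Users\\alice\\AppData\\Roaming\\dummy"},
]

def run_sample():
    return correlate(SAMPLE_EVENTS)
```

Feeding real Sysmon exports requires mapping TargetFilename and QueryName into the `detail` field and ProcessGuid into `guid`; a legitimate Mega client alone does not trigger the rule because it never writes the listing file.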

BlackByte is still going strong

BlackByte launched operations in the summer of 2021, and by February 2022, the gang had breached many private and public organizations, including critical infrastructure in the United States.

Symantec analysts report that recent BlackByte attacks rely on exploiting last year's ProxyShell and ProxyLogon flaw sets in Microsoft Exchange servers.

Moreover, the intruders use tools such as AdFind, AnyDesk, NetScan, and PowerView to move laterally.

Recent attacks employ version 2.0 of the ransomware, removing Kernel Notify Routines to bypass EDR protections, as Sophos analyzed in an October report.

Like other ransomware operations, BlackByte deletes volume shadow copies to prevent easy data restoration, modifies firewall settings to open up all remote connections, and eventually injects itself in a "scvhost.exe" instance for the encryption phase.

Figure: BlackByte's commands to configure the firewall on the host (Symantec)

According to an Intel 471 report published yesterday, in Q3 2022, BlackByte targeted primarily organizations in Africa, likely to avoid provoking Western law enforcement.
