Hackers frequently add new custom tools to accelerate and enhance their capabilities for successful campaigns. This time, BlackByte attackers were spotted with a new exfiltration tool named Exbyte (Infostealer.Exbyte) in their recent operations, mostly abusing ProxyShell flaws.
BlackByte’s Exbyte
With Exbyte, BlackByte operators can launch stronger double-extortion attacks.
According to Symantec, Hecamede, the group behind the BlackByte RaaS operation, has designed the malware to expedite the theft of data from the victim’s network and upload it to an external server.
At least one affiliate of the ransomware (Ransom.BlackByte) is actively using Exbyte during its attacks.
Exbyte capabilities
Exbyte is a Go-based exfiltration tool that uploads stolen files directly to the Mega cloud storage service.
Upon execution, it performs anti-analysis checks as well as checks for debuggers and antivirus processes to evade detection.
Once the checks are passed, Exbyte enumerates all document files on the infected computer. Subsequently, it saves the file paths and uploads these files to a folder the malware creates on Mega.co.nz using hardcoded account credentials.
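The behaviour described above (bulk upload of document files to Mega using a hard-coded account) leaves a network footprint that defenders can hunt for: a single host and process pushing an unusual volume of POST/PUT traffic to Mega endpoints. The script below is an added example written for this article, not code from Symantec or from the Exbyte sample. It runs over constructed proxy log lines (pipe-delimited: timestamp, host, process, method, destination, bytes sent); the field layout, the process allowlist, the thresholds and the Mega subdomain in the sample are all assumptions to adapt to your own telemetry.

```python
"""Flag hosts whose egress to Mega cloud-storage endpoints looks like bulk
upload, the pattern attributed to Exbyte in this article.

Added example, not part of the original article. Sample log lines are
constructed; field order and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# mega.co.nz is named in the article; mega.nz is the service's other domain.
MEGA_DOMAINS = ("mega.co.nz", "mega.nz")
# Processes for which a user-driven Mega upload is plausible (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
BYTES_THRESHOLD = 50 * 1024 * 1024   # 50 MiB per host/process (assumed)
UPLOAD_COUNT_THRESHOLD = 20          # POST/PUT requests per host/process (assumed)


@dataclass
class Finding:
    host: str
    process: str
    uploads: int
    bytes_out: int
    reasons: list


def is_mega_host(dest: str) -> bool:
    """Suffix match so api.mega.co.nz etc. are covered but notmega.nz is not."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in MEGA_DOMAINS)


def parse_line(line: str):
    """Parse one constructed log line: ts|host|process|method|dest|bytes_out."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    ts, host, proc, method, dest, nbytes = parts
    try:
        return {"ts": ts, "host": host, "process": proc.lower(),
                "method": method.upper(), "dest": dest, "bytes": int(nbytes)}
    except ValueError:
        return None


def find_mega_uploads(log_text: str) -> list:
    """Aggregate upload requests to Mega per (host, process) and flag outliers."""
    stats = defaultdict(lambda: {"uploads": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_mega_host(rec["dest"]):
            continue
        if rec["method"] not in ("POST", "PUT"):
            continue                     # downloads/API polling are not uploads
        key = (rec["host"], rec["process"])
        stats[key]["uploads"] += 1
        stats[key]["bytes"] += rec["bytes"]

    findings = []
    for (host, proc), s in sorted(stats.items()):
        reasons = []
        if proc not in BROWSERS:
            reasons.append("upload to Mega from non-browser process")
        if s["bytes"] >= BYTES_THRESHOLD:
            reasons.append(f"{s['bytes']} bytes sent exceeds threshold")
        if s["uploads"] >= UPLOAD_COUNT_THRESHOLD:
            reasons.append(f"{s['uploads']} upload requests exceeds threshold")
        if reasons:
            findings.append(Finding(host, proc, s["uploads"], s["bytes"], reasons))
    return findings


def _constructed_log() -> str:
    """Constructed sample: one benign browser upload, one unrelated large
    mail upload, and a non-browser process pushing 25 x 4 MiB objects to Mega."""
    lines = [
        "2022-10-21T09:00:01Z|WS-042|chrome.exe|GET|www.example.com|812",
        "2022-10-21T09:00:05Z|WS-042|chrome.exe|POST|mega.nz|2048",
        "2022-10-21T09:01:00Z|WS-310|outlook.exe|POST|mail.example.com|9000000",
    ]
    for i in range(25):   # subdomain is a constructed sample value
        lines.append(f"2022-10-21T09:02:{i:02d}Z|WS-117|updater.exe|POST|"
                     f"eu.mega.co.nz|{4 * 1024 * 1024}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for f in find_mega_uploads(SAMPLE_LOG):
        print(f"{f.host} {f.process}: {f.uploads} uploads, {f.bytes_out} bytes")
        for r in f.reasons:
            print("  -", r)
```

On the constructed sample only WS-117 is reported: the browser upload of 2 KB from WS-042 stays below both thresholds, while the non-browser process trips all three conditions. A finding is a triage lead, not a verdict; a legitimate Mega client will also show up, which is why the process name is recorded alongside the volume.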
BlackByte in recent news
According to an Intel 471 report, in Q3 2022 BlackByte primarily targeted organizations in Africa, probably to avoid attracting the attention of Western law enforcement agencies.
In recent attacks, BlackByte operators employed version 2.0 of the ransomware, abusing a BYOVD (bring your own vulnerable driver) vulnerability in legitimate drivers to disable security products.
Wrapping up
With new custom tools, distribution techniques, and anti-detection tactics, BlackByte is setting a new standard for itself in the ransomware world. Organizations should keep up with security patches, such as those for the ProxyShell vulnerabilities, and deploy appropriate security frameworks to solidify their defenses against ransomware.