The BlackCat ransomware (aka ALPHV) isn’t showing any signs of slowing down, and the latest example of its evolution is a new version of the gang’s data exfiltration tool used for double-extortion attacks.
BlackCat is considered a successor to Darkside and BlackMatter and is one of the most sophisticated and technically advanced Ransomware-as-a-service (RaaS) operations.
Security researchers at Symantec, who track BlackCat as “Noberus”, report that the developer of the first Rust-based ransomware strain continually improves and enriches the malware with new features.
Lately, the focus appears to have been on the tool used for exfiltrating data from compromised systems, an essential requirement for conducting double extortion attacks.
Named “Exmatter,” the tool was used since BlackCat’s launch in November 2021 and was heavily updated in August 2022, featuring the following changes:
Limit type of files to exfiltrate to: PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG.
Add FTP as an exfiltration option in addition to SFTP and WebDav.
Offer option to build a report listing all processed files
Add “Eraser” feature giving the option to corrupt processed files
Add “Self-destruct” configuration option to quit and delete itself if executed in non-valid environments.
Remove support for Socks5
Add option for GPO deployment
In addition to the expanded capabilities, the latest Exmatter version has gone through heavy code refactoring implementing existing features more stealthily to evade detection.
Another recent addition to BlackCat’s info-stealing capacity is the deployment of a new malware called “Eamfo,” which explicitly targets credentials stored in Veeam backups.
This software is typically used for storing credentials to domain controllers and cloud services so that the ransomware actors can use them for deeper infiltration and lateral movement.
Eamfo connects to the Veeam SQL database and steals the backup credentials with the following SQL query:
select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]
Once the credentials are extracted, Eamfo decrypts them and displays them to the threat actor.
The researchers note that the info-stealing malware has been used by other ransomware gangs in the past, including Monti, Yanluowang, and LockBit.
Finally, Symantec has noticed that the BlackCat operation has been seen using an older anti-rootkit utility called to terminate antivirus processes.
Staying at the top
In June 2022, BlackCat introduced support for encrypting files on ARM architectures and a mode to encrypt in Windows safe mode with or without networking.
At that time, the gang also created a dedicated online resource where people could search for their stolen data to increase the pressure on breached firms.
It’s evident that BlackCat constantly evolves with new tools, improvements, and extortion strategies to make the RaaS operation more effective and efficient.
Symantec reports that BlackCat’s operators expel affiliates who aren’t as prolific as they would like, suggesting they seek collaboration with lower-tier RaaS programs.
Researchers have also seen ex-Conti affiliates moving to BlackCat/ALPHV after the Conti ransomware gang shut down their operation.
This shutdown has led to an influx of experienced attackers who were quickly able to launch new attacks under the new operation.
