Exbyte exfiltration kit aids the BlackByte gang in campaigns

November 5, 2022

The BlackByte threat group has added a new custom tool called Exbyte to accelerate and enhance its extortion tactics. According to reports, researchers discovered the tool in a recent campaign run by the cybercriminal group.

According to the researchers, the Exbyte exfiltration kit abuses ProxyShell vulnerabilities in its attacks. Analysts spotted it after noticing a new entity in a recent sample, coded as Infostealer[.]Exbyte.

The alarming part of this new tool is that it allows the BlackByte operators to run a more efficient and robust double-extortion campaign against their targets. The group behind BlackByte's Ransomware-as-a-Service operation developed the malware to speed up data theft from a targeted network, which in turn lets the threat actors upload the stolen information to their external server more quickly.

A separate researcher noted that at least one BlackByte ransomware affiliate is already using Exbyte in its ongoing attacks.

The Exbyte tool offers its users several capabilities.

According to an analysis, the Exbyte exfiltration tool is written in Go and uploads stolen files directly to the Mega cloud storage provider. Once executed on the targeted device, it also runs anti-analysis checks for debuggers and antivirus processes in order to evade security detection.

Once those checks pass, the tool identifies all archives and files on the compromised device. Exbyte saves the file paths and uploads the stolen data to a folder that the malware creates on Mega[.]co[.]nz.

The tool logs in to the threat actors' account at this cloud storage provider using hardcoded account credentials.
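As an added, defender-side example (not from the report or the researchers), the following Python script sums outbound POST/PUT bytes sent to Mega domains in constructed proxy log lines and flags source hosts that exceed a threshold; the log format, hostnames and threshold are assumptions.

```python
import re
from collections import defaultdict

# Domains used by the Mega cloud storage provider (assumption: mega.nz is
# included alongside the mega.co.nz domain named in the report).
MEGA_DOMAINS = ("mega.co.nz", "mega.nz")

# Constructed proxy log lines: "<timestamp> <src_ip> <dest_host> <method> <bytes_out>".
# Hostnames are made up for illustration, not real Mega infrastructure.
SAMPLE_LOG = """
2022-11-01T09:12:03Z 10.0.0.15 api.mega.co.nz POST 42000000
2022-11-01T09:12:40Z 10.0.0.15 upload.mega.co.nz POST 31000000
2022-11-01T09:14:11Z 10.0.0.22 www.example.com GET 512
2022-11-01T09:15:02Z 10.0.0.22 mega.nz GET 2048
2022-11-01T09:16:30Z 10.0.0.40 mega.nz PUT 1200000
2022-11-01T09:17:00Z 10.0.0.15 notmega.co.nz POST 99000000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def is_mega_host(host):
    """True only for the Mega domains themselves or their subdomains (not look-alikes)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def summarize_mega_uploads(log_text):
    """Return {src_ip: total bytes sent to Mega via POST/PUT} from proxy log lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        _ts, src, host, method, nbytes = m.groups()
        if method in ("POST", "PUT") and is_mega_host(host):
            totals[src] += int(nbytes)
    return dict(totals)


def flag_exfiltration(log_text, threshold_bytes=50_000_000):
    """Return sorted source IPs whose uploads to Mega exceed the threshold (assumed 50 MB)."""
    totals = summarize_mega_uploads(log_text)
    return sorted(src for src, total in totals.items() if total > threshold_bytes)


if __name__ == "__main__":
    print(summarize_mega_uploads(SAMPLE_LOG))
    print(flag_exfiltration(SAMPLE_LOG))  # → ['10.0.0.15']
```

The threshold should be tuned to the environment; a legitimate Mega user will also show uploads, so this is a triage signal to correlate with other BlackByte indicators rather than a verdict on its own.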

Recently, an intelligence report revealed that the BlackByte ransomware group set its sights on African organisations in the third quarter of this year. Experts claimed that the ransomware operators chose to target African entities to test their new tool without attracting the attention of Western researchers and law enforcement agencies.

The BlackByte ransomware group is establishing itself as one of the most hostile entities in the cybercriminal landscape as it adds more custom tools, anti-detection strategies, and distribution techniques.

Therefore, organisations should keep up with security patches, as ProxyShell flaws are this threat group's primary weapon.
