Security researchers have discovered a new data exfiltration tool designed to speed up data theft for ransomware groups using the BlackMatter variant.
The Symantec Threat Hunter Team said in a new blog post today that the custom tool is the third discovery of its kind, following the development of the Ryuk Stealer tool and the LockBit-linked StealBit.
Dubbed “Exmatter,” it is designed to steal specific file types from selected directories and then upload them to a server under the control of BlackMatter attackers.
This approach of whittling down data sources to only those deemed most valuable or business-critical is intended to speed up the overall exfiltration process, presumably so the threat actors can complete their attack phases before being interrupted.
After retrieving the drive names of all logical drives on a victim computer and collecting all file pathnames, Exmatter ignores anything under specific directories such as “C:\Documents and Settings.”
It only exfiltrates specific file types such as PDFs, Word docs, spreadsheets and PowerPoints, and aims to prioritize these for exfiltration using LastWriteTime.
Once exfiltration has been completed, Exmatter looks to overwrite and delete any traces of itself from the victim’s computer.
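The collection pattern described above (bulk reads of office-document types across several logical drives, followed by the tool deleting its own image) is something a defender can look for in endpoint file-activity telemetry. The following is an added example, not code from the original article or from Symantec: it runs a simple heuristic over a handful of constructed file-event records in a hypothetical pipe-delimited format, profiles each process, and flags the ones matching that pattern. The threshold value and the log format are assumptions for illustration.

```python
"""Heuristic detection of Exmatter-style collection behaviour over
constructed file-activity events (added example; hypothetical log format)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Document types the article says the tool targets.
TARGET_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

# Assumed tuning value: how many targeted-document reads from one process,
# spread over at least two drives, count as "bulk collection".
DOC_READ_THRESHOLD = 5

# Constructed sample events. Format (hypothetical): time|pid|image|action|path
SAMPLE_EVENTS = r"""
10:00:01|4120|C:\ProgramData\upd.exe|READ|C:\Users\alice\Finance\q3.xlsx
10:00:01|4120|C:\ProgramData\upd.exe|READ|C:\Users\alice\Finance\budget.docx
10:00:02|4120|C:\ProgramData\upd.exe|READ|D:\Shares\Legal\contract.pdf
10:00:02|4120|C:\ProgramData\upd.exe|READ|D:\Shares\Legal\nda.docx
10:00:03|4120|C:\ProgramData\upd.exe|READ|E:\Backup\board.pptx
10:00:03|4120|C:\ProgramData\upd.exe|READ|E:\Backup\plan.xlsx
10:00:09|4120|C:\ProgramData\upd.exe|DELETE|C:\ProgramData\upd.exe
10:01:00|2210|C:\Program Files\Office\WINWORD.EXE|READ|C:\Users\alice\Finance\budget.docx
10:01:05|3301|C:\Windows\System32\svchost.exe|READ|C:\Windows\Temp\cache.tmp
"""


@dataclass
class ProcessProfile:
    """What one process did with the files we care about."""
    image: str
    doc_reads: int = 0
    drives: set = field(default_factory=set)
    self_deleted: bool = False


def parse_event(line):
    """Split one pipe-delimited record into its five fields."""
    ts, pid, image, action, path = line.split("|", 4)
    return ts, int(pid), image, action, path


def build_profiles(lines):
    """Aggregate events per pid into ProcessProfile objects."""
    profiles = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _ts, pid, image, action, path = parse_event(line)
        prof = profiles.setdefault(pid, ProcessProfile(image))
        p = PureWindowsPath(path)
        if action == "READ" and p.suffix.lower() in TARGET_EXTENSIONS:
            prof.doc_reads += 1
            prof.drives.add(p.drive.upper())      # e.g. "C:"
        elif action == "DELETE" and path.lower() == image.lower():
            # The process removed its own executable: the cleanup step
            # described in the article.
            prof.self_deleted = True
    return profiles


def flag_suspects(profiles, threshold=DOC_READ_THRESHOLD):
    """Return {pid: (image, [reasons])} for processes matching the pattern."""
    findings = {}
    for pid, prof in profiles.items():
        reasons = []
        if prof.doc_reads >= threshold and len(prof.drives) >= 2:
            reasons.append(
                f"bulk document reads ({prof.doc_reads}) across {len(prof.drives)} drives")
        if prof.self_deleted:
            reasons.append("deleted its own image")
        if reasons:
            findings[pid] = (prof.image, reasons)
    return findings


def analyse(text):
    """Convenience wrapper: raw event text in, findings out."""
    return flag_suspects(build_profiles(text.splitlines()))


if __name__ == "__main__":
    for pid, (image, reasons) in analyse(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({image}): " + "; ".join(reasons))
```

A legitimate office application reading a single document, and a system process touching non-document files, fall below both rules, while the constructed `upd.exe` process is flagged on both counts. In a real deployment the threshold would be tuned against a baseline of normal document access, and the drive and extension rules would be combined with process-reputation and network-egress signals rather than used alone.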
Symantec said it found several versions of the tool, indicating that its developers have tried to refine its functionality to speed up the process of data theft as much as possible.
The researchers said BlackMatter itself is linked to the “Coreid” cybercrime group, which may have also been responsible for Darkside — the variant that led to the Colonial Pipeline outage.
However, it’s unclear whether Exmatter was developed by this group or one of the many affiliates who use BlackMatter in attacks.
“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand,” Symantec concluded.
“Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core goal of the group.”
The US government issued an alert on BlackMatter in mid-October, after it began to target critical infrastructure providers. One vendor claims it may still be able to help victims of the ransomware variant after discovering a bug in its code.