Project Hyphae

New ExByte Malware is Taking a Bite Out of Data

And their ex isn't their only target.


BlackByte is a ransomware-as-a-service (RaaS) operation that gained notoriety in February 2022, when the FBI issued an alert about its attacks on American organizations, including at least three critical infrastructure sectors. The group has now been observed using a custom data theft and exfiltration tool called Exbyte.

Exbyte is written in Go and built to upload stolen files to the Mega.co.nz cloud storage service using hard-coded credentials. Now that those credentials have been published by researchers, expect the operators to rotate to a different account or service. On execution, Exbyte runs a series of checks for signs that it is being analyzed or is running in a sandbox, such as known analysis tools and anti-virus or sandbox-related files. If any of these indicators are present, the tool exits without doing anything, which makes it harder for investigators to determine what it is and what it is used for.

This analysis evasion technique mirrors what the BlackByte ransomware's primary payload does on execution. Once Exbyte decides it is safe to run, it enumerates document files on the computer (.doc, .pdf and .txt, for example), writes each one's full path and file name to %APPDATA%\dummy, and then uploads the listed files to the attacker's cloud destination. That staging file is worth checking during incident response: it tells you exactly which documents the tool selected for exfiltration.
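The staging list described above makes a useful scoping artifact for responders. The following script is an added example for this post, not code from the original article, from Symantec, or from the malware itself. It assumes the %APPDATA%\dummy file holds one absolute Windows path per line (the post does not describe the exact format, so that is an assumption) and summarizes what was queued for upload; the sample staging list embedded in it is constructed for illustration.

```python
"""Triage a suspected Exbyte staging list (%APPDATA%\\dummy).

Added example, not from the original post. Assumes one absolute Windows
path per line in the staging file; the post only says the tool records
"the full path and file name" of each enumerated document.
"""
import os
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List

# Extensions the post names as Exbyte's targets. Anything else that shows
# up in the list is flagged so the responder can look at it separately.
DOCUMENT_EXTENSIONS = {".doc", ".pdf", ".txt"}


def default_staging_path() -> str:
    """Where the post says Exbyte writes its list; %APPDATA% is resolved at run time."""
    return os.path.join(os.environ.get("APPDATA", ""), "dummy")


def parse_staging_list(text: str) -> List[str]:
    """Return the non-empty, whitespace-stripped lines of the staging file as paths."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def summarize(paths: List[str]) -> Dict:
    """Break the staged paths down by extension and directory for scoping data loss."""
    by_ext = Counter(PureWindowsPath(p).suffix.lower() for p in paths)
    by_dir = Counter(str(PureWindowsPath(p).parent) for p in paths)
    unexpected = [p for p in paths
                  if PureWindowsPath(p).suffix.lower() not in DOCUMENT_EXTENSIONS]
    return {
        "total": len(paths),
        "by_extension": dict(by_ext),
        "top_directories": by_dir.most_common(3),
        "unexpected": unexpected,
    }


def still_present(paths: List[str]) -> List[str]:
    """Paths from the list that still exist on this host (helps confirm what was exposed)."""
    return [p for p in paths if os.path.exists(p)]


# Constructed sample of what a staging list might look like; not real data.
SAMPLE_STAGING_LIST = """C:\\Users\\jdoe\\Documents\\board-minutes.doc
C:\\Users\\jdoe\\Documents\\payroll\\2022-q1.pdf
C:\\Users\\jdoe\\Desktop\\notes.txt
C:\\Users\\jdoe\\Downloads\\contract.pdf
C:\\Users\\jdoe\\Documents\\payroll\\2022-q2.pdf
C:\\Users\\jdoe\\Documents\\payroll\\headcount.xlsx
"""


if __name__ == "__main__":
    staging = default_staging_path()
    if os.path.isfile(staging):
        with open(staging, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print(f"Reading staging list from {staging}")
    else:
        text = SAMPLE_STAGING_LIST
        print("No staging file found on this host; using constructed sample")
    paths = parse_staging_list(text)
    report = summarize(paths)
    print(f"{report['total']} files staged for upload")
    for ext, n in sorted(report["by_extension"].items()):
        print(f"  {ext or '(no extension)'}: {n}")
    print("Most affected directories:")
    for d, n in report["top_directories"]:
        print(f"  {n:3d}  {d}")
    if report["unexpected"]:
        print("Outside the extensions the post describes:")
        for p in report["unexpected"]:
            print(f"  {p}")
```

Run it on the affected host (or point it at a copy of the file pulled off a disk image) and hand the per-directory breakdown to whoever is assessing notification obligations; the "unexpected" bucket is there because a future build may widen the extension list beyond what the post describes.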

To read more details about BlackByte RaaS, ExByte data exfiltration, and other Indicators of Compromise seen in various attacks where these have been used, please visit Symantec’s security blog entry: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
