Project Hyphae

New ExByte Malware is Taking a Bite Out of Data

And their ex isn't their only target.

Share This Post

BlackByte is a ransomware-as-a-service (RaaS) that gained notoriety in February of 2022 when they were the subject of an FBI alert calling attention to their attacks against American organizations, including at least three critical infrastructure sectores. Now, they’ve been discovered using a custom data theft and exfiltration tool called Exbyte.

Exbyte is written in Go and designed to upload stolen files to the cloud storage service using hard-coded credentials, though that could change to another service and/or account as this very information is shared publicly among cybersecurity experts. On execution, ExByte performs multiple checks for indicators that it may be running in a sandboxed environment. If any of these indicators are found, such as known analysis tools or anti-virus or sandbox-related files, it will not execute. This makes it harder for investigators to determine what the tool is or what it is used for.

This investigator evasion technique is similar to what the BlackByte ransomware’s primary payload uses upon execution. Once ExByte determines it can run, it enumerates all documents on the computer, such as .doc, .pdf, or .txt files, and saves the full path and file name to %APPDATA%\dummy, where they are then uploaded to the attacker’s cloud destination.

To read more details about BlackByte RaaS, ExByte data exfiltration, and other Indicators of Compromise seen in various attacks where these have been used, please visit Symantec’s security blog entry:

More To Explore

Information Security News 11-28-2022

Know Thy Enemy: Thinking Like a Hacker can Boost Cybersecurity Strategy Article Link: 90% of Organizations Have Microsoft 365 Security Gaps Article Link:

Information Security News 11-21-2022

Transportation Sector Targeted by Both Ransomware and APTs Article Link: Misconfigurations, Vulnerabilities Found in 95% of Applications Article Link: Electronics Repair Technicians Snoop

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.