Ransomware operators are turning to new extortion methods using Exmatter malware and adding new data corruption functionality.
The data extortion landscape is constantly evolving, and threat actors keep devising new extortion techniques; the group using the Exmatter malware is a case in point.
Cyderes Special Operations and Stairwell Threat Research have discovered a sample of malware classified as the .NET hack tool Exmatter. The malware was observed in conjunction with the deployment of the BlackCat/ALPHV ransomware, which experts believe is operated by affiliates of several ransomware groups, including BlackMatter.
Exmatter allows operators to pull certain file types from selected directories before executing the ransomware itself on compromised systems. The sample analyzed by the experts attempts to corrupt the files within the victim’s environment, rather than encrypting them, and perform actions to prepare the files for destruction.
Experts noted that this is the first time that Exmatter has been observed with a destructive module.
“First, the malware replicates through the drives of the victim machine, creating a queue of files that match a static list of given extensions. Files matching those file extensions are added to the queue for extraction, which is then written to a folder with the same name as the hostname of the victim’s machine on the server controlled by the actor,” reads the report published by Cyderes. “While uploading files to the server controlled by the actor, files that were successfully copied to the remote server are queued to be processed by a class called Eraser. A segment of random size starting at the beginning of the second file is read into a buffer and then written at the beginning of the first file, overwriting it and corrupting the file.”
Using legitimate data from a compromised file to corrupt another file may allow operators to evade ransomware- or wiper-based detection, since copying file data from one file to another looks far more benign than overwriting files with random data or encrypting them.
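A file corrupted in the way the report describes starts with the leading bytes of a different file, so its on-disk header no longer matches its extension. The following integrity check, an added example that is not code from the article, Cyderes or Stairwell, walks a directory and flags such header/extension mismatches; the signature table and the sample files it builds are constructed for illustration.

```python
import os
import tempfile

# Well-known file signatures for a few document types (assumed to be among the
# extensions an exfiltration tool like this would target; list is illustrative).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}

def header_mismatch(path: str) -> bool:
    """True if the extension has a known signature and the file does not start
    with it. A file whose first bytes were replaced by another file's first
    bytes (the Eraser pattern) will fail this check."""
    sig = MAGIC.get(os.path.splitext(path)[1].lower())
    if sig is None:
        return False          # unknown type: nothing to compare against
    with open(path, "rb") as fh:
        return fh.read(len(sig)) != sig

def scan_tree(root: str) -> list[str]:
    """Walk root and return the sorted paths whose header does not match."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if header_mismatch(path):
                hits.append(path)
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed fixture: an intact PNG, an intact PDF, and a PDF whose first
    bytes were replaced with the PNG's first bytes. Returns the temp dir."""
    root = tempfile.mkdtemp(prefix="exmatter_demo_")
    png = MAGIC[".png"] + b"\x00" * 64
    pdf = MAGIC[".pdf"] + b"1.7\n%constructed sample\n" + b"\x00" * 64
    with open(os.path.join(root, "ok.png"), "wb") as f:
        f.write(png)
    with open(os.path.join(root, "ok.pdf"), "wb") as f:
        f.write(pdf)
    with open(os.path.join(root, "corrupt.pdf"), "wb") as f:
        f.write(png[:12] + pdf[12:])   # header now belongs to another file
    return root

if __name__ == "__main__":
    for path in scan_tree(build_sample_tree()):
        print("header/extension mismatch:", path)
```

Run against a backup or file share after an incident, mismatches of this kind point at files that were overwritten rather than encrypted and therefore need restoring from the exfiltrated copies or clean backups rather than decrypting.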
Experts pointed out that developing stable, secure and fast ransomware to encrypt files is redundant and costly compared with simply corrupting the files and using the stolen copies to recover the data.
Eliminating data encryption makes the process faster and removes the risk of not getting the full payoff, or that the victim will find flaws in the encryption process that could allow them to decrypt the data.
According to experts, Exmatter’s data destruction capabilities are still under development due to the following evidence:
- The length of the second file segment, which is used to overwrite the first file, is randomly selected and can be as little as one byte.
- There is no mechanism to remove files from the corruption queue, which means that some files may be overwritten multiple times before the program terminates, while others may never be selected.
- The function that creates the Eraser instance does not appear to be fully implemented and cannot be decompiled properly.
The data corruption feature explained by Stairwell and Cyderes researchers may represent a shift in the strategy used by ransomware affiliates.
The report also includes YARA rules for this threat and the relevant MITRE ATT&CK techniques.