BlackByte ransomware exploits a VMware ESXi flaw

The BlackByte ransomware group has been observed likely exploiting a recently patched security flaw in VMware ESXi hypervisors while also using vulnerable drivers to disable security protections.

“The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor,” according to a Cisco Talos technical report.

The exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi, which has also been targeted by other ransomware groups, indicates that BlackByte is shifting from traditional methods.

First appearing in the second half of 2021, BlackByte is believed to be one of the ransomware variants that emerged before the notorious Conti ransomware crew disbanded.

As a ransomware-as-a-service (RaaS) operation, BlackByte has a history of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server to gain initial access, while steering clear of systems using Russian and several Eastern European languages.

Like other RaaS groups, it employs double extortion, using a dark web data leak site to pressure victims into paying by threatening to expose stolen data. To date, multiple variants of BlackByte, written in C, .NET, and Go, have been observed in the wild.

Although a decryptor for BlackByte was released by Trustwave in October 2021, the group has continued to evolve its tactics, even developing a custom tool called ExByte for data exfiltration before encryption begins.

In early 2022, the U.S. government issued an advisory attributing the RaaS group to financially motivated attacks on critical infrastructure sectors, including finance, agriculture, and government facilities.

A key aspect of BlackByte’s attacks is the use of vulnerable drivers to terminate security processes and bypass controls, a method known as bring your own vulnerable driver (BYOVD).

Cisco Talos, which investigated a recent BlackByte attack, noted that the breach was likely facilitated by valid credentials used to access the victim’s VPN, possibly obtained through brute-force attacks.

“Given BlackByte’s history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access may represent a slight shift in technique or could be opportunistic,” said security researchers James Nutland, Craig Jackson, Terryn Valikodath, and Brennan Evans. “Additionally, using the victim’s VPN offers the adversary other benefits, such as reduced detection by the organization’s EDR.”

BlackByte Ransomware

The threat actor was able to escalate their privileges, using the gained permissions to access the organization’s VMware vCenter server and create new accounts in an Active Directory group named ESX Admins. According to Talos, this was achieved by exploiting CVE-2024-37085, a vulnerability that allows attackers to gain administrator privileges on the hypervisor by creating a group with that name and adding any user to it.

This elevated privilege could then be exploited to control virtual machines (VMs), alter the host server’s configuration, and gain unauthorized access to system logs, diagnostics, and performance monitoring tools.

Talos emphasized that the flaw was exploited just days after its public disclosure, illustrating how quickly threat actors adapt their tactics to incorporate newly discovered vulnerabilities and enhance their attacks.

The recent BlackByte attacks also culminated in files being encrypted and rewritten with the file extension “blackbytent_h.” The encryptor additionally dropped four vulnerable drivers as part of the BYOVD attack, all following a similar naming convention of eight random alphanumeric characters followed by an underscore and an incremental number:

  • AM35W2PH (RtCore64.sys)
  • AM35W2PH_1 (DBUtil_2_3.sys)
  • AM35W2PH_2 (zamguard64.sys aka Terminator)
  • AM35W2PH_3 (gdrv.sys)
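Two of the observable artifacts above translate directly into detection logic: changes to an Active Directory group named “ESX Admins” (the CVE-2024-37085 abuse described earlier) and a burst of .sys files whose names share an eight-character prefix with `_N` suffixes. The following Python is an added example, not code from Talos or from the article; the log lines are constructed to look like a key=value SIEM export, and the event IDs are the real Windows Security audit IDs 4727/4728 and Sysmon Event ID 11 (FileCreate), but the line layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample export (not real telemetry). 4727 = security-enabled
# global group created, 4728 = member added to such a group (Windows Security
# log); 11 = FileCreate (Sysmon). Field names are this example's own choice.
SAMPLE_LOG = """\
ts=2024-08-01T10:02:11Z host=DC01 event_id=4727 group="ESX Admins" subject=jdoe
ts=2024-08-01T10:02:40Z host=DC01 event_id=4728 group="ESX Admins" member=svc_backup subject=jdoe
ts=2024-08-01T10:05:03Z host=DC01 event_id=4728 group="Domain Users" member=alice subject=admin
ts=2024-08-01T11:15:22Z host=WS07 event_id=11 file=C:\\Windows\\Temp\\AM35W2PH.sys subject=jdoe
ts=2024-08-01T11:15:23Z host=WS07 event_id=11 file=C:\\Windows\\Temp\\AM35W2PH_1.sys subject=jdoe
ts=2024-08-01T11:15:24Z host=WS07 event_id=11 file=C:\\Windows\\Temp\\AM35W2PH_2.sys subject=jdoe
ts=2024-08-01T11:15:25Z host=WS07 event_id=11 file=C:\\Windows\\Temp\\AM35W2PH_3.sys subject=jdoe
ts=2024-08-01T12:00:00Z host=WS07 event_id=11 file=C:\\Windows\\System32\\drivers\\ntfs.sys subject=SYSTEM
"""

# key=value pairs; a quoted value may contain spaces ("ESX Admins").
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Eight alphanumerics, optional _N suffix, .sys extension (basename only).
DRIVER_RE = re.compile(r'^([A-Z0-9]{8})(?:_(\d+))?\.sys$', re.IGNORECASE)


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def esx_admins_events(lines):
    """Creation of, or membership change to, a group named 'ESX Admins'.
    ESXi grants hypervisor admin rights by group name alone, so any such
    event outside a planned change is worth an analyst's attention."""
    hits = []
    for ev in map(parse_line, lines):
        if ev.get("event_id") in ("4727", "4728") and \
                ev.get("group", "").casefold() == "esx admins":
            hits.append((ev["ts"], ev["event_id"], ev.get("member", ev["subject"])))
    return hits


def byovd_driver_families(lines, min_members=2):
    """Group FileCreate events per (host, 8-char prefix); several suffixed
    variants of one prefix on one host match the dropped-driver convention."""
    families = defaultdict(set)
    for ev in map(parse_line, lines):
        if ev.get("event_id") != "11":
            continue
        base = ev["file"].replace("\\", "/").rsplit("/", 1)[-1]
        m = DRIVER_RE.match(base)
        if m:
            families[(ev["host"], m.group(1).upper())].add(base)
    return {k: sorted(v) for k, v in families.items() if len(v) >= min_members}
```

Both detectors are name-based, so they are a triage signal to pair with driver hash/block-list checks and vCenter audit logs, not a verdict on their own.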

The professional, scientific, and technical services sectors face the greatest exposure to these vulnerable drivers, accounting for 15% of the total, followed by the manufacturing (13%) and educational services (13%) sectors. Talos also assessed that the threat actor is likely more active than publicly known, with only an estimated 20-30% of victims being publicly reported, although the reasons for this underreporting remain unclear.

“BlackByte’s progression in programming languages from C# to Go and now to C/C++ in the latest version of its encryptor, BlackByteNT, reflects a calculated effort to strengthen the malware’s resilience against detection and analysis,” the researchers noted.

“Complex languages like C/C++ allow for the integration of advanced anti-analysis and anti-debugging techniques, which have been observed throughout BlackByte’s tooling during detailed analysis by other security researchers.”

This disclosure comes as Group-IB detailed the tactics of two other ransomware strains, Brain Cipher and RansomHub, highlighting potential connections between Brain Cipher and other ransomware groups like EstateRansomware, SenSayQ, and RebornRansomware.

“There are stylistic and content-based similarities between the ransom notes of Brain Cipher and SenSayQ ransomware,” noted the Singaporean cybersecurity firm. “The TOR websites for Brain Cipher and SenSayQ also share similar technologies and scripts.”

In contrast, RansomHub has been observed recruiting former affiliates of Scattered Spider, a detail that emerged last month. Most of the attacks have been directed at the healthcare, finance, and government sectors in the U.S., Brazil, Italy, Spain, and the U.K.

“For initial access, affiliates typically purchase compromised valid domain accounts from Initial Access Brokers (IABs) and exploit external remote services,” Group-IB stated, further explaining that “these accounts have been obtained using the LummaC2 stealer.”

RansomHub’s tactics involve using compromised domain accounts and public VPNs for initial access, followed by data exfiltration and extensive encryption. Their recent launch of a RaaS affiliate program and demand for high ransom payments underscore their increasingly aggressive and evolving approach.

Source: TheHackerNews