Researchers on the team at Symantec Threat Hunter, the Enterprise Security Solutions division of Broadcom, have discovered a new data exfiltration tool designed to accelerate information theft for ransomware groups using the BlackMatter variant.
The team of researchers explained in a post on the company’s blog that the custom tool is the third discovery of its kind, after the development of the Ryuk Stealer and StealBit tools linked to the hacker group that operates the LockBit ransomware.
Called Exmatter, the tool is designed to steal specific file types from selected directories and then upload them to a server under the control of BlackMatter attackers.
This process of reducing data sources to only those deemed most profitable or business critical is designed to speed up the entire data exfiltration process, presumably so that threat operators can complete their attack stages before they are discovered and stopped .
After retrieving the names of all logical drives on the victim’s computer and collecting all file names, Exmatter disregards things in specific directories like “C:Documents and Settings”. It only exfiltrates specific file types, such as PDFs, Word documents, spreadsheets and PowerPoints, and aims to prioritize them for exfiltration using LastWriteTime. Once the exfiltration is complete, Exmatter seeks to overwrite and delete any traces of itself from the victim’s computer.
Symantec said it found several versions of the tool, indicating that its developers had tried to refine its functionality to speed up the data theft process as far as possible. The company’s researchers said BlackMatter is linked to cybercrime group Coreid, which may also have been responsible for Darkside, the variant that led to the Colonial Pipeline’s disruption in early May. However, it is unclear whether Exmatter was developed by this group or by one of the many affiliates that use BlackMatter in attacks.
US authorities issued a warning about BlackMatter in mid-October after it began targeting critical infrastructure providers.
Source: CisoAdvisor