
BlackCat Ransomware Data Exfiltration Tool Upgraded

The latest version adds stealthier features that make it harder for threat-detection programs to spot.

Published September 23, 2022

The BlackCat ransomware operation has entered its next phase after updating its data exfiltration tool, the component it relies on for double-extortion attacks. The threat actors are expected to use the upgraded tool in future campaigns.

Researchers at Symantec reported the new, improved version of the exfiltration tool, a flagship component of the BlackCat ransomware gang's toolkit. It has been used to exfiltrate data in high-profile attacks in which the threat actor, having taken control of compromised systems, applies double-extortion pressure.

BlackCat ransomware

BlackCat ransomware, also known as ALPHV, is part of the growing ransomware-as-a-service (RaaS) gig economy. It is written in Rust, an unconventional choice for ransomware, and its affiliates have gained access through multiple entry points; per Microsoft's report, it has been distributed by prolific hacker groups operating as affiliates.

For the uninitiated, BlackCat encrypts the target's data and uses double-extortion tactics: the threat actor threatens to publish the stolen data unless the victim pays the ransom. The ransomware is also related to other extortion gangs, including the infamous Conti and LockBit.

BlackCat ransomware focuses on exfiltrating data

BlackCat ransomware's data exfiltration tool, previously used in its extortion operations, has been identified as "Exmatter", first deployed by the gang in November 2021. An updated version was released in August 2022. Its changes include limiting exfiltration to files with 17 specific extensions, generating a report of processed files, removing support for Socks5, GPO deployment, an "Eraser" feature that corrupts processed files, FTP extraction, a "self destruct" option that deletes the program when it runs in a non-valid environment, and more.

Moreover, the latest Exmatter version includes stealthier features that make it harder for threat-detection programs to spot. Alongside it, a new malware called "Eamfo" has been deployed; it steals credentials stored by Veeam backup software.

Eamfo connects to the Veeam SQL database and retrieves the stored backup credentials with the query select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]. Veeam stores the password column in encrypted form rather than plaintext, so the attacker must also decrypt the values on the backup server, but once recovered these accounts typically carry privileged access to the backup infrastructure, which is why they are targeted.
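One way a defender can catch this behaviour is to audit reads of that table at the SQL Server and alert when the password column is selected by anything other than Veeam's own services. The following is an added detection example, not code from the article or from Symantec: it normalizes T-SQL statements so bracket quoting, casing, whitespace and the `VeeamBackup..Credentials` shorthand all match, then flags password reads from untrusted client applications. The audit record layout (`app_name`, `login`, `statement`), the sample records and the allowlist of trusted application names are assumptions made for the example.

```python
"""Detect Eamfo-style reads of Veeam's credential table in SQL audit data.

Added example, not the article's or Symantec's code. The record fields,
the sample records and TRUSTED_APPS are assumptions for illustration.
"""
import re

# Assumption: only these client application names legitimately read the
# Credentials table. Tune this to what your Veeam server actually uses.
TRUSTED_APPS = {"veeam.backup.service", "veeam.backup.manager", "veeam.backup.shell"}

# Matches the table after normalization (lower-case, brackets stripped).
CRED_TABLE = re.compile(r"\bveeambackup\.dbo\.credentials\b")
SELECT_LIST = re.compile(r"\bselect\b(.*?)\bfrom\b", re.DOTALL)


def normalize_sql(stmt: str) -> str:
    """Canonicalize a T-SQL statement for matching.

    Lower-cases, removes [bracket] and "quote" identifier delimiters,
    collapses whitespace and expands the `db..table` shorthand to
    `db.dbo.table`, so trivial rewrites of the query still match.
    """
    s = re.sub(r'[\[\]"]', "", stmt.lower())
    s = re.sub(r"\s+", " ", s).strip()
    return s.replace("..", ".dbo.")


def reads_veeam_credentials(stmt: str) -> bool:
    """True if the statement selects the password column (or *) from
    VeeamBackup.dbo.Credentials."""
    s = normalize_sql(stmt)
    if not CRED_TABLE.search(s):
        return False
    m = SELECT_LIST.search(s)
    if not m:
        return False
    cols = m.group(1)
    return "*" in cols or re.search(r"\bpassword\b", cols) is not None


def find_suspicious(records):
    """Return audit records where an untrusted client read Veeam passwords."""
    hits = []
    for rec in records:
        if rec["app_name"].lower() in TRUSTED_APPS:
            continue
        if reads_veeam_credentials(rec["statement"]):
            hits.append(rec)
    return hits


# Constructed sample audit records (not real telemetry).
SAMPLE_AUDIT = [
    {"app_name": "Veeam.Backup.Service", "login": "NT AUTHORITY\\SYSTEM",
     "statement": "SELECT [id],[user_name],[password] FROM [VeeamBackup].[dbo].[Credentials]"},
    {"app_name": "sqlcmd", "login": "CORP\\backupadmin",
     "statement": "select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]"},
    {"app_name": "Veeam.Backup.Service", "login": "NT AUTHORITY\\SYSTEM",
     "statement": "SELECT TOP 1 [id] FROM [VeeamBackup].[dbo].[Backups]"},
    {"app_name": "python.exe", "login": "CORP\\backupadmin",
     "statement": "SELECT  *  FROM VeeamBackup..Credentials"},
    {"app_name": "sqlcmd", "login": "CORP\\dba",
     "statement": "SELECT [user_name],[description] FROM [VeeamBackup].[dbo].[Credentials]"},
]

if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_AUDIT):
        print(f"ALERT: {rec['app_name']} as {rec['login']} read Veeam credentials: {rec['statement']}")
```

Feeding this real data requires a SQL Server audit or Extended Events session that captures `client_app_name`, `server_principal_name` and the statement text for the VeeamBackup database; the application name is client-supplied, so treat it as a weak signal and pair the alert with process and host telemetry from the backup server.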

Written By
Ashish Khaitan

Ashish is a technical writer at The Cyber Express. He adores writing about the latest technologies and covering the latest cybersecurity events. In his free time, he likes to play horror and open-world video games.
