BlackCat ransomware (aka ALPHV), considered the successor of DarkSide and BlackMatter, recently received a major update. Security researchers at Symantec report that the developer of BlackCat, the first Rust-based ransomware strain, continually improves and enriches the malware with new features. Lately, the focus appears to have been on the tool used for exfiltrating data from compromised systems, an essential requirement for double-extortion attacks. Named “Exmatter,” the tool has been in use since BlackCat’s launch in November 2021 and was heavily updated in August 2022, featuring the following changes:
- Limit the types of files to exfiltrate to: PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG.
- Add FTP as an exfiltration option in addition to SFTP and WebDAV.
- Offer an option to build a report listing all processed files.
- Add an “Eraser” feature giving the option to corrupt processed files.
- Add a “Self-destruct” configuration option to quit and delete itself if executed in an invalid environment.
- Remove support for SOCKS5.
- Add an option for GPO deployment.
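The two details in that list a defender can act on directly are the file-extension allowlist and the three exfiltration channels (FTP, SFTP, WebDAV). The script below is an added example, written for this page and not part of the Symantec report or the Exmatter tooling: it scans transfer-log records for a single internal host pushing several files with those extensions over one of those channels in a short window. The record format (the `ts`, `src`, `dst`, `service`, `method` and `filename` fields), the labelling of SFTP as the `ssh` service, the sample records, the five-file threshold and the ten-minute window are all constructed assumptions for the example; only the extension list and the protocols come from the article.

```python
"""Hunt for Exmatter-style bulk exfiltration in transfer logs.

Added example, not part of the Symantec report or the original article.
The record layout is a constructed, simplified one (loosely modelled on
Zeek-style files/conn logs); real deployments must adapt the field names.
Only the extension list and the transfer protocols (FTP, SFTP over SSH,
WebDAV over HTTP) are taken from the article.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions Exmatter limits exfiltration to (from the article), lower-cased.
TARGET_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".png", ".jpg", ".jpeg", ".txt", ".bmp",
    ".rdp", ".sql", ".msg", ".pst", ".zip", ".rtf", ".ipt", ".dwg",
}

# WebDAV write/enumeration verbs; plain GET is ordinary browsing and ignored.
WEBDAV_METHODS = {"PUT", "MKCOL", "PROPFIND", "MOVE", "COPY"}


def is_exfil_channel(rec: dict) -> bool:
    """True when the record's transport matches one of Exmatter's exfil options."""
    service = rec.get("service", "").lower()
    if service == "ftp":
        return True
    if service == "ssh":  # SFTP rides on SSH (assumed log labelling)
        return True
    if service == "http" and rec.get("method", "").upper() in WEBDAV_METHODS:
        return True
    return False


def has_target_extension(filename: str) -> bool:
    """True when the file name ends in one of the extensions Exmatter collects."""
    return PurePosixPath(filename.lower()).suffix in TARGET_EXTENSIONS


def flag_exfil_candidates(records: list, min_files: int = 5,
                          window_s: int = 600) -> list:
    """Return one hit per (src, dst, service) that moved at least min_files
    targeted files over an exfil-capable channel within window_s seconds."""
    per_pair = defaultdict(list)
    for rec in records:
        if is_exfil_channel(rec) and has_target_extension(rec.get("filename", "")):
            key = (rec["src"], rec["dst"], rec["service"].lower())
            per_pair[key].append(rec["ts"])

    hits = []
    for (src, dst, service), times in per_pair.items():
        times.sort()
        j = 0  # sliding window over sorted timestamps
        for i in range(len(times)):
            while times[i] - times[j] > window_s:
                j += 1
            if i - j + 1 >= min_files:
                hits.append({"src": src, "dst": dst, "service": service,
                             "files": len(times)})
                break
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # 10.0.0.5 pushes six office documents to an external host over SFTP in two minutes.
    *[{"ts": 1000 + 20 * i, "src": "10.0.0.5", "dst": "203.0.113.7",
       "service": "ssh", "filename": f"/finance/q3_report_{i}.docx"} for i in range(6)],
    # The same host browsing normally: GET is not a WebDAV write, ignored.
    {"ts": 1010, "src": "10.0.0.5", "dst": "198.51.100.2", "service": "http",
     "method": "GET", "filename": "/index.html"},
    # A single WebDAV PDF upload: targeted extension, but below the threshold.
    {"ts": 1500, "src": "10.0.0.9", "dst": "203.0.113.8", "service": "http",
     "method": "PUT", "filename": "/dav/contract.pdf"},
    # Bulk FTP transfer of executables: wrong extensions, ignored.
    *[{"ts": 2000 + i, "src": "10.0.0.11", "dst": "203.0.113.9",
       "service": "ftp", "filename": f"/bin/tool{i}.exe"} for i in range(8)],
]

if __name__ == "__main__":
    for hit in flag_exfil_candidates(SAMPLE_RECORDS):
        print(f"{hit['src']} -> {hit['dst']} via {hit['service']}: {hit['files']} targeted files")
```

Tune `min_files` and `window_s` to the environment; the threshold exists because a single WebDAV upload of a PDF is routine, while a burst of office documents leaving over SFTP to an address the host has never spoken to is the shape Exmatter produces. Correlating the hit with the GPO-deployment and self-destruct behaviour noted above (the tool running from a machine-wide policy, then deleting itself) is the obvious next pivot in an investigation.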
In addition to the expanded capabilities, the latest Exmatter version has gone through heavy code refactoring, reimplementing existing features more stealthily to evade detection. Another recent addition to BlackCat’s information-stealing capability is the deployment of a new piece of malware called “Eamfo,” which specifically targets credentials stored by Veeam backup software. Veeam is typically used to store credentials for domain controllers and cloud services, which the ransomware actors can then use for deeper infiltration and lateral movement. Once extracted, the credentials are decrypted by Eamfo and displayed to the threat actor. Finally, Symantec has observed the BlackCat operation using an older anti-rootkit utility to terminate antivirus processes.