Cyber Security

Exmatter Instrument Expedites BlackMatter’s Information Exfiltration | Cyware Alerts

BlackMatter ransomware group has been utilizing a brand new knowledge exfiltration instrument designed to speed up info theft. The instrument, named Exmatter, is custom-made by the ransomware group utilizing the DotNet framework.

What’s new?

Symantec’s Threat Hunter group has found the {custom} instrument that steals sure file varieties from chosen directories and uploads them to a server earlier than deploying the ransomware on the sufferer’s community.
  • To steal information, the instrument obtains the names of logical drives on the sufferer’s pc and all file pathnames. Nonetheless, the instrument avoids something underneath sure directories akin to C:Paperwork and Settings, and extra.
  • It solely steals sure particular file varieties, akin to PDFs, spreadsheets, PowerPoints, and Phrase docs, and prefers to focus on information with current LastWriteTime.
  • As soon as exfiltration is completed, the instrument overwrites the preliminary chunk of the file and makes certain to delete any traces of itself from the sufferer’s community.
In response to researchers, the BlackMatter group is related to the Coreid cybercrime group, which is believed to be behind the Darkside ransomware that led to the devastating Colonial Pipeline outage.

A number of variations of the instrument

Symantec has discovered multiple variants of the instrument, implying that the attackers behind it have made efforts to make it extra environment friendly and enhance its performance to hurry up the method of information theft.
  • In one of many variants, the listing to keep away from knowledge was changed with a special tackle on the exclusion checklist. Moreover, the variant has included .xlsm, and .zip file varieties within the inclusion checklist.
  • One other variant features a WebDav consumer and the code construction implies that SFTP is the popular protocol with WebDav appearing as a backup. The WebDav consumer makes use of a set URL.
  • There was one other variant of the {custom} instrument that was noticed with up to date SFTP server info.


The event of a number of variants of the {custom} instrument akin to Exmatter for stealing info exhibits that the BlackMatter group is prioritizing exfiltration actions. By doing this, the stolen info can be utilized as leverage for ransom and even provided at darkish net boards for cash. Due to this fact, organizations are advised to make use of sturdy anti-ransomware options to remain protected.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *