A new version of the BlackCat ransomware's data exfiltration tool for double-extortion attacks has been released. Exmatter, the stealer tool, has been in use since BlackCat's initial release in November 2021.
Exmatter Evolution
Symantec researchers (who track the group as Noberus) claim in a report that the ransomware group's focus appears to be on data exfiltration capabilities, which is a critical component of double-extortion attacks.
The exfiltration tool was substantially updated in August, with various changes including the ability to exfiltrate data from a wide range of file types, including FTP and WebDav, to SFTP, and the option to create a report listing all processed files.
It has also added a 'Eraser' feature to corrupt processed files, as well as a 'Self-destruct' configuration option to delete and quit if it runs in a non-valid environment.
New information stealer
The deployment of new malware known as Eamfo, which is specifically designed to target credentials saved in Veeam backups, has increased BlackCat's ability to steal information even further.
Eamfo connects to the Veeam SQL database and uses a SQL query to steal backup credentials. It decrypts and displays credentials to an attacker once they have been extracted.
Along with expanding Exmatter's capabilities, the latest version includes extensive code refactoring to make existing features more stealthy and resistant to detection. In any case, the BlackCat operation terminates antivirus processes with an older anti-rootkit utility.
BlackCat isn't slowing down and appears to be focused on constantly evolving itself with new tools, improvements, and extortion strategies. As a result, organisations are advised to secure access points and train their employees on cybercriminal penetration techniques. Businesses should also invest more in cross-layer detection and response solutions.