BlackByte, cybercriminal group specializing in Ransomware

img-post
Blog
Cybersecurity

Rédigé par Hana Mekni , 9 September 2024

BlackByte combines proven techniques with recently disclosed vulnerabilities to support its ongoing attacks

  • The BlackByte ransomware group continues to exploit tactics, techniques and procedures (TTPs) that have formed the basis of its methods since its inception, continually adapting its use of vulnerable drivers to bypass security protections and deploying ransomware capable of autonomous, worm-like propagation.
  • BlackByte uses techniques that deviate from its established methods, such as exploiting the CVE-2024-37085 vulnerability – an authentication bypass flaw in VMware ESXi – shortly after its disclosure, and using a victim’s authorized remote access mechanism rather than deploying a commercial remote administration tool like AnyDesk.
  • A new iteration of BlackByte encryption that adds the ” blackbytent_h ” file extension to encrypted files, drops four vulnerable driver files compared to the three previously observed, and uses the victim’s Active Directory credentials to propagate.
  • The BlackByte group is more active than its data leak site might suggest, where only 20-30% of successful attacks result in an extortion message.

BlackByte is a ransomware-as-a-service (RaaS) group believed to be a branch of the infamous Conti ransomware group. First observed in mid-to-late 2021, their modus operandi includes the use of vulnerable drivers to bypass security controls, the deployment of self-propagating ransomware with worm-like capabilities, and the use of known system binaries (LoLBins) as well as other legitimate commercial tools in their attack chain.

BlackByte has rewritten its ransomware binary over time, with versions programmed in Go, .NET, C++, or a combination of these languages. The group’s apparent efforts to continuously improve its tools, operations and even its data leak site are well documented.

Initial access

In a recent BlackByte ransomware attack, the threat actor gained initial access using valid credentials to access the victim organization’s VPN. Telemetry limitations and the loss of evidence after the ransomware encryption event prevented Team IR from determining whether the credentials had been brute-force obtained on the VPN interface or were already known to the adversary prior to the attack. However, IR Teams has moderate confidence that brute-force authentication facilitated by internet scanning was the initial access vector, based on the following observations:

  • The account initially compromised by the adversary had a basic naming convention and, reportedly, a weak password.
  • The VPN interface interface could have allowed a domain account to authenticate without multi-factor authentication (MFA) if the target account had a specific configuration in Active Directory.
  • BlackByte has a track record of researching and exploiting publicly available vulnerabilities, such as the ProxyShell vulnerability in Microsoft Exchange Server.

Given BlackByte’s history of exploiting publicly available vulnerabilities for initial access, using the VPN for remote access may represent a slight change in technique or could be opportunistic. Using the victim’s VPN for remote access also offers the adversary other advantages, including reduced visibility from the organization’s EDR (endpoint detection and response).

Recognition and enumeration

After gaining initial access to the environment, the adversary managed to elevate his privileges by compromising two accounts at Domain Admin level. One of these accounts was used to access the organization’s VMware vCenter server and, shortly afterwards, create Active Directory domain objects for individual VMware ESXi hypervisors, thereby integrating them into the domain.

The same account was then used to create and add several other accounts to an Active Directory group called “ESX Admins”. IR teams believe this user group was created to exploit vulnerability CVE-2024-37085, an authentication bypass in VMware ESXi known to be used by several ransomware groups. Successful exploitation of this vulnerability grants members of a specific Active Directory group elevated privileges on an ESXi host, enabling control of virtual machines (VMs), modification of host server configuration, and access to system logs, diagnostic tools and performance monitoring.

IR teams observed that the threat actor exploited this vulnerability, which initially received limited attention from the cybersecurity community, within days of its release. This highlights the speed with which ransomware groups like BlackByte can adapt their TTPs to incorporate newly disclosed vulnerabilities, as well as the time and effort invested in identifying potential leads to advance an attack

The threat actor accessed other systems, directories and files within each victim environment using protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP). Analysis of system event logs and authentication logs revealed a consistent pattern where the threat actor primarily used NT LAN Manager (NTLM) for authentication, while the organization’s users primarily used Kerberos. This early NTLM-related activity could reflect authentication attacks such as “pass the hash” for lateral movement. Dynamic analysis of the ransomware binary then revealed consistent use of NTLM for authentication by this file as well

Talos IR also observed the execution of a file named atieclxx.exe from the C:\temp\sys\ directory on one of the file servers. The legitimate version of “atieclxx.exe” is normally found in the C:\Windows\System32 directory, where it supports system processes associated with AMD graphics cards. However, when investigating a BlackByte attack, “atieclxx.exe” was executed from the C:\temp\sys directory with the command atieclxx.exe P@$$w0rd123!!!. Given that BlackByte actors are known to favor the string P@$$w0rd when defining account passwords and as input parameters for custom tools, this syntax could indicate attempts to disguise malware – such as their custom data exfiltration tool, ExByte – into a known or legitimate file. IR teams were unable to obtain a copy of the file for analysis.

Finally, the threat actor was observed manipulating security tool configurations via system registry modifications, manually uninstalling EDR from several key systems, and, upon investigation, changing the root password of the organization’s ESXi hosts. Immediately prior to the first sign of file encryption, increased volumes of NTLM authentication attempts and SMB connections were observed between dozens of systems in the environment. This activity was subsequently understood to be characteristic of the ransomware’s self-propagation mechanism.

Data infiltration

The limitations of available telemetry, the effect of the ransomware’s encryption process and the adversary’s off-network staging location during the IR Teams investigation prevented a high-confidence assessment of data exfiltration methods and whether exfiltration had taken place. As mentioned in previous sections, the possible use of BlackByte’s customized data exfiltration tool, ExByte, was observed, but could not be confirmed.

Ransomware execution

Similarities with previous reports

In recent cases, the BlackByte ransomware binary, host.exe, was executed from the same directory – C:\Windows ” – on all victims investigated by teamsIR. The command syntax used by the adversary in each attack – C:\Windows\host.exe -s [chaîne numérique à 8 chiffres] svc– and the behavior of the ransomware binary are consistent with previous analyses of the BlackByteNT binary by Microsoft, DuskRise, Acronis and others. Similarities include :

  • The ransomware binary will not execute without the correct eight-digit numeric string passed to the “-s” parameter. This eight-digit numerical string was the only element of the command syntax that varied between victims. In one attack, the adversary used two different encryptors sequentially, each with its own “-s” parameter value. parameter value, although it’s not clear why multiple encryptors were used.
  • The “svc” parameter causes the ransomware to be installed as a serviceThis seemed to turn an infected system into an additional propagator in the ransomware’s worm-like propagation behavior. SMB and NTLM authentications were observed against hosts accessed after the creation of the ransomware service, resulting in several waves of encryption hours after the initial event.
  • The ransomware binary creates and runs mainly from the “C:\SystemData” directory. Several common files are created in this directory on all BlackByte victims, including a text file called “MsExchangeLog1.log”, which appears to be a process-tracking log where execution steps are recorded as comma-separated values “q”, “w” and “b”, as shown in the following screenshot.
Figure 1: Contents of MsExchangeLog1.log at runtime
Figure 1: Contents of MsExchangeLog1.log at runtime
  • After a successful execution, the ransomware binary executed the command :

/c ping 1.1.1[.]1 -n 10 > Nul & fsutil file setZeroData offset=0 length=503808 c:\windows\host.exe & Del c:\windows\host.exe /F /Q ‘which, after a delay, sets the contents of the file to zero and deletes itself. This general command structure has been observed in various BlackByte tools since 2022.

Innovative observations

IR teams have observed some differences in recent BlackByte attacks. In particular, the encrypted files on all victims have been rewritten with the blackbytent_h file extension, which has not yet appeared in public reports.

This latest version of the encryptor also drops four vulnerable drivers as part of BlackByte’s usual Bring Your Own Vulnerable Driver (BYOVD) technique .

All four drivers were dropped by the encryptor binary in all the BlackByte attacks examined by IR teams, each with a similar naming convention – eight random alphanumeric characters followed by an underscore and an iterative numeric value. Using AM35W2PH as a fictitious example, vulnerable drivers would appear in the same order as :

  • “AM35W2PH ” – RtCore64.sys, a driver originally used by MSI Afterburner, a system overclocking utility.
  • “AM35W2PH_1 ” – DBUtil_2_3.sys, a driver that is part of the Dell Client firmware update utility.
  • “AM35W2PH_2 ” – zamguard64.sys, a driver that is part of the Zemana Anti-Malware (ZAM) application.
  • “AM35W2PH_3 ” – gdrv.sys, a driver that is part of the GIGABYTE Tools software package for GIGABYTE motherboards.

The inclusion of the file zamguard64.sys, also known as Terminator, is particularly interesting due to recent reports from other security researchers on its prevalence, and also because the ransomware binary created two service-related registry keys associated with this file during runtime, then deleted them later in the execution process. Using the same fictitious string above, these registry keys would be :

  • HKLM\SYSTEM\CONTROLSET001\SERVICES\AM35W2PH_2
  • HKLM\SYSTEM\CONTROLSET001\SERVICES\AM35W2PH_2\SECURITY

During dynamic analysis of several BlackByte ransomware binaries, IR Teams discovered that the file attempted an enumeration of network shares via the function NetShareEnumAll pipe named SRVSVC using specific user accounts associated with the victim. Since this analysis was carried out in a controlled, sandboxed environment, these accounts could only have appeared in network traffic if they were embedded in the ransomware binary itself. This discovery gives IR teams great confidence that the per-victim customization of BlackByte’s ransomware encryptor includes the incorporation of certain forms of stolen credentials into the binary to support its worm-like propagation capability.

Figure 2: Victim identifiers observed during ransomware execution in an isolated sandbox environment
Figure 2: Victim identifiers observed during ransomware execution in an isolated sandbox environment

Other behaviors of interest observed

Other interesting behaviors observed during the dynamic analysis of this version of the ransomware binary include:

  • Communication with msdl.microsoft[.]com via IP address 204.79.197[.]219 at the start of the execution process. This site is associated with the Microsoft Public Symbol Server. BlackByte tools have long been observed downloading and saving debugging symbols directly from Microsoft.
  • Deactivation of anti-virus and anti-spyware protection via the HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDERregistry key and addition of the value “*.exe” to the HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER registry key .
  • Removal of system binaries from the “C:\Windows\System32″directory, including “taskmgr.exe”, “perfmon.exe”, “shutdown.exe” and “resmon.exe.

Overview of BYOD use and BlackByte victimology

Figure 3: Top 10 BYOVD exposures by business sector

BlackByte’s victimology is in line with this assessment, with over 32% of known victims coming from the industrial sector (manufacturing).

Figure 4: BlackByte victimology by sector of activity
Figure 4: BlackByte victimology by sector of activity

These figures are likely to be conservative, given the difference between the number of victims published on the BlackByte data leak site over the past six to nine months and the number identified via telemetry and disclosed in public reports. It is unclear why only a limited subset – estimated at between 20% and 30% – of BlackByte’s victims are ultimately published.

Implications for defenders

BlackByte’s progress in programming languages, from C# à Goand more recently to C/C++ in the latest version of its encryptor – BlackByteNT – reflects a deliberate effort to strengthen the resilience of malware against detection and analysis. Complex languages such as C/C++ enable the incorporation of advanced anti-analysis and anti-debugging techniques, observed in BlackByte’s tools during detailed analyses carried out by other security researchers.

The self-propagating nature of the BlackByte encryptor presents additional challenges for defenders. The use of the BYOVD (Bring Your Own Vulnerable Driver) technique accentuates these difficulties, as it can limit the effectiveness of security controls during containment and eradication efforts. However, given that this current version of the encryptor appears to rely on embedded credentials stolen from the victim’s environment, a company-wide reset of user credentials and Kerberos tickets would be highly effective for containment. A review of SMB traffic emanating from the encryptor at runtime will also reveal the specific accounts used to propagate the infection across the network.

From a broader perspective on how ransomware operates, the flexibility inherent in the RaaS (Ransomware-as-a-Service) model model enables threat actors to rapidly counter new defensive strategies developed by cybersecurity experts, by adapting and updating their tools. This creates a perpetual race between cybercriminals and defenders. As BlackByte and other ransomware groups continue to evolve, organizations will need to invest in adaptive and resilient security controls, as well as develop measures capable of keeping pace with a dynamic and diverse threat landscape.

Recommendations for defenders

  • Implement multi-factor authentication (MFA) for all remote access and cloud connections. Prioritize “verified push” as the MFA method over less secure options such as SMS or phone calls.
  • Auditing VPN configuration. Confirm that obsolete VPN policies are removed, and that authentication attempts that do not match a current VPN policy are rejected by default. Restrict VPN access only to necessary network segments and services, limiting exposure of critical assets such as domain controllers.
  • Set up alerts for any changes in privileged groups, such as the creation of new user groups or the addition of accounts to domain administrators. Ensure that administrative privileges are granted only when necessary, and regularly audited thereafter. A Privileged Access Management (PAM) solution can be used to streamline the control and monitoring of privileged accounts.
  • Limit or disable the use of NTLM where possible, and impose more secure authentication methods such as Kerberos instead. Limit the rate of authentication attempts and failures on publicly and internally exposed interfaces to prevent automated authentication scans.
  • Disable SMBv1 and enforce SMB signing and encryption to protect against lateral movement and malware propagation.
  • Deploy EDR clients clients on all systems in the environment. Set up an administrator password on EDR clients to prevent unauthorized manipulation or deletion of the client.
  • Disable supplier accounts and remote access capabilities when not in active use.
  • Create detections for unauthorized configuration changes that may be made on various systems in the environment, including changes to Windows Defender policies, unauthorized modifications to Group Policy Objects, and the creation of unusual scheduled tasks and installed services.
  • Develop and document corporate password reset procedures to ensure that all user credentials can be reset quickly and completely. Include procedures for renewing critical Kerberos tickets in this documentation.
  • Strengthen and patch ESX hosts hosts to reduce the attack surface of these critical servers as much as possible, and ensure that newly discovered vulnerabilities are patched as quickly as possible.

MITRE ATT&CK mapping of TTP News

BlackByte: MITRE ATT&CK mapping of TTP News

IOCs

NOTE: Some IOCs have been retained to avoid potential identification of victims.

RtCore64.sys – 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd
DBUtil_2_3.sys – 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
zamguard64.sys – 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91
gdrv.sys – 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427

Numeryx awarded Label France Cybersecurity 2024
We are pleased to announce that the jury for the Label France Cybersecurity has decided to award the LABEL FRANCE CYBERSECURITY 2024, to NUMERYX for the ASGUARD solution, our new-generation firewall. Lire l'article