Security researchers have identified a new data exfiltration tool designed to help ransomware groups using the BlackMatter variant steal information faster. The custom tool is the third of its kind discovered, according to the Symantec Threat Hunter team, following the Ryuk Stealer tool and the LockBit-linked StealBit. It is called "Exmatter," and it is meant to steal specific file types from specific directories before uploading them to a site controlled by BlackMatter attackers.
This method of narrowing the data sources down to only those considered most profitable or business-critical is intended to speed up the entire exfiltration process, presumably so that threat actors can finish their attack stages before being interrupted.
Exmatter is obfuscated and compiled as a .NET executable. When run, it looks for the strings "nownd" and "-nownd" in its command-line arguments. If either is detected, it calls the "ShowWindow" API, as in ShowWindow(Process.GetCurrentProcess().MainWindowHandle, 0), to conceal its own window. It also excludes files with attributes such as FileAttributes.System, FileAttributes.Temporary, and FileAttributes.Directory, as well as files smaller than 1,024 bytes.
Multiple versions of Exmatter have been discovered, implying that the attackers have continued to refine the tool in order to exfiltrate a large amount of high-value data in as little time as possible.
In a second variant, the directory "C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Configuration" on the exclusion list has been replaced with "C:\Program Files\Windows Defender Advanced Threat Protection". The file types ".xlsm" and ".zip" have been added to the list of acceptable files. A WebDAV client was added in a third version of the tool. According to the code structure, SFTP is still the preferred protocol, with WebDAV serving as a backup.
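The two behaviours described above (the "nownd"/"-nownd" window-hiding switch and the preference for SFTP as the upload channel) can be turned into simple hunting logic over process-creation and network-connection telemetry. The following is an added example written for this page, not Symantec's or the malware's code; the events are constructed with Sysmon-style field names (EventID, Image, CommandLine, DestinationPort), and KNOWN_SFTP_CLIENTS is an assumed allow-list for the environment.

```python
import re
from collections import defaultdict

# Added illustrative hunting logic (not Symantec's or the malware's code).
# Indicators from the article: the "nownd"/"-nownd" switch used to hide the
# tool's window, and SFTP (tcp/22) as its preferred upload channel.
NOWND_RE = re.compile(r"(?:^|\s)-?nownd(?:\s|$)", re.IGNORECASE)
SFTP_PORT = 22
# Assumption: images that legitimately speak SSH/SFTP in this environment.
KNOWN_SFTP_CLIENTS = {"ssh.exe", "winscp.exe", "filezilla.exe", "sftp.exe"}

def image_name(event):
    """Basename of the Sysmon Image field, lower-cased, e.g. 'svc.exe'."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()

def check_event(event):
    """Return a reason string if the event matches one indicator, else None."""
    if event.get("EventID") == 1:  # process creation
        if NOWND_RE.search(event.get("CommandLine", "")):
            return "window-hiding 'nownd' switch on command line"
    elif event.get("EventID") == 3:  # network connection
        if (event.get("DestinationPort") == SFTP_PORT
                and image_name(event) not in KNOWN_SFTP_CLIENTS):
            return "SFTP (tcp/22) connection from non-SFTP-client image"
    return None

def hunt(events):
    """Group indicator hits by image. An image carrying both indicators is
    the high-confidence case: hidden window, then an SFTP upload."""
    hits = defaultdict(list)
    for ev in events:
        reason = check_event(ev)
        if reason:
            hits[image_name(ev)].append(reason)
    return dict(hits)

# Constructed sample events (made-up values in Sysmon field names).
TMP = r"C:\Users\a\AppData\Local\Temp\svc.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": TMP, "CommandLine": TMP + " -nownd"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "Image": TMP, "DestinationPort": 22},
    {"EventID": 3, "Image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "DestinationPort": 22},
]
```

Only the unsigned executable in the user's Temp directory trips both indicators; the legitimate WinSCP connection on port 22 is suppressed by the allow-list.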
BlackMatter is tied to the Coreid cybercriminal organization, which was previously responsible for the Darkside malware. It has been one of the most active targeted ransomware operators in recent months, and its tools have been used in a number of high-profile attacks, including the May 2021 Darkside attack on Colonial Pipeline, which disrupted petroleum supply to the US East Coast. Coreid uses a RaaS approach, collaborating with affiliates to carry out ransomware operations and then taking a cut of the profits.
“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand,” Symantec concluded. “Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core focus of the group.”