BlackCat’s Exmatter stealer tool is more elusive than its other kits

September 30, 2022

The BlackCat ransomware group has adopted a new kit called the Exmatter stealer tool, which gives the group a new version of its data exfiltration feature for double-extortion campaigns. Based on reports, the newly upgraded tool has been around since BlackCat was discovered in November last year.

According to researchers, the primary objective of the BlackCat ransomware gang appears to be data exfiltration attacks. There is a growing trend of data exfiltration attacks being utilised for double extortion tactics.

 

The Exmatter stealer tool has been upgraded with different functionalities for a more sophisticated attack.

 

The latest update for the Exmatter stealer tool came a couple of months ago. The update featured numerous changes in its functionality, such as the exfiltration of data from a wide array of file types from WebDav and FTP to SFTP.

The newly updated infostealer also offers several options to create a report listing for all processed archives.

In addition, the ransomware developers included an Eraser feature to corrupt processed files and a ‘Self-destruct’ configuration option that makes the tool stop and remove itself if it runs in an invalid environment.

The BlackCat ransomware group’s information stealing capabilities have been improved by launching a new malware called Eamfo. The ransomware actors utilise this malware to target data and credentials stored in Veeam backups.

The malware connects to the Veeam SQL database and steals backup information with an SQL query. Once the threat actors have extracted the targeted credentials, the Eamfo malware will decrypt and display them to an attacker-controlled server.
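
A defender-side check for the Eamfo behaviour described above, as an added example that is not from the original article: it scans SQL audit records for access to the Veeam database by any host/program pair outside an expected set. The record layout, database name and allowlist are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Assumptions (not from the article): the audit field names, the database
# name and the allowlisted host/program pairs are hypothetical.
VEEAM_DB = "VeeamBackup"
EXPECTED_CLIENTS = {
    ("bkp-srv01", "Veeam Backup Service"),
    ("bkp-srv01", "Veeam Backup Console"),
}

# Constructed sample audit records, one JSON object per line.
SAMPLE_AUDIT = """\
{"ts": "2022-09-30T02:10:04Z", "host": "bkp-srv01", "program": "Veeam Backup Service", "login": "svc_veeam", "db": "VeeamBackup", "action": "SELECT"}
{"ts": "2022-09-30T02:14:31Z", "host": "bkp-srv01", "program": ".Net SqlClient Data Provider", "login": "svc_veeam", "db": "VeeamBackup", "action": "SELECT"}
{"ts": "2022-09-30T02:14:33Z", "host": "ws-fin-22", "program": "sqlcmd", "login": "jdoe", "db": "veeambackup", "action": "SELECT"}
{"ts": "2022-09-30T02:15:00Z", "host": "app-07", "program": "ERP", "login": "erp", "db": "ERP", "action": "SELECT"}
not-json garbage line
"""


def unexpected_veeam_db_access(lines):
    """Return {(host, program): [timestamps]} for access to the Veeam
    database by clients outside the allowlist; malformed lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        # Compare case-insensitively so "veeambackup" is not missed.
        if str(rec.get("db", "")).lower() != VEEAM_DB.lower():
            continue
        # Keying on (host, program) also catches an unexpected program that
        # runs on the backup server itself under the service login.
        client = (rec.get("host"), rec.get("program"))
        if client not in EXPECTED_CLIENTS:
            hits[client].append(rec.get("ts"))
    return dict(hits)


if __name__ == "__main__":
    found = unexpected_veeam_db_access(SAMPLE_AUDIT.splitlines())
    for (host, program), seen in found.items():
        print(f"ALERT host={host} program={program!r} events={len(seen)} first={seen[0]}")
```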

The latest version of the Exmatter tool has also undergone heavy code refactoring and expands its capabilities, making its current features stealthier so that they evade security solutions and detection.

The BlackCat ransomware has been on a rampage these past several months and shows no signs of slowing down. The group has constantly evolved, changing its features and tactics for every attack.

Therefore, organisations should secure their access points and give their employees proper training against intrusion methods of malicious actors. Businesses and other firms should invest more in cybersecurity solutions for better protection against such attacks.
