A team of security researchers discovered a new data exfiltration tool designed by the BlackMatter ransomware group with capabilities that accelerate data theft. According to a threat hunter team, this is the third custom data exfiltration tool discovered, after the Ryuk Stealer tool and the LockBit-linked StealBit. This tool, called “Exmatter”, appears to have been developed to steal specific file types from selected directories and upload them to a BlackMatter attacker-controlled server before the ransomware is deployed on the victim’s network.
Narrowing the data sources down to only those identified as the most profitable or business-critical is designed to speed up the whole exfiltration process, allowing threat actors to complete their breach before being interrupted. Once the names of all logical drives are retrieved from the victim’s computer and all file pathnames are collected, Exmatter ignores anything under specific directories such as “C:\Documents and Settings.” The tool exfiltrates certain file types, including PDFs, Word documents, spreadsheets, and PowerPoint files, and uses the LastWriteTime attribute to prioritize the most recently modified files for exfiltration.
Exmatter overwrites and deletes any evidence of itself from the victim’s computer once the exfiltration process is completed. The threat hunter team discovered various versions of the data exfiltration tool, which would indicate that the developer was attempting to fine-tune its functionality to accelerate the data theft process as much as possible.
According to security researchers, BlackMatter is connected to the cybercrime group “Coreid”, which could have been responsible for creating the Darkside variant that shut down the Colonial Pipeline. The threat hunter team explains that many of the ransomware attacks connected to Coreid involved stealing the victim’s data and then threatening to publish it unless the ransom demands were paid.
In mid-October, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) issued an alert regarding BlackMatter after it began targeting critical infrastructure companies. Whether Exmatter was created by Coreid itself or by one of its affiliates remains undetermined. However, the development of this tool suggests the group’s main areas of focus are data theft and extortion, a further indication of why it’s crucial for companies to stay current with the latest threat landscape.
At SpearTip, our ShadowSpear platform is an unparalleled resource preventing cyber-attacks from impacting your company. With ShadowSpear’s Identify, companies can integrate their current security toolsets and gain 24/7/365 monitoring and detection. Identify provides enhanced visibility across your entire security network and correlates logs from various platforms, devices, and systems with data collected by the ShadowSpear platform. With continuous threat hunting, SpearTip’s SOCs search for emerging indicators of compromise and identify critical vulnerabilities before they can be leveraged by advanced attackers.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
©2024 SpearTip, LLC. All rights reserved.