BlackMatter

Chris Swagler | November 3rd, 2021


A team of security researchers discovered a new data exfiltration tool developed by the BlackMatter ransomware group and designed to accelerate data theft. According to a threat hunter team, this is the third custom data exfiltration tool discovered, after the Ryuk Stealer tool and the LockBit-linked StealBit. The tool, dubbed “Exmatter”, appears to have been built to steal specific file types from selected directories and upload them to a BlackMatter attacker-controlled server before the ransomware is deployed on the victim’s network.

BlackMatter New Tool

Narrowing the data sources to only those identified as the most profitable or business-critical is intended to speed up the whole exfiltration process, allowing the threat actors to complete the theft before being interrupted. Once the names of all logical drives on the victim’s computer have been retrieved and all file pathnames collected, Exmatter ignores anything under specific directories such as “C:\Documents and Settings”. The tool exfiltrates certain file types, including PDFs, Word documents, spreadsheets, and PowerPoint files, and uses each file’s LastWriteTime to prioritize files for exfiltration.

Exmatter overwrites and deletes any evidence of itself from the victim’s computer once the exfiltration process is completed. The threat hunter team discovered various versions of the data exfiltration tool, which would indicate that the developer was attempting to fine-tune its functionality to accelerate the data theft process as much as possible.
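The behaviour described above (one process reading many document-type files across several logical drives in a short window, then removing its own executable) is something a defender can look for in file-access telemetry. The following is an added detection example written for this article; it is not code from the SpearTip post, the threat hunter team, or the Exmatter tool. The event format, the sample records, the process names and paths, and the thresholds are all constructed assumptions, so they need tuning against real EDR or Sysmon data before use.

```python
"""
Added example, not from the original article or the Exmatter tool: a small
heuristic that scores constructed file-access telemetry for the pattern the
post describes. All records, names, paths and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# File types the article says Exmatter targets (PDF, Word, spreadsheets, PowerPoint).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

# Constructed telemetry: (timestamp, pid, process image, action, target path).
# These are invented records for the example, not real captured data.
SAMPLE_EVENTS = [
    ("2021-11-03T10:00:00", 4242, r"C:\Users\Public\svc.exe", "read", r"C:\Finance\q3.xlsx"),
    ("2021-11-03T10:00:01", 4242, r"C:\Users\Public\svc.exe", "read", r"C:\Finance\board.pptx"),
    ("2021-11-03T10:00:02", 4242, r"C:\Users\Public\svc.exe", "read", r"D:\Shares\contracts\msa.pdf"),
    ("2021-11-03T10:00:03", 4242, r"C:\Users\Public\svc.exe", "read", r"D:\Shares\hr\salaries.docx"),
    ("2021-11-03T10:00:04", 4242, r"C:\Users\Public\svc.exe", "read", r"E:\Backup\plan.docx"),
    ("2021-11-03T10:00:09", 4242, r"C:\Users\Public\svc.exe", "delete", r"C:\Users\Public\svc.exe"),
    ("2021-11-03T10:05:00", 1300, r"C:\Program Files\Office\WINWORD.EXE", "read", r"C:\Users\amy\letter.docx"),
    ("2021-11-03T10:05:30", 1300, r"C:\Program Files\Office\WINWORD.EXE", "read", r"C:\Users\amy\memo.docx"),
]


def parse_event(raw):
    """Turn one constructed telemetry tuple into a dict with a parsed timestamp."""
    ts, pid, image, action, path = raw
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "image": image,
            "action": action, "path": path}


def drive_of(path):
    """Return the logical drive (e.g. 'C:') of a Windows path, upper-cased."""
    return PureWindowsPath(path).drive.upper()


def is_document(path):
    """True if the file extension is one of the document types of interest."""
    return PureWindowsPath(path).suffix.lower() in DOC_EXTENSIONS


def score_processes(events, window=timedelta(seconds=60), min_files=4, min_drives=2):
    """Group events by process and return {(pid, image): [reasons]} for suspicious ones.

    A process is flagged when, inside any `window`, it reads at least `min_files`
    document-type files spanning at least `min_drives` distinct logical drives,
    and/or when it deletes its own image file (the self-cleanup the article notes).
    """
    by_proc = defaultdict(list)
    for ev in map(parse_event, events):
        by_proc[(ev["pid"], ev["image"])].append(ev)

    findings = {}
    for (pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        reads = [e for e in evs if e["action"] == "read" and is_document(e["path"])]

        # Sliding window over document reads: keep the densest window seen.
        best_files, best_drives = 0, 0
        for i, start in enumerate(reads):
            in_win = [e for e in reads[i:] if e["ts"] - start["ts"] <= window]
            if len(in_win) > best_files:
                best_files = len(in_win)
                best_drives = len({drive_of(e["path"]) for e in in_win})

        self_delete = any(e["action"] == "delete" and e["path"].lower() == image.lower()
                          for e in evs)

        reasons = []
        if best_files >= min_files and best_drives >= min_drives:
            reasons.append(f"{best_files} document reads across {best_drives} drives "
                           f"within {int(window.total_seconds())}s")
        if self_delete:
            reasons.append("process deleted its own image file")
        if reasons:
            findings[(pid, image)] = reasons
    return findings


if __name__ == "__main__":
    for (pid, image), reasons in score_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({image}):")
        for r in reasons:
            print(f"  - {r}")
```

On the constructed records the unknown `svc.exe` process is flagged for both reasons, while the Word process that opens two documents on one drive is not. The two signals are deliberately kept independent: a process that only scans drives for documents, or only deletes its own image, is still reported, and either alone is worth an analyst's look when it comes from an unexpected binary.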

According to security researchers, BlackMatter is connected to the cybercrime group “Coreid”, which may also have been responsible for creating the Darkside variant that shut down the Colonial Pipeline. The threat hunter team explains that many of the ransomware attacks connected to Coreid steal the victim’s data and then threaten to publish it unless the ransom demand is paid.

In mid-October, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) issued an alert regarding BlackMatter after it began targeting critical infrastructure companies. Whether Exmatter was created by Coreid itself or by one of its affiliates remains undetermined. However, the development of this tool suggests the group’s main areas of focus are data theft and extortion, a further indication of why it’s crucial for companies to stay current with the latest threat landscape.

At SpearTip, our ShadowSpear platform is an unparalleled resource preventing cyber-attacks from impacting your company. With ShadowSpear’s Identify, companies can integrate their current security toolsets and gain 24/7/365 monitoring and detection. Identify provides enhanced visibility across your entire security network and correlates logs from various platforms, devices, and systems with data collected by the ShadowSpear platform. With continuous threat hunting, SpearTip’s SOCs search for emerging indicators of compromise and identify critical vulnerabilities before they can be leveraged by advanced attackers.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
