Microsoft Studies BlackByte's Operations
Category: Ransomware News | Industry: Global | Source: Microsoft
The Microsoft Incident Response team has published insight into BlackByte 2.0's intrusions, based on its investigation of a five-day intrusion by the group that ended in deployment of the ransomware encryptor. The attack began with exploitation of the ProxyShell vulnerabilities, tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Following exploitation, the threat actors used web shells to execute remote commands and established persistence in the registry and with Cobalt Strike, dropping the file sys.exe. Activities following persistence included reconnaissance, credential access, lateral movement, and then data collection and exfiltration.
During reconnaissance, tools such as AdFind and NetScan were deployed for network enumeration. Microsoft suspects Mimikatz was used for credential theft, evidenced by the "presence of a related log file mimikatz.log." With credentials obtained, lateral movement is assessed to have followed over RDP and PowerShell. Microsoft Defender Antivirus was deployed at the affected organization on only one server, where it captured suspicious activity from a file named "explorer.exe." Microsoft's analysis revealed the file to be "ExByte," a data collection and exfiltration tool used by BlackByte operators. Microsoft notes the ExByte executable "was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address." Data of interest were exfiltrated to the MEGA cloud storage service, after which data encryption could commence.
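As an added illustration of how a defender might triage the artifacts named above (not code from the Microsoft report), the following checks constructed Sysmon-style events for an "explorer.exe" running outside its expected directory, the sys.exe file name, a mimikatz.log reference, and a connection to MEGA. The event fields, paths and MEGA domain list are assumptions for the sample; the report itself does not state where the masquerading binary was located.

```python
import ntpath

# Constructed sample process/network events (simplified Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "dest_host": ""},
    {"image": r"C:\Users\Public\explorer.exe", "cmdline": "explorer.exe -m", "dest_host": "mega.nz"},
    {"image": r"C:\Windows\Temp\sys.exe", "cmdline": "sys.exe", "dest_host": ""},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c type C:\Temp\mimikatz.log", "dest_host": ""},
]

# Legitimate location of system binaries whose names the report says were reused.
EXPECTED_DIRS = {"explorer.exe": r"c:\windows"}
# File name from the report; on its own it is a weak indicator, so it only adds a reason.
REPORT_FILENAMES = {"sys.exe"}
# Assumption: MEGA exfiltration shows up as traffic to one of these domains.
MEGA_DOMAINS = ("mega.nz", "mega.co.nz", "mega.io")


def classify_event(ev):
    """Return the list of reasons this event matches the tradecraft described in the report."""
    reasons = []
    name = ntpath.basename(ev["image"]).lower()
    directory = ntpath.dirname(ev["image"]).lower()
    # A system binary name launched from anywhere but its expected directory is masquerading.
    if name in EXPECTED_DIRS and directory != EXPECTED_DIRS[name]:
        reasons.append(f"{name} running outside {EXPECTED_DIRS[name]} (masquerading)")
    if name in REPORT_FILENAMES:
        reasons.append(f"{name} matches a file name from the report")
    if "mimikatz" in ev["cmdline"].lower():
        reasons.append("mimikatz artifact referenced on the command line")
    host = ev["dest_host"].lower()
    if host and any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS):
        reasons.append(f"network connection to MEGA storage ({host})")
    return reasons


def triage(events):
    """Return (image, reasons) pairs for every event that matched at least one check."""
    hits = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            hits.append((ev["image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```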