Login
Get a Demo
Become a Partner
SOCRadar® Cyber Intelligence Inc. | Exmatter Tool Provides a New Strategy for Extortion
Table Of Content
Home

Resources

Blog
Eyl 27, 2022
2 Mins Read

Exmatter Tool Provides a New Strategy for Extortion

Data exfiltration malware Exmatter, previously associated with the BlackMatter ransomware gang, now has data corruption capabilities. This could signify a new strategy ransomware affiliates may use in the future.

Although BlackMatter affiliates have been using Exmatter since at least October 2021, this is the first time the malicious tool has been detected with a harmful module.

How Do Attackers Utilize Exmatter? 

When the files are successfully copied to the actor-controlled server in the extortion phase, they are queued to be processed by an Eraser class. 

To corrupt the first file, a randomly sized section at the beginning of the second file is read into a buffer and then written at the start of the first file.

Data corruption technique of Exmatter
Data corruption technique of Exmatter (Source: Stairwell) 

This method could be part of an attempt to avoid ransomware or wiper heuristic-based detection, which may be triggered when using randomly generated data. 

The Tool is Still Under Development 

Researchers found that Exmatter’s data destruction capabilities are probably still in development. 

Due to the lack of a mechanism for clearing the corruption queue, some files may be repeatedly overwritten before the program ends, while others may never have been chosen. 

The Erase function, which creates instances of the Eraser class, does not appear to be fully implemented and improperly decompiles. 

The section length of the second file, which is used to replace the first file, is randomly chosen and might be as little as one byte long. 

Ransomware Landscape Could Change

Most ransomware operations are run as RaaS (ransomware-as-a-service), and affiliates are required to give the developer of the encryption tool a specific percentage of their profit. This strategy establishes the independence of ransomware affiliates from developers because it does not require encryptors and allows affiliates to keep the developer’s share of profit. Additionally, it prevents losing revenue due to flaws that let victims utilize free decryptors

Researchers believe this new data corruption feature is a significant improvement over previous ransomware attacks, and it is anticipated that many threat actors will switch to this strategy.

Related Articles
SOCRadar® Cyber Intelligence Inc. | Major Cyber Attacks in Review: March 2024
Major Cyber Attacks in Review: March 2024
Nis 16, 2024
SOCRadar® Cyber Intelligence Inc. | Cyber Reflections of Iran's Attack on Israel
Cyber Reflections of Iran's Attack on Israel
Nis 15, 2024
SOCRadar® Cyber Intelligence Inc. | Critical PHP Vulnerabilities: Update Now to Prevent Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757)
Critical PHP Vulnerabilities: Update Now to Prevent Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757)
Nis 15, 2024
SOCRadar® Cyber Intelligence Inc. | Critical OS Command Injection Vulnerability in Palo Alto's GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.
Critical OS Command Injection Vulnerability in Palo Alto's GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.
Nis 12, 2024
SOCRadar® Cyber Intelligence Inc. | Microsoft’s April 2024 Patch Tuesday, 149 Vulnerabilities Patched, Including 2 Zero-Day Vulnerabilities
Microsoft’s April 2024 Patch Tuesday, 149 Vulnerabilities Patched, Including 2 Zero-Day Vulnerabilities
Nis 10, 2024