One Article Review

Source Fortinet ThreatSignal
Identifier 7190746
Publication date 2022-09-28 18:22:41 (viewed: 2022-09-29 02:07:19)
Title BlackCat Uses Updated Infostealer Tools with File Corruption Capability
Text

FortiGuard Labs is aware of a report that the infamous BlackCat ransomware group has updated its infostealer tools, dubbed Exmatter and Eamfo. The former is a data exfiltration tool whose newer version contains code for file corruption; the latter is a credential stealer for Veeam, a backup software product.

Why is this Significant?

This is significant because BlackCat is one of the active Ransomware-as-a-Service (RaaS) providers, and its newly updated data exfiltration tool "Exmatter" is now capable of making the files it processes unusable.

What is BlackCat?

BlackCat (also known as ALPHV and Noberus) is a relatively new Ransomware-as-a-Service (RaaS) operation and a ransomware variant of the same name. As a RaaS provider, it develops and offers various tools, including ransomware, and recruits affiliates for corporate intrusions, encrypting files on the victim's network and stealing confidential files from it for financial gain. BlackCat ransomware is written in the Rust programming language.

FortiGuard Labs previously released a Threat Signal on BlackCat; see the Appendix for a link to "Meet Blackcat: New Ransomware Written in Rust on the Block".

What is Exmatter?

According to security vendor Symantec, Exmatter is a data exfiltration tool that was previously used by a BlackMatter ransomware affiliate. The tool is designed to steal various Microsoft Office files (Word, Excel and PowerPoint) as well as image, email and archive files. It supports FTP, SFTP and WebDAV for transferring the exfiltrated information. The newer version has code to corrupt files.

What is Eamfo?

Eamfo is a tool to steal credentials from Veeam backup software.

What is the Status of Protection?

FortiGuard Labs detects the reported Exmatter and Eamfo tools with the following AV signatures:

MSIL/Agent.DRB!tr
MSIL/Agent.DRB!tr.spy
MSIL/Agent.7AAD!tr
W32/Crypt!tr
W32/PossibleThreat
PossibleThreat
PossibleThreat.PALLAS.H

FortiGuard Labs has the following AV protection in place for known BlackCat ransomware:

W32/Filecoder_BlackCat.A!tr.ransom
W32/Ransom_Win32_BLACKCAT.YNCHH!tr.ransom
W32/Ransom_Win32_BLACKCAT.YXCDU!tr.ransom
W32/BlackCat.26B0!tr
Sent Yes
Tags Ransomware Tool Threat


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.