Crooks spreading the Noberus ransomware are adding weapons to their malware to steal data and credentials from compromised networks.
An extensively updated version of the Exmatter data exfiltration tool was seen last month being used with Noberus in ransomware infections, and at least one affiliate using Noberus was detected using Eamfo, the info-stealing malware that connects to the SQL database where a victim’s Veeam backup software installation stores credentials, according to researchers in Symantec’s Threat Hunting Team.
The adoption of the tactics, tools, and procedures (TTPs) by Coreid – the ransomware-as-a-service (RaaS) group thought to be behind Noberus – and its affiliates makes “the threat more dangerous than ever” and the gang’s “continuous development of its ransomware and its affiliate programs indicates that this sophisticated and well-resourced attacker has little intention of going anywhere anytime soon,” the researchers wrote in a report on Thursday.
Coreid – which the Symantec researchers called “one of the most dangerous and active ransomware developers operating at the moment” – is no stranger to security folk, having been around since 2012. The constantly evolving crew became known for using the Carbanak malware to steal money, particularly in the banking, hospitality, and retail industries.
Three members of the gang were collared in 2018, and two years later Coreid switched lanes and launched a RaaS operation that included the notorious Darkside (used in the Colonial Pipeline attack) and later BlackMatter ransomware strains.
Noberus – also known as BlackCat and ALPHV – is the successor to those malware families. Coreid has continuously updated Noberus since it first emerged in November 2021, shortly after BlackMatter was retired in a suspected move by the ransomware gang to stay ahead of law enforcement.
Cisco’s Talos threat intelligence unit in March did a deep dive into BlackCat and its connections to Darkside and BlackMatter.
In Rust they trust
Noberus is written in Rust, an increasingly popular programming language for developers of legit software and malware partly because of its cross-platform nature. The extortionware can encrypt files on a range of operating systems and environments, including Windows, VMware ESXi, Debian Linux, and ReadyNAS and Synology storage, Coreid has claimed.
“The continuous updating and refining of Noberus’ operations shows that Coreid is constantly adapting its ransomware operation to ensure it remains as effective as possible,” the Symantec researchers wrote, noting that an FBI warning in April said that at least 60 organizations around the world have been compromised by Noberus and that “the number of victims now is likely to be many multiples of that.”
A major update to the code came in June, which included encryption capabilities on Arm systems, and SAFEMODE, which added more encryption functionality to its Windows build.
The Symantec researchers say it’s unclear whether Coreid or one of the RaaS affiliates created Exmatter itself, “but its use alongside two different iterations of Coreid’s ransomware [BlackMatter and Noberus] is notable. Its continuous development also underlines the focus of the group on data theft and extortion, and the importance of this element of attacks to ransomware actors now.”
Exmatter was first seen in November 2021 being used with BlackMatter. However, the data exfiltration tool has been heavily updated since, with the latest version – seen being used with the Noberus attacks – reducing the number of file types it tries to steal and adding a range of new features. It also was extensively rewritten and existing features were implemented differently, possibly to avoid detection, the Symantec bods wrote.
The Eamfo info-stealer has been around since at least August 2021 and may have been used by attackers alongside the Yanluowang and LockBit ransomware families, as well as a new ransomware variant called Monti, which the researchers wrote could be based on the leaked Conti source code and is developed by the threat group Miner.
Eamfo connects to a victim’s Veeam software’s SQL database and steals the credentials through a SQL query. Attackers have been known to exploit Veeam products, giving them privilege-escalation capabilities and enabling them to move laterally through victims’ networks to attack more systems and steal more information.
The Noberus attacks that include Eamfo also use GMER, an old rootkit scanner used by ransomware groups to kill processes in compromised systems. These groups’ use of GMER is becoming more frequent and was seen in a Monti attack earlier this month. ®