In order to remain undetected and widen its scope, the BlackCat ransomware team has been observed perfecting its malware arsenal.

Researchers from Symantec noted in a recent report that two noteworthy advancements have been the usage of a new version of the Exmatter data exfiltration tool and Eamfo. It is a information-stealing malware that is made to steal credentials held by Veeam backup software.

BlackCat, also known as ALPHV and Noberus, is linked to a threat known as Coreid (also known as FIN7, Carbanak, or Carbon Spider). Thought to be the rebranded version of DarkSide and BlackMatter. Both of which were shut down last year after a string of high-profile attacks, including one on Colonial Pipeline.

The threat actor is well-known for operating a ransomware-as-a-service (RaaS) operation. In which its core developers solicit the assistance of affiliates to carry out the attacks in exchange for a share of the illegal earnings.

One of the first ransomware strains to be written in Rust was ALPHV, and other families like Hive and Luna. They subsequently followed suit to create and disseminate cross-platform malware.

More than three months after the cybercrime gang was found using unpatched Microsoft Exchange servers as a conduit to distribute ransomware. The group’s tactics, techniques, and procedures (TTPs) have evolved.

Later modifications to the virus’s toolkit added new encryption capabilities that let the malware reboot compromised Windows devices in safe mode to get around security measures.

The Update

The gang “added indexing of stolen data in a July 2022 update, meaning its data leaks websites may be searched by keyword, file type, and more,” according to the researchers.

Exmatter, a data exfiltration tool utilized by BlackCat in its ransomware assaults, has undergone the most recent improvements. The updated version generates a report on all processed files and does more than just collect files with a limited set of extensions. It even corrupts the files.

An information-stealing malware named Eamfo, which is also used in the attack is used to aid privilege escalation. And lateral movement by stealing credentials saved in the Veeam backup programme.

The results are just another proof that ransomware gangs are skilled. They continuously modify and streamline their operations to maintain maximum effectiveness.

The group’s emphasis on data theft and extortion. As well as the significance of this component of assaults for ransomware perpetrators right now. These are highlighted by the group’s ongoing evolution, according to the researchers.

Additionally, BlackCat has lately been seen exploiting the Emotet malware as an initial infection vector. Additionally, there are new members from the now-defunct Conti ransomware organization due to the group’s removal from the threat scene.