Wednesday, November 29, 2023

BlackByte 2.0 Ransomware Employs Wide Range of Tools in 5 Days

The rapid rise and sophistication of ransomware enable threat actors to launch attacks more frequently and disrupt businesses and organizations that are lacking adequate preparation.

The researchers at Microsoft Incident Response recently investigated an intrusion in which it’s been the threat actor’s rapid attack progression, caused major disruptions for the victim organization in just five days.

To accomplish their goals, a wide range of tools and techniques were used by the threat actor during those five days to deploy BlackByte 2.0 ransomware.

TTPs Used

Here below we have mentioned all the TTPs used by the threat actor:-

  • Taking advantage of unsecured Microsoft Exchange Servers that are accessible online.
  • Enabling remote access by deploying a web shell.
  • Using existing tools to persist and gather information covertly.
  • For command and control (C2), setting up Cobalt Strike beacons.
  • Combining process hollowing with the utilization of vulnerable drivers to evade defensive mechanisms.
  • To enable long-term persistence, deployment of the backdoors that are custom-developed.
  • Deploying custom-developed tools to collect and exfiltrate data.

Attack chain

Exploiting the following ProxyShell vulnerabilities, the threat actor gained initial access to the victim’s environment through Microsoft Exchange Servers that are unpatched:-

BlackByte attack chain (Source – Microsoft)

By exploiting these vulnerabilities, the threat actor achieved the following abilities:-

  • Gain administrative access to the compromised Exchange host.
  • Retrieve user LegacyDN and SID data through Autodiscover requests.
  • To access the Exchange PowerShell backend, build a valid authentication token.
  • Using the New-MailboxExportRequest cmdlet to create a web shell and mimic domain admin users.

Upon device access, the threat actor established registry run keys to execute payloads upon user login each time. Here below we have mentioned those registry run keys:-

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  

Here, to achieve persistence the threat actor used Cobalt Strike, and the Microsoft Defender Antivirus flagged sys.exe as Trojan:Win64/CobaltStrike!MSR, downloaded from temp[.]sh (hxxps://temp[.]sh/szAyn/sys.exe) which was detected as Cobalt Strike Beacon.

Threat actors use legit remote access tools to blend in, and in this instance, for persistence and lateral movement, AnyDesk was utilized. 

This tool was installed as a service that ran from the following paths:-

  • C:\systemtest\anydesk\AnyDesk.exe
  • C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  • C:\Scripts\AnyDesk.exe

AnyDesk log file ad_svc.trace revealed successful connections with anonymizer service IP addresses associated with:-

  • TOR

It’s been used by threat actors commonly to hide their source IP ranges. Moreover, security analysts detected the utilization of NetScan, a network discovery tool, by the threat actor to conduct network enumeration.

Using the following command the attacker disabled Microsoft Defender Antivirus, allowing them to execute Trojan:Win64/WinGoObfusc.LK!MT file:-

  • explorer.exe P@$$w0rd

Analysts found that explorer.exe is ExByte, a GoLang-based tool used in BlackByte ransomware attacks to collect and steal files from victim networks after reverse engineering it.

Capabilities of BlackByte 2.0 ransomware 

Here below, we have mentioned the capabilities of BlackByte 2.0 ransomware:-

  • Antivirus bypass
  • Process hollowing
  • Modification/disabling of Windows Firewall
  • Modification of volume shadow copies
  • Modification of registry keys/values
  • Additional functionality


Here below, we have mentioned all the recommendations offered by the security researchers at Microsoft Incident Response:-

  • Prioritize patching for internet-exposed devices and establish a robust patch management process.
  • Deploy Microsoft Defender for Endpoint, an EDR solution, for real-time visibility into malicious activity across your network.
  • Enable cloud-based protection and configure your antivirus solution to block threats by ensuring regular updates for antivirus protection.
  • To safeguard against the disabling of Microsoft Defender Antivirus components, make sure to activate tamper protection.
  • Make sure to block all the traffic from the IPs that are listed in the IoC.
  • Make sure to block access from unauthorized public VPN services and incoming traffic from TOR exit nodes.
  • Limit administrative privileges to prevent authorized alterations to the system.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.


Latest articles

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...

Iranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

An Android malware campaign was previously discovered that distributed banking trojans targeting four major...

BLUFFS: Six New Attacks that Break Secrecy of Bluetooth Sessions

Six novel Bluetooth attack methods have been discovered, which were named BLUFFS (Bluetooth Forward...

Google Workspace’s Design Flaw Allows Attacker Unauthorized Access

Recent years saw a surge in cloud tech adoption, highlighting the efficiency through tools...

Serial ‘SIM Swapper’ Sentenced to Eight Years in Prison

In a digital age marred by deceit, 25-year-old Amir Hossein Golshan stands as a...

Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable to Takeover – Hunters

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 - A severe design flaw...

Hackers Behind High-Profile Ransomware Attacks on 71 Countries Arrested

Hackers launched ransomware attacks to extort money from the following two entities by encrypting...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles