Sunday, April 6, 2025

BlackByte Hackers Exploiting VMware ESXi Auth Bypass Vulnerability


BlackByte, a Ransomware-as-a-Service (RaaS) group that surfaced around mid-2021, appears to show traces of having evolved from Conti.

Its tradecraft is sophisticated: it bypasses security measures by abusing vulnerable kernel-level drivers, deploys self-propagating ransomware with worm features, and leverages living-off-the-land binaries.

The group has also kept advancing its tooling, shifting from one programming language to another: Go, .NET, and C++.


Cybersecurity analysts at Cisco Talos discovered that BlackByte hackers have been exploiting a VMware ESXi authentication bypass vulnerability.

Technical Analysis

More recent attacks use VPN credentials, obtained through brute forcing, for initial access and gain elevated privileges through CVE-2024-37085 in VMware ESXi.

BlackByte abuses NTLM for lateral movement inside the network using pass-the-hash methods, disguises ransomware (ExByte) as harmless-looking files such as “atieclxx.exe”, and launches the ransomware binary (“host.exe”) with command-line switches (-s [8-digit string] svc).

The ransomware is deployed as a service and, in this case, spreads via SMB. Many of its actions are executed from C:\SystemData, and new files such as ‘MsExchangeLog1.log’ record execution progress.

MsExchangeLog1.log contents mid-execution (Source – Cisco Talos)

BlackByte is also reported to manipulate Active Directory, add administrative groups called ‘ESX Admins’, and modify security applications through registry keys.

The group’s data exfiltration may rely on its custom tool ExByte; however, the details remain undetermined because of off-network staging and the collateral damage caused by encryption.

Judging only by the victims that are publicly known, the group seems to have limited activity and would give little reason for concern.

However, Cisco Talos’ globally collected telemetry has recently shown that BlackByte’s activity is not as limited as it appears.

The BlackByte ransomware has changed its file extension to .blackbytent_h and uses the Bring Your Own Vulnerable Driver (BYOVD) technique with the following four vulnerable drivers:

  • RtCore64.sys
  • DBUtil_2_3.sys
  • zamguard64.sys
  • gdrv.sys

In its current form, the ransomware self-encrypts and issues a self-destruction command (/c ping 1.1.1[.]1 -n 10 > Nul & fsutil file setZeroData offset=0 length=503808 c:\windows\host.exe & Del c:\windows\host.exe /F /Q). It spreads through the compromised network using dumped credentials and the NetShareEnumAll function over the ‘SRVSVC’ named pipe, and it bypasses Windows Defender scanning by altering registry settings (HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER).

The malware deletes system binaries (taskmgr.exe, perfmon.exe, shutdown.exe, resmon.exe) and communicates with msdl.microsoft[.]com (204.79.197[.]219) for debugging symbols. It targets various industries, with manufacturing the most affected (32% of victims).
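The host indicators described above (the -s [8-digit string] svc switches, the self-deletion command chain, the four driver file names and the C:\SystemData directory) can be turned into a triage pass over endpoint telemetry. This is an added example, not code from Cisco Talos or from this article; the event field names, the assumption that the 8-digit string is numeric, and the sample events are all constructed for illustration.

```python
import re

# Driver file names listed in the article (BYOVD).
BYOVD_DRIVERS = {"rtcore64.sys", "dbutil_2_3.sys", "zamguard64.sys", "gdrv.sys"}

# Patterns are this example's own; the indicators they encode come from the article.
RULES = {
    # "<binary> -s <8-digit string> svc"; assumes the string is numeric
    "service_launch_switches": re.compile(r"\s-s\s+\d{8}\s+svc\b", re.I),
    # ping delay, then fsutil zeroing the binary, then Del
    "self_delete_chain": re.compile(
        r"ping\s+\S+\s+-n\s+\d+.*fsutil\s+file\s+setzerodata.*\bdel\b", re.I),
    # anything run from or written to the staging directory
    "systemdata_staging": re.compile(r"c:\\systemdata\\", re.I),
}

def classify(event):
    """Return the sorted names of every rule one event matches."""
    cmd = event.get("command_line", "")
    path = event.get("target_file", "")
    hits = {name for name, rx in RULES.items() if rx.search(cmd + " " + path)}
    if path.lower().rsplit("\\", 1)[-1] in BYOVD_DRIVERS:
        hits.add("byovd_driver_written")
    return sorted(hits)

def triage(events):
    """Group rule hits by host, skipping hosts with none."""
    by_host = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            by_host.setdefault(ev["host"], set()).update(hits)
    return {host: sorted(h) for host, h in by_host.items()}

SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"host": "ws01", "command_line": r"C:\Windows\host.exe -s 12345678 svc"},
    {"host": "ws01", "command_line": r"cmd.exe /c ping 1.1.1.1 -n 10 > Nul & "
        r"fsutil file setZeroData offset=0 length=503808 c:\windows\host.exe & "
        r"Del c:\windows\host.exe /F /Q"},
    {"host": "ws02", "target_file": r"C:\SystemData\RtCore64.sys"},
    {"host": "ws03", "command_line": r"ping 10.0.0.1 -n 4"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits)
```

Because the binaries are compiled per victim, the rules key on behaviour and file names rather than hashes; the driver names in particular also belong to legitimate software and need local context before escalation.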

BlackByte’s transition from C# to Go and now to C/C++ is a major step forward that lets it make use of anti-analysis methods.

The ransomware’s self-propagating nature, BYOVD usage, and custom per-victim compilation pose significant challenges for defenders. They call for more advanced defensive methods and, in some cases, even enterprise-wide password changes for the whole organization if better control is required.

Recommendations

The recommendations are:

  • Implement MFA for remote and cloud access.
  • Audit VPN configurations.
  • Set alerts for privileged group changes.
  • Limit or disable NTLM.
  • Disable SMBv1 and enforce SMB signing.
  • Deploy EDR across all systems.
  • Disable vendor accounts and remote access.
  • Detect unauthorized configuration changes.
  • Document enterprise password reset procedures.
  • Harden and patch ESX hosts.
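As an illustration of the "privileged group changes" alert applied to the ‘ESX Admins’ group mentioned earlier, the following added example (not from the article or from Cisco Talos) correlates Windows Security log group-creation and member-added events. The event dictionary layout, the 30-minute correlation window and the sample events are assumptions made for the example.

```python
from datetime import datetime, timedelta

GROUP_CREATED = {4727, 4731, 4754}  # security-enabled global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}   # member added to a global / local / universal group
WATCHED_GROUP = "esx admins"        # group name from the article
WINDOW = timedelta(minutes=30)      # assumed correlation window

def normalise(name):
    """Collapse whitespace and case so 'ESX  admins' is still recognised."""
    return " ".join(name.split()).casefold()

def esx_admins_alerts(events):
    """Return (severity, time, actor, detail) tuples for 'ESX Admins' changes."""
    alerts, created_at = [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        if normalise(ev["group"]) != WATCHED_GROUP:
            continue
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] in GROUP_CREATED:
            created_at = when
            alerts.append(("high", ev["time"], ev["actor"], "group created"))
        elif ev["event_id"] in MEMBER_ADDED:
            # A group that is created and populated within the window is
            # treated as more urgent than a change to a long-standing group.
            fresh = created_at is not None and when - created_at <= WINDOW
            severity = "critical" if fresh else "high"
            alerts.append((severity, ev["time"], ev["actor"],
                           f"member added: {ev['member']}"))
    return alerts

SAMPLE = [  # constructed events, not from a real incident
    {"time": "2024-08-01T02:14:05", "event_id": 4728, "group": "Helpdesk",
     "actor": "CORP\\jdoe", "member": "CORP\\asmith"},
    {"time": "2024-08-01T03:02:11", "event_id": 4727, "group": "ESX Admins",
     "actor": "CORP\\svc-backup", "member": ""},
    {"time": "2024-08-01T03:02:40", "event_id": 4728, "group": "esx admins",
     "actor": "CORP\\svc-backup", "member": "CORP\\svc-backup"},
]

if __name__ == "__main__":
    for alert in esx_admins_alerts(SAMPLE):
        print(alert)
```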


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
