December 8, 2023

Noberus ransomware actors are adding weapons to their malware to steal data and credentials from victim networks.

Revised version of the Exmatter data exfiltration tool was seen used with Noberus in ransomware infections, and affiliate using Noberus was detected using Eamfo, the info-stealing malware that connects to the SQL database where a victim’s Veeam backup software installation stores credentials.


The RaaS group Coreid thought to be behind Noberus and its affiliates makes the threat more dangerous than ever as per the Symantec researchers and is known for using the Carbanak malware to steal money, particularly in the banking, hospitality, and retail industries.

Noberus also known as BlackCat and ALPHV is the successor to those malware families. Coreid has continuously updated Noberus since it first emerged, shortly after BlackMatter was retired in a suspected move by the ransomware gang to stay ahead of law enforcement.

Noberus is written in Rust, that can encrypt files on a range of OS and environments, including Windows, VMware ESXi, Debian Linux, and ReadyNAS and Synology storage, Coreid has claimed. The number of victims are likely to be higher.


With the code getting a major update, that includes encryption capabilities on Arm systems, and SAFEMODE, which added more encryption functionality to its Windows build.

Exmatter is being used with BlackMatter. But the data exfiltration tool has been updated and with the latest version being used with the Noberus attacks reducing the number of file types it tries to steal and adding a range of new features.

The Eamfo info-stealer may have been used by attackers alongside the Yanluowang  and  LockBit ransomware families, as well as a new ransomware variant called Monti.

Eamfo connects to a victim’s Veeam software’s SQL database and steals the credentials through a SQL query. Also Veeam vulnerabilities are exploited to steal more information once the attacker came in to the network.


The Noberus attacks that include Eamfo also use GMER, an old rootkit scanner used by ransom groups to kill processes in compromised systems. It’s been used widely now.

Indicators of Compromise

  • ad5002c8a4621efbd354d58a71427c157e4b2805cb86f434d724fc77068f1c40
  • 8c5b108eab6a397bed4c099f13eed52aeeec37cc214423bde07544b44a62e74a
  • 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d
  • 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
  • df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54
  • 029dde7c2ec880fb3d3e95e6a8376739b4bc46a0ce24012e064b904e6ecb672c
  • 72f0981f18b969db2781e874d249d8003c07f99786e217f84cf54a148de259cc
  • 18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7
  • e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
  • ed6275195cf9fd758fb7f8bce868c14dc9e9d6b7aa6f472f714bce5ed7fabf7f
  • 5799d554307906e92749a0c45f21baff28d83b1cedccbf7cb6f2b98ac1b00930

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.