June 6, 2023

Noberus ransomware actors are adding weapons to their malware to steal data and credentials from victim networks.

Revised version of the Exmatter data exfiltration tool was seen used with Noberus in ransomware infections, and affiliate using Noberus was detected using Eamfo, the info-stealing malware that connects to the SQL database where a victim’s Veeam backup software installation stores credentials.

Advertisements

The RaaS group Coreid thought to be behind Noberus and its affiliates makes the threat more dangerous than ever as per the Symantec researchers and is known for using the Carbanak malware to steal money, particularly in the banking, hospitality, and retail industries.

Noberus also known as BlackCat and ALPHV is the successor to those malware families. Coreid has continuously updated Noberus since it first emerged, shortly after BlackMatter was retired in a suspected move by the ransomware gang to stay ahead of law enforcement.

Noberus is written in Rust, that can encrypt files on a range of OS and environments, including Windows, VMware ESXi, Debian Linux, and ReadyNAS and Synology storage, Coreid has claimed. The number of victims are likely to be higher.

Advertisements

With the code getting a major update, that includes encryption capabilities on Arm systems, and SAFEMODE, which added more encryption functionality to its Windows build.

Exmatter is being used with BlackMatter. But the data exfiltration tool has been updated and with the latest version being used with the Noberus attacks reducing the number of file types it tries to steal and adding a range of new features.

The Eamfo info-stealer may have been used by attackers alongside the Yanluowang  and  LockBit ransomware families, as well as a new ransomware variant called Monti.

Eamfo connects to a victim’s Veeam software’s SQL database and steals the credentials through a SQL query. Also Veeam vulnerabilities are exploited to steal more information once the attacker came in to the network.

Advertisements

The Noberus attacks that include Eamfo also use GMER, an old rootkit scanner used by ransom groups to kill processes in compromised systems. It’s been used widely now.

Indicators of Compromise

  • ad5002c8a4621efbd354d58a71427c157e4b2805cb86f434d724fc77068f1c40
  • 8c5b108eab6a397bed4c099f13eed52aeeec37cc214423bde07544b44a62e74a
  • 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d
  • 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
  • df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54
  • 029dde7c2ec880fb3d3e95e6a8376739b4bc46a0ce24012e064b904e6ecb672c
  • 72f0981f18b969db2781e874d249d8003c07f99786e217f84cf54a148de259cc
  • 18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7
  • e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
  • ed6275195cf9fd758fb7f8bce868c14dc9e9d6b7aa6f472f714bce5ed7fabf7f
  • 5799d554307906e92749a0c45f21baff28d83b1cedccbf7cb6f2b98ac1b00930
Tags:

Leave a Reply

You may have missed

Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

June 4, 2023
Cisco buys Armorblox

Cisco buys Armorblox

June 3, 2023
CISA KEV Update Part I – May 2023

CISA KEV Update Part I – May 2023

June 3, 2023
%d bloggers like this: