How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter

By Mark Vaitzman

February 24, 2022

Data exfiltration is a tactic that allows cyber attackers to steal sensitive data and extract it outside of the organization. The MITRE ATT&CK framework defines nine different techniques and eight sub-techniques used by cyber attackers for illegitimately exfiltrating data.

In most cases, data exfiltration is used by InfoStealers, banking trojans, spyware, or as part of a ransomware approach known as double extortion.

The most common and hardest to detect means of exfiltrating data is implemented using known (or less known) cloud file sync services like Google Drive and SmartFile – as well as similar open-source services like FreeFileSync. It is also popular to use all-in-one sync tools like Rloader or Cyberduck – which have the built-in ability to work with nearly all file sync services. In this way, attackers can sync all relevant folders to accounts that they have access to.

The other two primary means of exfiltration in cyber attacks are via physical devices – which are easy to protect against by disabling the USB storage ability of endpoints; and using custom-built exfiltration tools – which is the approach we are going to talk about in this blog.

In some cases, even very simple approaches to data exfiltration can be well hidden using simple techniques. To learn more about this, see our recent blog, The Hidden Threats of PUPs.

The MITRE ATT&CK framework defines nine different techniques and eight sub-techniques used by cyber attackers for illegitimately exfiltrating data.

The Sender

Recently, Ransomware gangs have started to use custom-built exfiltration tools more often in their cyber attacks. One of these tools is the rebranded BlackMatter exfiltration tool originally used by the BlackMatter gang, and now also by the BlackCat (aka ALPHV) ransomware threat actor. Way back in November, it was reported that it was shut down due to law enforcement pressure. The following sections provide a deep-dive into the code of the rebranded BlackMatter exfiltration tool, which is both interesting and simple.

Ransomware gangs started to use custom-built exfiltration tools more often in their cyber attacks. One of these tools is the rebranded BlackMatter exfiltration tool

General info:

  • MD5: 0a76e0e59456d310419266270c410936
  • Type: PE32

Metadata:

  • Copyright: 2021
  • Product: sender2
  • Description: sender2
  • Original Name: sender2.exe
  • File Version: 1.0.0.0
  • Compilation workspace/artifact: C:\work\file_sender\sender2\sender2\bin\Release\sender2.pdb
  • Compilation date: 2022:02:02 23:39:17+00:00

The executable is written in .Net.

DetectItEasy
BlackMatter Exfiltration Tool - using DetectItEasy

Behavior Analysis

The main goal of sender.exe is to collect all sensitive data and send it to the attacker before it has been encrypted by bundled ransomware.

The main feature of this tool is a commonly known as the BlackMatter exfiltration tool with some add-ons. Aside from this main feature, the executable has many useless loops and “sleep” periods to avoid detection and keep itself in a state of low-rate activity. All external connections attempts are done to the hardcoded IP 164.92.232[.]192 ports 22 and 443 (SSH and HTTPS).

ProcMon

Communication activity seen in ProcMon

The tool has two methods for exfiltration: SFTP and HTTPS using WebDAV. WebDAV stands for Web Distributed Authoring and Versioning, which is an extension of the HTTP protocol that allows clients to edit remote content. There is also an embedded option to use socks5 using a hardcoded internal IP (10.26.16[.]181) (This is described in detail in the next section.)

Code Analysis

Since it’s .NET, it is easy to reverse! So, let the fun begin.

First, let’s jump into the config section.

This image shows the SFTP user name and password. (Please do not attempt to connect!)

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - SFTP User Name and Password

                                            SFTP User Name and Password

Notice that we can see the above-mentioned WebDav extension functionality:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - WebDav Extension Functionality

WebDav Extension Functionality

Now, we can go through the main functions and classes – in order to understand the execution flow.

FilesFinder Class

The FilesFinder class includes functions and helpers to search and build a queue that allows relevant files to be exfiltrated.

The FilesFinder function searches for all relevant files and desired files among all drives of the machine:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - FilesFinder Function

                                                                                                 FilesFinder Function

FileFinder searches for files last modified during a specific period. Quickly jumping to the Main function of the exfiltration tool to check what time period is of interest: First, the tool searches for files modified in the last six months. (from 6 month back to the next 10 years – in fact, it’s just the last 6 months). Then, it attempts to search for files modified between 1 year and 6 years ago (see B, below) – an attempt that can never succeed.

6How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Time Period of Last Modification of Files

Time Period of Last Modification of Files

 

There is a logical mistake in the second loop (B). The function expects to find files with the last modified date for the period between 12 and 6 months ago. In this way, it would cover the last year (together with the first loop). It is probably a developer's mistake caused by the “Tab Bug” – an automatic code suggestion for Now.addYears(-6) – which should instead be Now.addMonths(-6)). The function attempts to search the files' last modified date more than 12 months ago (FromPeriod) but lower than 6 years ago (ToPeriod), which is logically impossible. (Look at the Main, FilesFinder and FileChecker functions' explanations in this post.)

Note: In some cases, when exfiltration is unsuccessful, the attacker may attempt to present old, leaked files as “stolen” files. Be aware that in case of using the BlackMatter tool (also known as the ExMatter tool), they attempt to exfiltrate only “fresh” files.

Use the following functionality:

  • GetDrives – Check for all available storage drives on the system. This is part of the System.IO.DriveInfo:

    How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - GetDrives

   GetDrives

  • CheckDrive – Initiates another process, for actually processing the drive:

    How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - CheckDrive

         CheckDrive

  • driveProcessor – is the function that calls the above-described procedures for each drive, including FixAccess:

    How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - driveProcessor

       driveProcessor

  • FixAccess – changes the ownership of the files for NTAccount:

    How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - FixAccess

  FixAccess

  • Note that FixAccess is set to “true” by default in the config file:

    How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter – FixAccess is set to true by default in config file
  • Set up the queue for uploading the files:

    How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter – Setting up the Queue

       Setting Up the Queue

Now, we will dive a bit deeper into the specific properties of the “desired files.” The File Checker is responsible:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - File Checker

                                                                                                                 File Checker

Follow these steps:

  1. Get an array of all files.
  2. Don’t take System files, Temporary files and Directory files. This means that out of the commonly used attributes, only Read-Only, Hidden and Archive files are taken.
  3. The minimum file size should be more than 4 bytes (nearly everything).

    How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Minimum File Size

     Minimum File Size

        4. Use only “goodExtension” files:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - goodExtension file

goodExtension file

        5. Avoid badFileMasks:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - badFileMasks

badFileMasks

        6. The file should be last modified in the requested period we mentioned above. (The first search was for the last six months; then the second loop is useless, due to a developer error.)

        7. Initially, some folders are skipped when processing the drives (badPaths). When processing the drives directories, avoid “badPaths” and elevate permissions.

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - badPaths

badPaths

Upload Class

Upload class is responsible for handling the connection and managing the upload of the files. The connection is done via the above-mentioned sftp, or it can use the local proxy if it fails to use the current IP more than three times:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Connection Function of the Upload Class

Connection Function of the Upload Class

Attempt to use the local proxy socks5 forwarder via 10.26.16[.]181:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Local Socks5

                                                                                                          Local Socks5

The User and Password have already been mentioned in the config file. Usually when using such exfiltration methods, you can find the credentials in the config file for SFTP, Google Drive, or any other syncing service.

Build the upload files queue:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Upload Files Queue

                                                                                                      Upload Files Queue

And don’t forget to test your machine connection before starting the upload process. Use the “test” function to test the connection to the internet using duckduckgo[.]com (a hardcoded URL you can see during static analysis).

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Testing the Connection

                                                                                                  Testing the Connection

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Building the Upload Files Queue

  Building the Upload Files Queue

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Upload from the File Location to sftp

  Upload from the File Location to sftp

In a few lines, the Upload does the following:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Upload

                                                                                                             Upload

WebDav Class

An alternative way of uploading involving getting help from the WebDav http extension. We can see the base URL that just adds “data” as a destination to obtain the exfiltrated data:

WebDav Class An alternative way of uploading involving getting help from the WebDav http extension. We can see the base URL that just adds “data” as a destination to obtain the exfiltrated data:

WebDav Upload URL

Aside from this, there is nothing interesting in the WebDAV class – it’s a classic implementation.

You can see some utilities of the sender, including the execution of the hidden PowerShell to clean up evidence of exfiltration and the tool:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Utilities

                                                                                                                 Utilities

The sender is logging nearly everything, where it is executed non-hidden:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Logging

Logging

Here is an example of the resulting errors and actions:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - Example of Resulting Errors

Example of Resulting Errors

Note that the main function also handled several execution flags, like “ShowWindow”:

How Cyber Attackers Use the Custom-Built Exfiltration Tool BlackMatter - ShowWindow

                                                                                                      ShowWindow

To Summarize – Leveraging Rebranded BlackMatter in Cyber Attacks

Looking with this level of detail at Blackmatter – or more specifically, at the rebrand of the BlackMatter tool, which is now used by the BlackCat ransomware gang – can help organizations detect cyber attacks more effectively. Understanding how BlackMatter works allows us to set up detection rules and identify illegitimate activities. For example, at CyberProof we have seen frequently how detection rules can identify major ownership changes for files across the machine.

Understanding how BlackMatter works allows us to set up detection rules and identify illegitimate activities.

Be careful to whitelist only the appropriate file syncing services. It is best to choose a single one to be used by the whole organization and block all others.

Setting up canary files or honeypot folders containing files that nobody should touch should help identify cyber attacks as well. It is better to have different modification time periods for these files, and to exclude these files from file sync services and AntiVirus scanning to avoid False Positives.

To hear more about detection and threat hunting for custom exfiltration tools, gain a greater understanding of BlackMatter, and protect your organization against ransomware double extortion, contact CyperProof’s cyber experts.

Mark Vaitzman
Written by Mark Vaitzman
Mark Vaitzman is a Senior Cyber Security Analyst at CyberProof, where he is involved in investigating and countering threat actors. Mark has an in-depth understanding of information technology - including a specialization in investigating and reporting targeted cyber attacks. In addition to his work at CyberProof, Mark is also a mentor at the National Cyber Program in Israel. Prior to joining CyberProof, Mark was the Managed Defense Services Manager and CSIRT team lead at Nyotron (acquired by Acronis), a leading Endpoint Detection and Response provider. He served in the Israel Defense Forces in a combat battalion as a Network and Information Security Manager. Mark has a degree in Computer Science and Management.