In recent months, attackers deploying the Noberus ransomware (also tracked as BlackCat and ALPHV) have adopted new tactics, techniques, and procedures (TTPs), making an already serious threat more dangerous.
Two of the most notable recent developments are the use of an updated version of the Exmatter data exfiltration tool and the use of Eamfo, information-stealing malware built to harvest credentials saved by Veeam backup software.

Noberus is widely regarded as the successor to the Darkside and BlackMatter ransomware families, all of which are attributed to the group tracked as Coreid (also known as FIN7 and Carbon Spider). Darkside was used in the May 2021 attack on Colonial Pipeline; the enormous media and law-enforcement attention that attack drew led Coreid to retire Darkside and replace it with BlackMatter. Coreid runs a ransomware-as-a-service (RaaS) operation: it develops the malware, while affiliates carry out the intrusions in exchange for a share of the proceeds. Because different affiliates deploy the same ransomware, the TTPs and attack chains seen in Noberus incidents vary from one intrusion to the next.
In late August, Noberus affiliates were observed using Eamfo, an information stealer built to extract the credentials that Veeam backup software keeps on disk. Veeam can store credentials for a wide range of systems, including domain controllers and cloud services, so that it can back those systems up without prompting; the stored credentials are what the stealer is after. To obtain them, Eamfo connects to the SQL database in which Veeam saves the credentials and reads them out directly, bypassing the Veeam application entirely.
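The behaviour described above, a process other than the backup service reading Veeam's credential table straight out of SQL Server, is something defenders can alert on from SQL Server audit records. The script below is an added example written for this article, not code from Symantec or from Veeam: it runs a simple rule over constructed audit records whose fields roughly mirror what a SQL Server audit configured with SCHEMA_OBJECT_ACCESS_GROUP exposes through sys.fn_get_audit_file (action_id "SL" is SELECT). The database and table names, the service account and the backup server address are assumptions marked in the code and must be checked against your own deployment.

```python
"""Flag reads of Veeam's stored-credential table by anything other than the
backup service.  Records mirror the columns a SQL Server audit configured for
SCHEMA_OBJECT_ACCESS_GROUP writes (action_id "SL" is SELECT).  The sample
records below are constructed for this example, not taken from a real host."""
from dataclasses import dataclass

# Assumption: Veeam Backup & Replication keeps saved credentials in
# [VeeamBackup].[dbo].[Credentials].  Confirm the database name against your
# own deployment before relying on this rule.
VEEAM_DB = "VeeamBackup"
CREDENTIALS_TABLE = "Credentials"

# Assumption: the only legitimate reader is the Veeam service account, and
# only from the backup server itself.  Tune both sets to your environment.
ALLOWED_PRINCIPALS = {"CORP\\svc_veeam"}
ALLOWED_CLIENT_IPS = {"10.0.5.20"}


@dataclass(frozen=True)
class AuditRecord:
    event_time: str
    action_id: str
    server_principal_name: str
    client_ip: str
    database_name: str
    object_name: str
    statement: str


def reads_credentials_table(rec: AuditRecord) -> bool:
    """SELECT against [VeeamBackup].[dbo].[Credentials], whoever issued it."""
    return (rec.action_id == "SL"
            and rec.database_name == VEEAM_DB
            and rec.object_name == CREDENTIALS_TABLE)


def is_suspicious(rec: AuditRecord) -> bool:
    """A credential-table read from an unexpected account OR an unexpected
    host.  Checking both catches the service account being replayed from a
    machine that is not the backup server."""
    if not reads_credentials_table(rec):
        return False
    return (rec.server_principal_name not in ALLOWED_PRINCIPALS
            or rec.client_ip not in ALLOWED_CLIENT_IPS)


def find_suspicious(records):
    """Return the records that trip the rule, in input order."""
    return [r for r in records if is_suspicious(r)]


# Constructed sample audit records (hosts, accounts and times are invented).
SAMPLE_RECORDS = [
    # normal backup job: service account, backup server, single-row lookup
    AuditRecord("2022-09-01T02:10:04", "SL", "CORP\\svc_veeam", "10.0.5.20",
                VEEAM_DB, CREDENTIALS_TABLE,
                "SELECT [user_name],[password] FROM [dbo].[Credentials] WHERE [id]=@id"),
    # bulk dump of every saved credential from an admin workstation
    AuditRecord("2022-09-01T03:41:17", "SL", "CORP\\jdoe", "10.0.9.77",
                VEEAM_DB, CREDENTIALS_TABLE,
                "select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]"),
    # service account reused from a host that is not the backup server
    AuditRecord("2022-09-01T03:42:02", "SL", "CORP\\svc_veeam", "10.0.9.77",
                VEEAM_DB, CREDENTIALS_TABLE,
                "SELECT * FROM [dbo].[Credentials]"),
    # same account and host as the dump, but a different table: not flagged
    AuditRecord("2022-09-01T03:42:30", "SL", "CORP\\jdoe", "10.0.9.77",
                VEEAM_DB, "Backups", "SELECT * FROM [dbo].[Backups]"),
    # a write is not a read; a separate rule should cover tampering
    AuditRecord("2022-09-01T04:00:00", "IN", "CORP\\svc_veeam", "10.0.5.20",
                VEEAM_DB, CREDENTIALS_TABLE, "INSERT INTO [dbo].[Credentials] ..."),
]


def demo():
    """Run the rule over the sample set and return the hits."""
    hits = find_suspicious(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h.event_time} {h.server_principal_name}@{h.client_ip}: {h.statement}")
    return hits


if __name__ == "__main__":
    demo()
```

The rule keys on the structured database and object columns rather than on the statement text, so it still fires when the query names the table without a database prefix (the connection's default database supplies it) or when the text is obfuscated. The statement is kept only to give the analyst context. Because Veeam itself legitimately reads this table on every job, an allow-list on both the principal and the client address is what keeps the rule quiet during normal operation while still catching a stolen service-account credential used from elsewhere.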
Noberus drew attention because it was the first professional ransomware strain written in Rust to be used in real-world attacks. Rust is attractive to ransomware developers because it is cross-platform: according to Coreid, Noberus can encrypt data on Windows, VMware ESXi, Debian, and ReadyNAS and Synology NAS devices, among other platforms.
According to Symantec, Coreid continually adjusts its ransomware operation to keep it as effective as possible, as shown by the regular updates and refinements to Noberus and the tooling around it. An FBI warning from April 2022 stated that Noberus had compromised at least 60 organizations worldwide between November 2021 and March 2022; the number of victims is now likely several times higher.
Indicators of Compromise
File hashes (SHA256)
ad5002c8a4621efbd354d58a71427c157e4b2805cb86f434d724fc77068f1c40 – Trojan.Exmatter
8c5b108eab6a397bed4c099f13eed52aeeec37cc214423bde07544b44a62e74a – Ransom.Noberus
18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7 – GMER Driver
e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 – GMER
ed6275195cf9fd758fb7f8bce868c14dc9e9d6b7aa6f472f714bce5ed7fabf7f – Masqueraded PAExec
5799d554307906e92749a0c45f21baff28d83b1cedccbf7cb6f2b98ac1b00930 – Masqueraded PAExec
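A practical use of the hashes above is a sweep of suspect hosts for files whose SHA-256 matches one of them. The following is an added example written for this article, not a tool from the original report: it streams every regular file under a directory through SHA-256, skips symlinks so a planted link cannot pull the scan outside the tree, tolerates unreadable files, and reports matches against the IOC set. The self-check at the end builds its own constructed files in a temporary directory and adds their digest to a copy of the set, since no harmless file will ever hash to a real indicator.

```python
"""Walk a directory tree, hash every regular file with SHA-256 and report any
file whose digest appears in an IOC set.  The set below is the indicator list
from the article; the self-check files in demo() are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

IOC_SHA256 = {
    "ad5002c8a4621efbd354d58a71427c157e4b2805cb86f434d724fc77068f1c40": "Trojan.Exmatter",
    "8c5b108eab6a397bed4c099f13eed52aeeec37cc214423bde07544b44a62e74a": "Ransom.Noberus",
    "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7": "GMER Driver",
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173": "GMER",
    "ed6275195cf9fd758fb7f8bce868c14dc9e9d6b7aa6f472f714bce5ed7fabf7f": "Masqueraded PAExec",
    "5799d554307906e92749a0c45f21baff28d83b1cedccbf7cb6f2b98ac1b00930": "Masqueraded PAExec",
}


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used for small checks)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks so large files
    (backup images, VM disks) are never loaded into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=IOC_SHA256):
    """Return (path, label) for every file under `root` whose digest is in
    `iocs`.  Symlinks are not followed and unreadable files are skipped, so
    a single locked or planted entry cannot abort the whole sweep."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue          # permission denied, vanished mid-scan, etc.
            label = iocs.get(digest)
            if label is not None:
                hits.append((str(p), label))
    return hits


def demo():
    """Self-check on constructed files: one whose digest is added to a copy
    of the IOC set and one that is clean.  Returns the labels found."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "sub" / "sample.bin"     # constructed name
        planted.parent.mkdir()
        planted.write_bytes(b"constructed sample, not real malware")
        (Path(tmp) / "clean.txt").write_bytes(b"nothing to see here")
        iocs = dict(IOC_SHA256)
        iocs[sha256_file(planted)] = "Test.Constructed"
        return [label for _path, label in scan_tree(tmp, iocs)]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, label in scan_tree(root):
        print(f"{label}: {path}")
```

Run it as `python scan.py C:\` or `python scan.py /` on a suspect host. A hash match is a strong indicator but a miss is not a clean bill of health: affiliates rebuild tooling, and a single byte changed in Exmatter or a freshly packed PAExec produces a different digest, so treat this as triage alongside the behavioural signs described above rather than as the only check.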
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.