This ransomware can steal your Veeam credentials and encrypt your backups

In recent months, hackers utilizing the Noberus (also known as BlackCat, ALPHV) ransomware have been using new techniques, tools, and procedures (TTPs), making the situation even more serious.

The usage of a new version of the Exmatter data exfiltration program and the use of Eamfo, information-stealing malware made to steal passwords saved by Veeam backup software, are two of the most prominent recent advances. Noberus is commonly thought to be the successor malware to the Darkside and BlackMatter ransomware variants, which were  tracked as Coreid or  FIN7, Carbon Spider. In May 2021, the Colonial Pipeline ransomware campaign employed Darkside. Coreid shut down Darkside and replaced it with BlackMatter as a result of the enormous amount of media and law enforcement attention the attack garnered. In its ransomware-as-a-service (RaaS) business, Coreid creates the malware, but affiliates distribute it in exchange for a percentage of the earnings. The various TTPs and attack chains employed in Noberus attacks can occasionally be explained by the ransomware being utilized by various affiliates.

In late August, it was discovered that  Noberus ransomware affiliates were employing data-stealing malware created to steal passwords held by Veeam backup software. Credential storage for a variety of systems, including domain controllers and cloud services, is possible with Veeam. To make it easier to back up these devices, the credentials are saved. In order to steal credentials, the ransomware  connects to the SQL database where Veeam saves them.

Because Noberus was developed in Rust, which was the first professional ransomware strain to be used in real-world cyberattacks, it attracted attention . Because it is cross-platform, Rust is a preferred language. Noberus, according to Coreid, can encrypt data on the Windows, EXSI, Debian, ReadyNAS, and Synology operating systems as well as other platforms.

Coreid continually modifies its ransomware operation to keep it as efficient as possible according to Symantec, as seen by the regular update and improvement of Noberus’ activities. The Noberus ransomware affected at least 60 companies worldwide between November 2021 and March 2022, according to a warning from the FBI from April 2022; now, the number of victims is likely to be several times higher.

Indicators of Compromise

File hashes (SHA256)

ad5002c8a4621efbd354d58a71427c157e4b2805cb86f434d724fc77068f1c40 – Trojan.Exmatter

8c5b108eab6a397bed4c099f13eed52aeeec37cc214423bde07544b44a62e74a – Ransom.Noberus

78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d –Infostealer.Eamfo

9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732 –Infostealer.Eamfo

df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54 –Infostealer.Eamfo

029dde7c2ec880fb3d3e95e6a8376739b4bc46a0ce24012e064b904e6ecb672c –Ransom.Noberus

72f0981f18b969db2781e874d249d8003c07f99786e217f84cf54a148de259cc –Ransom.Noberus

18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7 – GMER Driver

e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 – GMER

ed6275195cf9fd758fb7f8bce868c14dc9e9d6b7aa6f472f714bce5ed7fabf7f – Masqueraded PAExec

5799d554307906e92749a0c45f21baff28d83b1cedccbf7cb6f2b98ac1b00930 – Masqueraded PAExec

File Names

sync_enc.exe

without_cert.exe

vup.exe

morph.exe

locker.exe

isgmer.exe

kgeyauow.sys