BlackByte Ransomware Exploits VMware ESXi Flaw to Deploy RAT Tool

BlackByte is a ransomware-as-a-service (RaaS) group that was linked to Conti and emerged in late 2021. 

Their sophisticated tactics include exploiting vulnerable drivers, deploying self-propagating ransomware, and utilizing LoLBins along with the commercial tools in their attack chain. 

The group has evolved its ransomware by producing versions in the following languages:-

  • Go
  • .NET
  • C++

Besides this, BlackByte’s continuous advancement extends to its operations and data leak site.

Recently, cybersecurity researchers at Cisco Talos identified that BlackByte ransomware has been actively exploiting VMware ESXi vulnerability to deploy RAT tools.

Technical analysis

The recent BlackByte ransomware campaigns show that the attackers gained initial access through VPNs using valid credentials, most likely obtained by brute-force techniques.

They then moved further into the network by compromising Domain Admin accounts, exploited CVE-2024-37085 in VMware ESXi, and used NTLM authentication to pivot internally.

The ransomware was installed as host.exe in the directory C:\Windows\s and launched with the syntax host.exe -s [8-digit string] svc; the binary bundles a worm-like self-propagating encryption capability whose behaviour is configured through these command-line arguments.

It used a new file extension, blackbytent_h, and dropped four vulnerable drivers (RtCore64.sys, DBUtil_2_3.sys, zamguard64.sys, gdrv.sys) as part of a BYOVD strategy.

This binary was used to steal the passwords of mounted network shares, was able to turn off Windows Defender, and also contacted Microsoft’s symbol server. The attackers also used a possible custom tool, “atieclxx.exe”, and modified registry keys for stealth purposes.
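As an added illustration (not code from the Talos report or from this article), the following Python triage script applies the indicators named above (the four driver filenames, the host.exe -s [8-digit string] svc launch syntax and the blackbytent_h extension) to constructed endpoint events. The event field names (host, image, command_line, target_file) are assumed, and matching drivers by filename is a weak signal, since an attacker can rename a dropped driver.

```python
import re

# Indicators summarised from the article above. The page gives no hashes,
# so the driver check is filename-based and therefore low-confidence.
BYOVD_DRIVERS = {"rtcore64.sys", "dbutil_2_3.sys", "zamguard64.sys", "gdrv.sys"}
# host.exe -s [8-digit string] svc, as described in the article.
ENCRYPTOR_CMDLINE = re.compile(
    r"(?:^|[\\\s])host\.exe\s+-s\s+\d{8}\s+svc(?:\s|$)", re.IGNORECASE
)
ENCRYPTED_EXT = ".blackbytent_h"


def classify_event(event: dict) -> list:
    """Return the labels of every indicator that fires on one event.

    Assumed event schema: 'image' (loaded driver or process path),
    'command_line' (process launch arguments), 'target_file' (file written).
    """
    hits = []
    # Driver loads: compare only the basename, case-insensitively.
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    if image in BYOVD_DRIVERS:
        hits.append(f"byovd_driver:{image}")
    # Process creation: the encryptor's documented launch syntax.
    if ENCRYPTOR_CMDLINE.search(event.get("command_line", "")):
        hits.append("blackbyte_encryptor_cmdline")
    # File writes: encrypted output carries the new extension.
    if event.get("target_file", "").lower().endswith(ENCRYPTED_EXT):
        hits.append("blackbytent_h_extension")
    return hits


def scan(events) -> list:
    """Flatten the hits across all events as (host, label) pairs."""
    return [(e["host"], h) for e in events for h in classify_event(e)]


# Constructed sample telemetry, not real data from any incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Windows\\Temp\\RtCore64.sys"},
    {"host": "ws01", "command_line": "host.exe -s 12345678 svc"},
    {"host": "fs02", "target_file": "\\\\fs02\\finance\\Q3.xlsx.blackbytent_h"},
    {"host": "ws03", "command_line": "svchost.exe -k netsvcs"},
    {"host": "ws03", "image": "C:\\Windows\\System32\\drivers\\ntfs.sys"},
]

if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Treat a driver-name hit as a prompt to pull the file's hash and signer and compare against a maintained vulnerable-driver blocklist, rather than as a confirmed BYOVD event on its own.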

BYOVD exposure (Source – Cisco Talos)

BYOVD (Bring Your Own Vulnerable Driver) attacks pose significant risks across several sectors, but the professional, scientific, and technical sector is the most affected, accounting for 15% of vulnerable driver exposure.

BlackByte victimology by industry vertical (Source – Cisco Talos)

Manufacturing is the most targeted industry for BlackByte ransomware, with 32% of known victims coming from this sector. The malware itself has shifted from C# in BlackByteNT’s earlier iterations to Go, and now to C/C++ in the latest version.

This evolution strengthens the malware’s evasion and anti-analysis mechanisms, including complex anti-debugging methods.

The encryptor’s self-propagation ability, combined with the BYOVD approach, leaves defenders limited room for containment once the attack is under way. However, enterprise-wide credential and Kerberos ticket resets can effectively mitigate spread.

BlackByte’s Ransomware-as-a-Service model also forces victims to respond very quickly to new developments, and consequently security teams and services have to be highly adaptive across many aspects of the attack.

Recommendations

The recommendations are as follows:-

  • MFA Implementation
  • VPN Audit
  • Privilege Alerts
  • Authentication Security
  • SMB Security
  • EDR Deployment
  • Vendor Access
  • Configuration Monitoring
  • Password Reset Procedures
  • ESX Hardening

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.