In recent months, attackers deploying the Noberus ransomware (also known as BlackCat and ALPHV) have adopted new tactics, techniques, and procedures (TTPs), making the threat even more serious.
Two of the most notable recent developments are a new version of the Exmatter data-exfiltration tool and the use of Eamfo, information-stealing malware built to harvest passwords saved by Veeam backup software. Noberus is widely regarded as the successor to the Darkside and BlackMatter ransomware families, which were operated by the group tracked as Coreid (also known as FIN7 and Carbon Spider). Darkside was used in the May 2021 attack on Colonial Pipeline; the enormous media and law-enforcement attention that attack drew led Coreid to retire Darkside and replace it with BlackMatter. Coreid runs a ransomware-as-a-service (RaaS) operation: it develops the malware, while affiliates deploy it in exchange for a share of the proceeds. Because different affiliates use the ransomware, Noberus attacks sometimes show varying TTPs and attack chains.
In late August, Noberus affiliates were observed using information-stealing malware designed to harvest credentials stored by Veeam backup software. Veeam can store credentials for a range of systems, including domain controllers and cloud services, so that those systems can be backed up without re-entering them. To steal the credentials, the malware connects to the SQL database in which Veeam keeps them.
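The defensive counterpart to the behaviour described above is to watch who reads the Veeam credential store. The following is an added example, not code from the original article or from Symantec: a small rule that runs over constructed SQL Server audit lines and flags any client other than Veeam's own service reading a credentials object in the Veeam database. The pipe-delimited line format is a simplified construction, and the database name ("VeeamBackup"), the object name ("dbo.Credentials") and the expected Veeam program names are assumptions to be replaced with what your own environment shows.

```python
"""Flag reads of Veeam's stored credentials that do not come from Veeam itself.

Added example, not from the original article. The pipe-delimited lines are a
constructed, simplified rendering of SQL Server audit fields, and the database
name ("VeeamBackup"), the credentials object ("dbo.Credentials") and the
expected Veeam program names are assumptions to be replaced with the values
observed in your own environment.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: program names the backup server legitimately uses to read its
# own credential store. Any other client touching it is worth a look.
EXPECTED_PROGRAMS = {"Veeam.Backup.Service.exe", "Veeam.Backup.Manager.exe"}

# Match the Veeam configuration database and any statement naming a
# credentials object inside it.
VEEAM_DB = re.compile(r"\bveeam", re.IGNORECASE)
CREDENTIAL_OBJECT = re.compile(r"\bcredentials\b", re.IGNORECASE)


@dataclass
class AuditRecord:
    timestamp: str
    login: str
    program: str
    database: str
    statement: str


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one 'time | login | program | database | statement' line."""
    parts = [p.strip() for p in line.split("|", 4)]
    if len(parts) != 5:
        return None
    return AuditRecord(*parts)


def is_suspicious(rec: AuditRecord) -> bool:
    """True when a non-Veeam program reads a credentials object in a Veeam DB."""
    if not VEEAM_DB.search(rec.database):
        return False
    if not CREDENTIAL_OBJECT.search(rec.statement):
        return False
    return rec.program not in EXPECTED_PROGRAMS


def find_suspicious(lines: List[str]) -> List[AuditRecord]:
    """Return every parseable record that trips the rule, in log order."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is not None and is_suspicious(rec):
            hits.append(rec)
    return hits


# Constructed sample audit lines, not real telemetry.
SAMPLE_LOG = [
    "2022-08-25T02:14:07Z | VEEAMSRV\\svc_veeam | Veeam.Backup.Service.exe | VeeamBackup | SELECT id, user_name FROM dbo.Credentials WHERE id = 3",
    "2022-08-25T02:15:41Z | VEEAMSRV\\admin | sqlcmd.exe | VeeamBackup | SELECT * FROM dbo.Credentials",
    "2022-08-25T02:16:02Z | CORP\\reports | Excel.exe | SalesDW | SELECT * FROM dbo.Orders",
    "2022-08-25T02:17:30Z | VEEAMSRV\\admin | powershell.exe | VeeamBackup | SELECT COUNT(*) FROM dbo.BackupJobs",
]

if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f"{rec.timestamp} {rec.login} via {rec.program}: {rec.statement}")
```

On the sample above only the `sqlcmd.exe` line fires: the Veeam service reading its own table is expected, the `SalesDW` query is in the wrong database, and the PowerShell query in `VeeamBackup` does not touch the credentials object. The rule relies on SQL Server auditing (or equivalent query logging) being enabled on the backup server's database; without that telemetry there is nothing to match against.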
Noberus attracted attention because it was the first professional ransomware strain used in real-world attacks to be written in Rust, a language favoured because it is cross-platform. According to Coreid, Noberus can encrypt data on Windows, ESXi, Debian, ReadyNAS, and Synology systems, among other platforms.
According to Symantec, Coreid continually refines its ransomware operation to keep it as effective as possible, as the regular updates and improvements to Noberus show. An FBI alert from April 2022 stated that Noberus had hit at least 60 organizations worldwide between November 2021 and March 2022; the number of victims is now likely several times higher.
Indicators of Compromise
File hashes (SHA256)
ad5002c8a4621efbd354d58a71427c157e4b2805cb86f434d724fc77068f1c40 – Trojan.Exmatter
8c5b108eab6a397bed4c099f13eed52aeeec37cc214423bde07544b44a62e74a – Ransom.Noberus
78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d – Infostealer.Eamfo
9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732 – Infostealer.Eamfo
df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54 – Infostealer.Eamfo
029dde7c2ec880fb3d3e95e6a8376739b4bc46a0ce24012e064b904e6ecb672c – Ransom.Noberus
72f0981f18b969db2781e874d249d8003c07f99786e217f84cf54a148de259cc – Ransom.Noberus
18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7 – GMER Driver
e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 – GMER
ed6275195cf9fd758fb7f8bce868c14dc9e9d6b7aa6f472f714bce5ed7fabf7f – Masqueraded PAExec
5799d554307906e92749a0c45f21baff28d83b1cedccbf7cb6f2b98ac1b00930 – Masqueraded PAExec
File Names
sync_enc.exe
without_cert.exe
vup.exe
morph.exe
locker.exe
isgmer.exe
kgeyauow.sys
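To turn the indicators above into something actionable, the following added example (not code from the original article) parses the hash list exactly as it appears, including its uneven "hash – label" spacing, and sweeps a directory tree for files whose SHA256 or file name matches. The IOC values are the article's own; the throwaway directory built in `run_demo` is constructed for illustration, and the sweep assumes nothing about the host beyond read access to the tree it is pointed at.

```python
"""Sweep a directory tree for the file hashes and file names in the
indicators of compromise above.

Added example, not part of the original article. IOC_TEXT is a verbatim
copy of the article's hash list and IOC_FILENAMES its file-name list; the
parser tolerates the list's inconsistent 'hash – label' spacing. The
directory walk assumes only read access to the scanned tree.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

IOC_TEXT = """
ad5002c8a4621efbd354d58a71427c157e4b2805cb86f434d724fc77068f1c40 – Trojan.Exmatter
8c5b108eab6a397bed4c099f13eed52aeeec37cc214423bde07544b44a62e74a – Ransom.Noberus
78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d –Infostealer.Eamfo
9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732 –Infostealer.Eamfo
df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54 –Infostealer.Eamfo
029dde7c2ec880fb3d3e95e6a8376739b4bc46a0ce24012e064b904e6ecb672c –Ransom.Noberus
72f0981f18b969db2781e874d249d8003c07f99786e217f84cf54a148de259cc –Ransom.Noberus
18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7 – GMER Driver
e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 – GMER
ed6275195cf9fd758fb7f8bce868c14dc9e9d6b7aa6f472f714bce5ed7fabf7f – Masqueraded PAExec
5799d554307906e92749a0c45f21baff28d83b1cedccbf7cb6f2b98ac1b00930 – Masqueraded PAExec
"""

IOC_FILENAMES = {
    "sync_enc.exe", "without_cert.exe", "vup.exe", "morph.exe",
    "locker.exe", "isgmer.exe", "kgeyauow.sys",
}

# 64 hex chars, then an en dash or hyphen with optional spaces, then the label.
HASH_LINE = re.compile(r"^\s*([0-9a-fA-F]{64})\s*[–-]\s*(.+?)\s*$")


def parse_ioc_hashes(text: str) -> Dict[str, str]:
    """Map lowercase SHA256 -> label, skipping lines that are not hash entries."""
    hashes = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if m:
            hashes[m.group(1).lower()] = m.group(2)
    return hashes


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, hashes: Dict[str, str], names: Iterable[str]) -> List[Tuple[Path, str]]:
    """Return (path, reason) for every file whose hash or name matches an IOC."""
    names = {n.lower() for n in names}
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in names:
            findings.append((p, f"filename {p.name}"))
        try:
            digest = sha256_of(p)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if digest in hashes:
            findings.append((p, f"sha256 {digest} ({hashes[digest]})"))
    return findings


def run_demo() -> List[Tuple[Path, str]]:
    """Build a constructed throwaway tree with one IOC-named file and sweep it."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "locker.exe").write_bytes(b"constructed benign placeholder, not malware")
    (root / "notes.txt").write_bytes(b"nothing to see here")
    return sweep(root, parse_ioc_hashes(IOC_TEXT), IOC_FILENAMES)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{path}: {reason}")
```

A hash match is a strong indicator; a file-name match on its own is weak, since names such as `locker.exe` are easy to reuse or collide with, so treat name-only hits as a prompt to pull the file for analysis rather than as confirmation. Point `sweep` at a real tree by passing its `Path` together with the parsed hashes and the name set.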
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.