Steal(Bit) or exfil, what does it (Ex)Matter? Comparative Analysis of Custom Exfiltration Tools
June 28, 2022
In the proliferation of Ransomware as a Service (RaaS) operations as showcased by our previous blog, “Diving into double extortion campaigns”, tools to aid data exfiltration tactics have become a commodity. In addition to using ubiquitous tools such as Rclone, MegaSync, and FileZilla, ransomware and extortion groups have crafted custom exfiltration tools tailored to their operations. The continued use and development of these custom tools is a testament to their success, often simplifying and accelerating data exfiltration.
In this blog, we will examine two (2) exfiltration toolsets identified during CIFR incident response engagements conducted between the fourth quarter of 2021 and the first quarter of 2022: StealBit and ExMatter. We will provide a comparative and temporal analysis of the tools and the ongoing utilization and development efforts observed over time.
Symantec first publicly described ExMatter in November 2021 and connected the tool with at least one affiliate using the BlackMatter ransomware variant at the time. The presence of a modified version of ExMatter (aka Fendr) was revealed through investigations conducted by Accenture Security during several distinct ransomware incidents. Between the fourth quarter of 2021 and the first quarter of 2022, CIFR incident responders identified BlackMatter and BlackCat ransomware operators using various versions of the tool to aid exfiltration operations, as well as Conti ransomware operators during the same time period.
LockBit, formerly known as ABCD ransomware, was first launched in September 2019. However, it was not until LockBit's v2.0 release in June 2021 that the group developed and utilized the StealBit exfiltration tool in its operations.
During a recent investigation involving the LockBit v2.0 ransomware, Accenture Security discovered that the operators initially attempted to download StealBit from a remote server, but ultimately pivoted to the open-source utility Rclone as attempts to utilize the tool were prevented. This data point is a testament to the group’s versatility as it shows that while the LockBit operators may prefer to use their custom tools, they will ultimately adopt a path of least resistance to achieve their objectives. Furthermore, development efforts for StealBit might have slowed as the more recent compiled versions observed were from the fourth quarter of 2021, which included updates for broader targeting through removal of geolocation restrictions, as well as the removal of creation time-date-stamp.
Industries impacted include the financial services, retail, professional services, and energy sectors, with victims across North America, Europe, and Australia.
Accenture Security assesses with high confidence that the tools are being continuously developed and improved upon by their authors as the more recent samples analyzed include additional features and options for customization. For example, a recent version of ExMatter analyzed during an incident response engagement included specific targeting of CAD files, which suggests the operators may be interested in exfiltrating sensitive intellectual property related to engineering documents or product designs that are common in industrial environments such as the automotive, aviation, and manufacturing sectors.
Both custom exfiltration tools are designed to work on a 32-bit Windows system (Intel 386 or later). Each tool also includes obfuscation techniques that can mask certain data, or code. Important information such as network information of the command-and-control (C2) server address is encrypted in StealBit, while variants of ExMatter's code are protected and obfuscated using ConfuserEx (a free, open-source, .NET code protector), and Themida.
The following table is a comparison summary of the StealBit and ExMatter tools:
<<< Start >>>
<<< End >>>
<<< Start >>>
<<< End >>>
If you have an incident or need additional information on ways to prevent, detect, respond to, or recover from, cyberthreats, contact a member of our CIFR team 24/7/365 by phone 888-RISK-411 or email CIFR.firstname.lastname@example.org.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter, LinkedIn or visit us at accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2022 Accenture. All rights reserved.