BlackByte Ransomware Returns: Introducing the New Technology (NT) Variant


Emerging around July 2021, BlackByte is a fully featured Ransomware-as-a-Service (RaaS) group that infiltrates organizations and demands hefty ransoms. It employs a strategy known as double extortion: files are stolen from the targeted organization and publicly leaked if the ransom goes unpaid. BlackByte is known for continuously updating and distributing its namesake malware in new versions. The initial implementation of BlackByte was written in C#, followed by a Golang version that added a privilege escalation technique based on Bring Your Own Vulnerable Driver (BYOVD). The latest iteration, called BlackByte NT, is written in C++ and incorporates several methods to obstruct both static and dynamic analysis of the malware. The primary objective of this new version is to obscure the malware’s behavior when it is under scrutiny.

The evolution of BlackByte showcases the group’s relentless pursuit of refining its malicious capabilities. The latest version, BlackByte NT, employs various tactics, including dynamic import of APIs resolved by hash, anti-debug checks, and evasion techniques such as issuing syscalls directly instead of calling the standard Windows API libraries. Furthermore, the malware checks its execution arguments thoroughly and establishes persistence by registering a new service if the appropriate conditions are met. BlackByte NT uses modern cryptographic algorithms: Curve25519 elliptic curve cryptography (ECC) for the asymmetric part of the scheme, and the ChaCha20 stream cipher for symmetric file encryption. Like its previous version, the latest variant continues to use vulnerable drivers as part of its evasion techniques. Specifically, the malware drops two files, “A3V86HEL” and “A3V86HEL_1”, in the directory C:\SystemData. The file “A3V86HEL” corresponds to RTCore64.sys, a kernel-mode driver shipped with the Micro-Star (MSI) Afterburner graphics card utility. The other file, “A3V86HEL_1”, corresponds to DBUtil_2_3.Sys, a driver related to the Dell Client firmware update utility. Both drivers can be abused to escalate privileges on the targeted system and disable security protection products. While use of the RTCore64.sys driver was previously reported in the analysis of the second version of BlackByte, the inclusion of the Dell driver appears to be a distinguishing characteristic of the new variant.

Indicators of Compromise (IOCs):

SHA256 – 02a0a39dbe0dcb5600f4179aeab457bb86965699e45d1d154082b02139dc701d

SHA1 – c0950ebfa3a63c705ca813cfd28364aa1d90bb09

MD5 – bf1f2f3759448a05d3dd92a4f7f042f6
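The dropped-file names and directory described above, together with the sample hashes listed here, are enough to write a simple host hunt. The following script is an added example, not code from the original post: it hashes candidate files, compares them against the published IOCs, and reports any file in C:\SystemData carrying one of the renamed-driver names (the drivers’ own hashes are not given on the page, so a hit is reported by name and location only). The `build_sample_drop_dir` helper is a constructed fixture so the script can be exercised offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Sample hashes quoted from the advisory's IOC list.
BLACKBYTE_NT_IOCS = {
    "sha256": "02a0a39dbe0dcb5600f4179aeab457bb86965699e45d1d154082b02139dc701d",
    "sha1": "c0950ebfa3a63c705ca813cfd28364aa1d90bb09",
    "md5": "bf1f2f3759448a05d3dd92a4f7f042f6",
}
# Dropped-file names and the vulnerable drivers they correspond to (from the advisory).
DROPPED_DRIVERS = {
    "A3V86HEL": "RTCore64.sys (MSI Afterburner)",
    "A3V86HEL_1": "DBUtil_2_3.Sys (Dell Client firmware update utility)",
}
DEFAULT_DROP_DIR = Path(r"C:\SystemData")


def file_hashes(path):
    """Compute MD5, SHA1 and SHA256 of a file in one pass over its bytes."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def matches_ioc(hashes, iocs=BLACKBYTE_NT_IOCS):
    """True if any computed digest equals the corresponding published IOC."""
    return any(hashes.get(algo) == value for algo, value in iocs.items())


def hunt_dropped_drivers(drop_dir=DEFAULT_DROP_DIR):
    """Report files in the drop directory that carry the renamed-driver names.
    The SHA256 is included so an analyst can compare it with a driver blocklist."""
    findings = []
    if not drop_dir.is_dir():
        return findings
    for name, driver in DROPPED_DRIVERS.items():
        candidate = drop_dir / name
        if candidate.is_file():
            findings.append({"path": str(candidate), "likely_driver": driver,
                             "sha256": file_hashes(candidate)["sha256"]})
    return findings


def build_sample_drop_dir():
    """Constructed fixture: a temp directory holding empty files with the dropped names."""
    tmp = Path(tempfile.mkdtemp())
    for name in DROPPED_DRIVERS:
        (tmp / name).write_bytes(b"")
    return tmp
```

Run `hunt_dropped_drivers()` on a Windows host to check the real C:\SystemData path; pass `build_sample_drop_dir()` to see the output shape without touching the system.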

Recommended mitigations for the new BlackByte variant include keeping software updated, educating users about risks and social engineering techniques, maintaining regular backups, restricting privileges and access, implementing network segmentation, using behavioral analysis and threat detection tools, developing an incident response plan, conducting security awareness training, and performing regular security audits. These measures help protect against known vulnerabilities, detect and block malicious activity, minimize the impact of ransomware infections, and ensure effective incident response and recovery.