Cybercrime Gangs Developing Malware For Data Exfiltration
July 31, 2024
Big cybercrime gangs now have the means and the incentive to invest in R&D, according to Jessica Lyons, reporting in The Register. They have branched out from encrypting victims’ files and demanding a ransom to stealing sensitive information, and they are developing custom malware for data exfiltration.
BlackByte and LockBit are among the gangs that offer custom-built tools to their affiliates. An information security analyst at Cisco Talos told The Register that BlackByte’s custom Exbyte exfiltration tool, written in the Go programming language, targets Windows hosts. It transfers stolen files to an external server or cloud storage service.
According to the analyst, Exbyte uses various evasion techniques to avoid detection by security tools, among them testing whether it is being run in a sandboxed environment.
The notorious LockBit gang, which was busted by international police in February, had its own proprietary “StealBit” malware. According to the analyst, it was created to maximize the efficiency of data exfiltration for LockBit affiliates by shortening the time it took to complete the data theft.
StealBit operated like many legitimate applications. It had a graphical user interface including the ability to drag and drop files.
InfoStealers, tools used by brokers to collect credentials and personal data of victims, are often employed to gain access to targeted networks through valid accounts. The data is then sold as credential dumps on the dark web.
Another trend, according to Cisco Talos, is that ransomware crooks are focusing on defense evasion tactics to increase dwell time in victim networks. They use tools to disable or modify antivirus, endpoint detection, and operating system features that detect ransomware.