Security researchers have discovered a new data exfiltration tool designed to accelerate information theft for ransomware groups using the BlackMatter variant.
The Symantec Threat Hunter team explained in a new blog post today that the custom tool is the third discovery of its kind, following the development of the Ryuk Stealer tool and the LockBit-linked StealBit.
Dubbed “Exmatter,” it is designed to steal specific file types from selected directories and then upload them to a server under the control of BlackMatter attackers.
This process of whittling down data sources to only those deemed most profitable or business-critical is designed to speed up the whole exfiltration process, presumably so the threat actors can complete their attack stages before being interrupted.
After retrieving the drive names of all logical drives on a victim computer and collecting all file pathnames, Exmatter disregards anything under specific directories such as “C:\Documents and Settings.”
It only exfiltrates specific file types such as PDFs, Word docs, spreadsheets and PowerPoints, and aims to prioritize those for exfiltration using LastWriteTime.
Once exfiltration has been completed, Exmatter looks to overwrite and delete any traces of itself from the victim’s computer.
Symantec said it found various versions of the tool, indicating that its developers have tried to refine its functionality to accelerate the process of data theft as far as possible.
The researchers claimed BlackMatter itself is linked to the “Coreid” cybercrime group, which may have also been responsible for Darkside — the variant that led to the Colonial Pipeline outage.
However, it’s unclear whether Exmatter was developed by this group or one of the many affiliates who use BlackMatter in attacks.
“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand,” Symantec concluded.
“Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core focus of the group.”
The US authorities issued an alert on BlackMatter in mid-October, after it began to target critical infrastructure providers. One vendor claims it may still help victims of the ransomware variant after finding a bug in its code.