BlackMatter Group Speeds Up Data Theft with New Tool
Security researchers have discovered a new data exfiltration tool designed to accelerate information theft for ransomware groups using the BlackMatter variant.
The Symantec Threat Hunter team explained in a new blog post today that the custom tool is the third discovery of its kind, following the development of the Ryuk Stealer tool and the LockBit-linked StealBit.
Dubbed “Exmatter,” it is designed to steal specific file types from selected directories and then upload them to a server under the control of BlackMatter attackers.
This process of whittling down data sources to only those deemed most profitable or business-critical is designed to speed up the whole exfiltration process, presumably so the threat actors can complete their attack stages before being interrupted.
After retrieving the drive names of all logical drives on a victim computer and collecting all file pathnames, Exmatter disregards anything under specific directories such as “C:Documents and Settings.”
It only exfiltrates specific file types such as PDFs, Word docs, spreadsheets and PowerPoints, and aims to prioritize those for exfiltration using LastWriteTime.
Once exfiltration has been completed, Exmatter looks to overwrite and delete any traces of itself