![\"BlackByte](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-attack-flow-diagram-1024x514.webp\")
In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft\u2019s tracking of ransomware attacks and the cybercriminal economy<\/a> that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments. <\/p>\n To obtain initial access into the victim\u2019s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities<\/a> CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:<\/p>\n The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:<\/p>\n Backdoor<\/strong><\/p>\n After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:<\/p>\n The file api-msvc.dll <\/em>(SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:<\/p>\n The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32\/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.<\/p>\n An additional file, api-system.png<\/em>, was identified to have similarities to api-msvc.dll<\/em>. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.<\/p>\n Cobalt Strike Beacon<\/strong><\/p>\n The threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe <\/em>(SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64\/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh<\/em>:<\/p>\n This beacon was configured to communicate with the following C2 channel:<\/p>\n AnyDesk<\/strong><\/strong><\/p>\n Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:<\/p>\n Successful connections were observed in the AnyDesk log file ad_svc.trace<\/em> involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.<\/p>\n We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:<\/p>\n Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.<\/p>\n Evidence of likely usage of the credential theft tool Mimikatzwas also uncovered through the presence of a related log file mimikatz.log<\/em>. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.<\/p>\n Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.<\/p>\n In one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe<\/em> was identified, detected as Trojan:Win64\/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn\u2019t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:<\/p>\n explorer.exe P@$$w0rd<\/p>\n After reverse engineering explorer.exe<\/em>, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:<\/p>\n Analysis of the binary revealed a list of file extensions that are targeted for enumeration.<\/p>\n Forensic analysis identified a file named data.txt<\/em> that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform\u2019s API at:<\/p>\n We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.<\/p>\n ExByte execution flow<\/strong><\/p>\n Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\\\.\\PHYSICALDRIVE0<\/em>:<\/p>\n After this access check, explorer.exe<\/em> attempts to read the data.txt<\/em> file in the current location:<\/p>\n Finally, it forms a URL for sign-in to the API of the service MEGA NZ:<\/p>\n On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64\/BlackByte!MSR, with the following names:<\/p>\n The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.<\/p>\n Two modes of execution were identified:<\/p>\n Depending on the switch (-s<\/em> or -a<\/em>), execution may create the following files:<\/p>\n BlackByte 2.0 ransomware capabilities<\/strong><\/p>\n Some capabilities identified for the BlackByte 2.0 ransomware were:<\/p>\n To guard against BlackByte ransomware attacks, Microsoft recommends the following:<\/p>\nForensic analysis<\/h2>\n
Initial access and privilege escalation<\/h3>\n
\n
\n
Persistence<\/h3>\n
\n\n
\n Registry key<\/td>\n Value name<\/td>\n Value data<\/td>\n<\/tr>\n \n HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run <\/td>\n MsEdgeMsE<\/td>\n rundll32 C:\\Users\\user\\Downloads\\api-msvc.dll,Default <\/td>\n<\/tr>\n \n HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run <\/td>\n MsEdgeMsE<\/td>\n rundll32 C:\\temp\\api-msvc.dll,Default <\/td>\n<\/tr>\n \n HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run <\/td>\n MsEdgeMsE<\/td>\n rundll32 C:\\systemtest\\api-system.png,Default<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n \n
\n
\n
\n
Reconnaissance<\/h3>\n
\n
Credential access<\/h3>\n
Lateral movement<\/h3>\n
Data staging and exfiltration<\/h3>\n
\n
![\"Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_\"](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_.jpg\")
\n
![](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Figure-3.-Binary-analysis-showing-explorer.exe-functionality-for-connecting-to-file-sharing-service-MEGA-NZ.webp\")
\n
\n
\nC:\\Windows\\system32\\cmd.exe \/c ping 1.1.1.1 -n 10 > nul & Del <PATH>\\explorer.exe \/F \/Q\n<\/pre>\n<\/div>\n
\n
\n{ \u201ca\u201d:\u201dus0\u201d, \u201cuser\u201d:\u201d<CONTENT FROM data.txt>\u201d\n}\n<\/pre>\n<\/div>\n\n
Data encryption and destruction<\/h3>\n
\n
\n
\n
\n
\n
\n
\n
\n
cmd.exe \/c ping 1.1.1.1 -n 10 > Nul & Del \u201cPATH_TO_BLACKBYTE\u201d \/F \/Q<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n
\n
cmd \/c netsh advfirewall set allprofiles state off<\/code><\/li>\n<\/ul>\n<\/li>\n\n
cmd \/c netsh advfirewall firewall set rule group=\u201dFile and Printer Sharing\u201d new enable=Yes<\/code><\/li>\n<\/ul>\n\n
cmd \/c netsh advfirewall firewall set rule group=\u201dNetwork Discovery\u201d new enable=Yes<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n
\n
cmd \/c vssadmin Resize ShadowStorge \/For=B:\\ \/On=B:\\ \/MaxSize=401MB<\/code><\/li>\n<\/ul>\n\n
cmd \/c vssadmin Resize ShadowStorage \/For=B:\\ \/On=B:\\ \/MaxSize=UNBOUNDED<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n
\n
cmd \/c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System \/v LocalAccountTokenFilterPolicy \/t REG_DWORD \/d 1 \/f<\/code><\/li>\n<\/ul>\n<\/li>\n\n
cmd \/c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System \/v EnableLinkedConnections \/t REG_DWORD \/d 1 \/f<\/code><\/li>\n<\/ul>\n\n
cmd \/c reg add HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem \/v LongPathsEnabled \/t REG_DWORD \/d 1 \/f<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n
\n
\n
\n
Recommendations<\/h2>\n
\n
Conclusion<\/h2>\n