BlackByte 3.0 uses vulnerable drivers to compromise systems

Summary

  • Ransomware-as-a-service
  • Written in C\C++
  • Brings vulnerable drivers for privilege escalation
  • Uses syscalls instead of direct calls to WinAPI
  • Injects to the ‘svchost.exe’ process

Introduction

The analyzed BlackByteNT (also known as BlackByte 3.0) sample was spotted in February 2023, and had been already distributed for two weeks by that time.

Being an example of ‘ransomware-as-a-service‘ (RaaS), the threat actors constantly upgrade this malware to keep their customers satisfied. BlackByte ransomware has already seen three major changes. The first version was written in C#, the second in Go, and the third (BlackByteNT) is written in C\C++. Such changes in programming languages have a certain progression in increasing the complexity of the analysis for cybersecurity analytics, also bringing new anti-analysis and anti-debugging techniques.

Technical details

Overview

The sample that was loaded to VirusTotal is an unpacked version of the original BlackByteNT sample, which was packed with the UPX utility. This sample is a PE64 file, written in C\C++ and designed as a console application.

Acronis

Execution

The first thing that BlackByte does is check what arguments are passed to the command line. If none of the checked-for arguments are passed, it terminates the execution.

Acronis

Assuming that one of these parameters is passed, BlackByte loads an encoded string and decodes it using XOR operation and a hardcoded key. The result will be a value, which must be passed to the command line after the given parameter. BlackByte then compares this with the value from the command line. If it differs from this value, execution is terminated.

Acronis

If it matches, execution proceeds. During analysis, we observed the following behavior with different parameters:

-a – inject to ‘svchost.exe’, do not encrypt files
-w – inject ‘svchost.exe’, encrypt files
-s – inject ‘svchost.exe’, encrypt files
-q – do not inject to ‘svchost.exe’, do not encrypt files

One additional argument can be passed after the main parameter – ‘svc’.

Acronis

This will cause BlackByte to create a new thread and use the ‘StartServiceCtrlDispatcherW’ function to register a new service with a random name.

Acronis

This sample doesn’t have a lot of imports, but it decodes their names during execution.

Acronis

Then it stores them in local variables.

Acronis

BlackByte creates four new files in the ‘C:\SystemData’ folder.

Acronis

These files are:

A3V86HEL – RTCore64.sys, a Micro-Star MSI AfterBurner kernel mode driver (CVE-2019-16098).
A3V86HEL_1 – DBUtil_2_3.Sys, a Dell Client firmware update utility driver (CVE-2021-21551).
jxUxd.ico – an icon.
MsExchangeLog1.log – a log file.

The first two files are drivers with vulnerabilities, which can be exploited for escalation of privileges. One of these files, ‘RTCore64.sys,’ has already been used in the BlackByte v2 ransomware.

During execution, BlackByte writes data to the log file, which is probably used to log the execution process.

Acronis

Then it executes ‘svchost.exe’ with the same argument as the sample.

Acronis

After the process is created, BlackByte searches for it with the ‘CreateToolHelp32Snapshot,’ ‘Process32First,’ and ‘Process32Next’ functions for further injection.

Acronis

The initial ransomware process deletes its original file by creating a ‘cmd.exe’ process with the ‘CreateProcessInternalW’ function, using the following command:

Acronis

Then the original process is terminated; further work will be done in the ‘svchost.exe’ process.

File encryption

After the ‘svchost.exe’ process loads its imports, it proceeds to create new threads. It created 14 encryption threads in total, with a start address of ‘00007FF75A6DA630.’

Acronis

Throughout the execution process, BlackByteNT doesn’t call WinAPI functions directly. Instead, it uses syscalls to additionally evade endpoint detection and response (EDR) and antivirus (AV) systems, which monitor user-mode hooks.

Acronis

To encrypt users’ files, BlackByteNT uses an asymmetric Curve25519 elliptic curve cryptography algorithm and symmetric ChaCha20. Both of these algorithms are hardcoded in the sample. To generate a random 32-bytes key for each file it uses the 'CryptGenRandom()’ function.

Acronis

For each file, there will be at least two writing procedures. The first one is to encrypt data. The second one (always 41 bytes in size) adds the BlackByte data, where the first 9 bytes is ‘BLACKBYTE’ string and the other 32 bytes are a key, which is unique for each file.

Acronis

Ransom note

The ransom note ‘BB_Readme_CDXNB8WC.txt’ is dropped in each encrypted folder and opened automatically at the end of encryption. The note contains a personal URL and key to access chat with threat actors, and a link to the data auction.

Acronis

Data leak site

The auction link points to the leak site, where victims’ data is sold.

Acronis

Choosing one of the victims' tabs, we can see some screenshots of victims' files and four different buttons: pay for data, delete data (unavailable), download proof data, and buy data (unavailable).

Acronis

The proof data archive is hosted on the Anonfiles service and has 2.4 GB of stolen data, which anyone with this link can download.

Acronis

Conclusion

As the third version of BlackByte ransomware, the ‘NT’ version continues to use vulnerable drivers to escalate privileges on the victims' machines. Aside from the programming languages, there is a difference in the encryption algorithms between these versions. The first and second versions use AES and RSA to encrypt files, and the ‘NT’ version uses Curve25519 elliptic curve cryptography algorithm and ChaCha20. As this malware operates as ransomware-as-a-service, it is possible that in the future there will be new versions of BlackByte.

Detected by Acronis

Acronis

IoCs

Files

SHA256
Description
02a0a39dbe0dcb5600f4179aeab457bb86965699e45d1d154082b02139dc701d
BlackByteNT sample
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd
RTCore64.sys
0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
DBUtil_2_3.Sys

Network indicators

URL
http://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion/