SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blackbyte (Back to overview)

BlackByte


Ransomware. Uses dropper written in JavaScript to deploy a .NET payload.

References
2022-10-04SophosAndreas Klopsch
@online{klopsch:20221004:remove:a8a9121, author = {Andreas Klopsch}, title = {{Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse}}, date = {2022-10-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/}, language = {English}, urldate = {2022-10-24} } Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
BlackByte
2022-08-25DarktraceEmma Foulger, Max Heinemeyer
@online{foulger:20220825:detecting:95564b0, author = {Emma Foulger and Max Heinemeyer}, title = {{Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace}}, date = {2022-08-25}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace}, language = {English}, urldate = {2022-08-30} } Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace
BlackByte
2022-07-13NCC GroupRIFT: Research and Intelligence Fusion Team
@online{team:20220713:climbing:eea784b, author = {RIFT: Research and Intelligence Fusion Team}, title = {{Climbing Mount Everest: Black-Byte Bytes Back?}}, date = {2022-07-13}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/}, language = {English}, urldate = {2022-07-15} } Climbing Mount Everest: Black-Byte Bytes Back?
BlackByte
2022-07-05Trend MicroTrend Micro Research
@online{research:20220705:ransomware:01bdccf, author = {Trend Micro Research}, title = {{Ransomware Spotlight: BlackByte}}, date = {2022-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte}, language = {English}, urldate = {2022-07-12} } Ransomware Spotlight: BlackByte
BlackByte
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-18Cisco TalosHolger Unterbrink
@online{unterbrink:20220518:blackbyte:00c8696, author = {Holger Unterbrink}, title = {{The BlackByte ransomware group is striking users all over the globe}}, date = {2022-05-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html}, language = {English}, urldate = {2022-05-25} } The BlackByte ransomware group is striking users all over the globe
BlackByte
2022-05-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220517:hydra:16615d9, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups}}, date = {2022-05-17}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups}, language = {English}, urldate = {2022-05-25} } Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
BlackByte Conti
2022-05-03ZscalerJavier Vicente, Brett Stone-Gross
@online{vicente:20220503:analysis:ae8a3cc, author = {Javier Vicente and Brett Stone-Gross}, title = {{Analysis of BlackByte Ransomware's Go-Based Variants}}, date = {2022-05-03}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants}, language = {English}, urldate = {2022-05-04} } Analysis of BlackByte Ransomware's Go-Based Variants
BlackByte
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-02-28TrellixTaylor Mullins
@online{mullins:20220228:trellix:6ab8bac, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html}, language = {English}, urldate = {2022-03-07} } Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware
BlackByte
2022-02-21PICUS SecurityHüseyin Can YÜCEEL
@online{yceel:20220221:ttps:93e181d, author = {Hüseyin Can YÜCEEL}, title = {{TTPs used by BlackByte Ransomware Targeting Critical Infrastructure}}, date = {2022-02-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure}, language = {English}, urldate = {2022-02-26} } TTPs used by BlackByte Ransomware Targeting Critical Infrastructure
BlackByte
2022-02-14BleepingComputerSergiu Gatlan
@online{gatlan:20220214:fbi:faaad75, author = {Sergiu Gatlan}, title = {{FBI: BlackByte ransomware breached US critical infrastructure}}, date = {2022-02-14}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/}, language = {English}, urldate = {2022-02-16} } FBI: BlackByte ransomware breached US critical infrastructure
BlackByte
2022-02-13The RecordCatalin Cimpanu
@online{cimpanu:20220213:san:4feaacb, author = {Catalin Cimpanu}, title = {{San Francisco 49ers confirm ransomware attack}}, date = {2022-02-13}, organization = {The Record}, url = {https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/}, language = {English}, urldate = {2022-02-14} } San Francisco 49ers confirm ransomware attack
BlackByte
2022-02-11Federal Bureau of Investigation, U.S. Secret Service (USSS)
@techreport{investigation:20220211:joint:3c91f4c, author = {Federal Bureau of Investigation and U.S. Secret Service (USSS)}, title = {{JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware}}, date = {2022-02-11}, institution = {}, url = {https://www.ic3.gov/Media/News/2022/220211.pdf}, language = {English}, urldate = {2022-02-14} } JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware
BlackByte
2021-11-30Red CanaryHarrison van Riper
@online{riper:20211130:proxyshell:060517d, author = {Harrison van Riper}, title = {{ProxyShell exploitation leads to BlackByte ransomware}}, date = {2021-11-30}, organization = {Red Canary}, url = {https://redcanary.com/blog/blackbyte-ransomware/}, language = {English}, urldate = {2021-12-06} } ProxyShell exploitation leads to BlackByte ransomware
BlackByte
2021-11-04Deep instinctShaul Vilkomir-Preisman
@online{vilkomirpreisman:20211104:understanding:c22abf4, author = {Shaul Vilkomir-Preisman}, title = {{Understanding the Windows JavaScript Threat Landscape}}, date = {2021-11-04}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape}, language = {English}, urldate = {2021-11-19} } Understanding the Windows JavaScript Threat Landscape
STRRAT Griffon BlackByte Houdini Vjw0rm FIN7
Yara Rules
[TLP:WHITE] win_blackbyte_auto (20230125 | Detects win.blackbyte.)
rule win_blackbyte_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.blackbyte."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488b442418 488b5c2410 e8???????? 488b4c2420 488b01 440f117c2428 488d5c2428 }
            // n = 7, score = 200
            //   488b442418           | mov                 byte ptr [esp + 0x53], ch
            //   488b5c2410           | inc                 esp
            //   e8????????           |                     
            //   488b4c2420           | movzx               ebp, byte ptr [esp + 0x64]
            //   488b01               | inc                 esp
            //   440f117c2428         | mov                 byte ptr [esp + 0x52], ch
            //   488d5c2428           | inc                 esp

        $sequence_1 = { e8???????? 4889442460 48895c2428 e8???????? 440f117c2470 4889442470 48895c2478 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   4889442460           | mov                 byte ptr [eax], 0x7a
            //   48895c2428           | dec                 eax
            //   e8????????           |                     
            //   440f117c2470         | lea                 eax, [0x3dfac]
            //   4889442470           | dec                 eax
            //   48895c2478           | lea                 ebp, [esp + 0x30]

        $sequence_2 = { 488d7101 488935???????? 48c1e104 48895c0a08 488d3c0a 833d????????00 7507 }
            // n = 7, score = 200
            //   488d7101             | xor                 edx, edx
            //   488935????????       |                     
            //   48c1e104             | xor                 ebx, ebx
            //   48895c0a08           | dec                 eax
            //   488d3c0a             | mov                 dword ptr [esp + 0x60], ebp
            //   833d????????00       |                     
            //   7507                 | dec                 eax

        $sequence_3 = { 735c 0fb6740433 89d7 31f2 01c2 4883ff15 }
            // n = 6, score = 200
            //   735c                 | mov                 dword ptr [esp + 0x68], eax
            //   0fb6740433           | dec                 eax
            //   89d7                 | lea                 eax, [0x123825]
            //   31f2                 | dec                 eax
            //   01c2                 | mov                 ecx, ebx
            //   4883ff15             | dec                 eax

        $sequence_4 = { 4881c490000000 c3 31c0 4889d9 e8???????? 90 4889442408 }
            // n = 7, score = 200
            //   4881c490000000       | movzx               edx, byte ptr [esp + 0x57]
            //   c3                   | inc                 esp
            //   31c0                 | add                 edx, eax
            //   4889d9               | mov                 byte ptr [eax + 0xe], dl
            //   e8????????           |                     
            //   90                   | movzx               edx, byte ptr [esp + 0x5d]
            //   4889442408           | inc                 esp

        $sequence_5 = { 488d7818 488b4c2460 e8???????? 488b4c2420 48894810 833d????????00 7512 }
            // n = 7, score = 200
            //   488d7818             | dec                 eax
            //   488b4c2460           | shl                 ecx, 4
            //   e8????????           |                     
            //   488b4c2420           | dec                 eax
            //   48894810             | lea                 ebx, [0x192f35]
            //   833d????????00       |                     
            //   7512                 | dec                 eax

        $sequence_6 = { 488b542450 488b5c2448 4889c7 4889ce 488b442440 c6041f66 b902000000 }
            // n = 7, score = 200
            //   488b542450           | inc                 esp
            //   488b5c2448           | movzx               ebp, byte ptr [esp + 0xc6]
            //   4889c7               | inc                 esp
            //   4889ce               | mov                 byte ptr [esp + 0x7d], ch
            //   488b442440           | inc                 esp
            //   c6041f66             | movzx               ebp, byte ptr [esp + 0xc7]
            //   b902000000           | inc                 esp

        $sequence_7 = { 7534 4889442418 48c744242000000000 488d7c2428 488d7ff0 48896c24f0 488d6c24f0 }
            // n = 7, score = 200
            //   7534                 | mov                 byte ptr [edi + ebx], 0xe9
            //   4889442418           | mov                 ecx, 2
            //   48c744242000000000     | dec    eax
            //   488d7c2428           | mov                 ebx, dword ptr [esp + 0x48]
            //   488d7ff0             | dec                 eax
            //   48896c24f0           | mov                 edi, eax
            //   488d6c24f0           | dec                 eax

        $sequence_8 = { e8???????? 0f1f00 4885c0 0f85d0000000 488b542460 488b5220 488b4218 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   0f1f00               | ret                 
            //   4885c0               | dec                 esp
            //   0f85d0000000         | mov                 edx, dword ptr [esp + 0x128]
            //   488b542460           | dec                 eax
            //   488b5220             | lea                 edi, [0x1f78cf]
            //   488b4218             | movzx               ebx, word ptr [edi + ebx*2]

        $sequence_9 = { 488d5c241a b906000000 e8???????? 488b6c2428 4883c430 c3 89f0 }
            // n = 7, score = 200
            //   488d5c241a           | dec                 eax
            //   b906000000           | mov                 dword ptr [esp + 0x38], ebx
            //   e8????????           |                     
            //   488b6c2428           | dec                 eax
            //   4883c430             | lea                 eax, [0x24ddf9]
            //   c3                   | mov                 ebx, 4
            //   89f0                 | dec                 eax

    condition:
        7 of them and filesize < 9435136
}
Download all Yara Rules