SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blackbyte (Back to overview)

BlackByte

Ransomware. Uses dropper written in JavaScript to deploy a .NET payload.

References
2022-10-04SophosAndreas Klopsch
@online{klopsch:20221004:remove:a8a9121, author = {Andreas Klopsch}, title = {{Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse}}, date = {2022-10-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/}, language = {English}, urldate = {2022-10-24} } Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
BlackByte
2022-08-25DarktraceEmma Foulger, Max Heinemeyer
@online{foulger:20220825:detecting:95564b0, author = {Emma Foulger and Max Heinemeyer}, title = {{Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace}}, date = {2022-08-25}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace}, language = {English}, urldate = {2022-08-30} } Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace
BlackByte
2022-07-13NCC GroupRIFT: Research and Intelligence Fusion Team
@online{team:20220713:climbing:eea784b, author = {RIFT: Research and Intelligence Fusion Team}, title = {{Climbing Mount Everest: Black-Byte Bytes Back?}}, date = {2022-07-13}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/}, language = {English}, urldate = {2022-07-15} } Climbing Mount Everest: Black-Byte Bytes Back?
BlackByte
2022-07-05Trend MicroTrend Micro Research
@online{research:20220705:ransomware:01bdccf, author = {Trend Micro Research}, title = {{Ransomware Spotlight: BlackByte}}, date = {2022-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte}, language = {English}, urldate = {2022-07-12} } Ransomware Spotlight: BlackByte
BlackByte
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-18Cisco TalosHolger Unterbrink
@online{unterbrink:20220518:blackbyte:00c8696, author = {Holger Unterbrink}, title = {{The BlackByte ransomware group is striking users all over the globe}}, date = {2022-05-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html}, language = {English}, urldate = {2022-05-25} } The BlackByte ransomware group is striking users all over the globe
BlackByte
2022-05-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220517:hydra:16615d9, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups}}, date = {2022-05-17}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups}, language = {English}, urldate = {2022-05-25} } Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
BlackByte Conti
2022-05-03ZscalerJavier Vicente, Brett Stone-Gross
@online{vicente:20220503:analysis:ae8a3cc, author = {Javier Vicente and Brett Stone-Gross}, title = {{Analysis of BlackByte Ransomware's Go-Based Variants}}, date = {2022-05-03}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants}, language = {English}, urldate = {2022-05-04} } Analysis of BlackByte Ransomware's Go-Based Variants
BlackByte
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-02-28TrellixTaylor Mullins
@online{mullins:20220228:trellix:6ab8bac, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html}, language = {English}, urldate = {2022-03-07} } Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware
BlackByte
2022-02-21PICUS SecurityHüseyin Can YÜCEEL
@online{yceel:20220221:ttps:93e181d, author = {Hüseyin Can YÜCEEL}, title = {{TTPs used by BlackByte Ransomware Targeting Critical Infrastructure}}, date = {2022-02-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure}, language = {English}, urldate = {2022-02-26} } TTPs used by BlackByte Ransomware Targeting Critical Infrastructure
BlackByte
2022-02-14BleepingComputerSergiu Gatlan
@online{gatlan:20220214:fbi:faaad75, author = {Sergiu Gatlan}, title = {{FBI: BlackByte ransomware breached US critical infrastructure}}, date = {2022-02-14}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/}, language = {English}, urldate = {2022-02-16} } FBI: BlackByte ransomware breached US critical infrastructure
BlackByte
2022-02-13The RecordCatalin Cimpanu
@online{cimpanu:20220213:san:4feaacb, author = {Catalin Cimpanu}, title = {{San Francisco 49ers confirm ransomware attack}}, date = {2022-02-13}, organization = {The Record}, url = {https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/}, language = {English}, urldate = {2022-02-14} } San Francisco 49ers confirm ransomware attack
BlackByte
2022-02-11Federal Bureau of Investigation, U.S. Secret Service (USSS)
@techreport{investigation:20220211:joint:3c91f4c, author = {Federal Bureau of Investigation and U.S. Secret Service (USSS)}, title = {{JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware}}, date = {2022-02-11}, institution = {}, url = {https://www.ic3.gov/Media/News/2022/220211.pdf}, language = {English}, urldate = {2022-02-14} } JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware
BlackByte
2021-11-30Red CanaryHarrison van Riper
@online{riper:20211130:proxyshell:060517d, author = {Harrison van Riper}, title = {{ProxyShell exploitation leads to BlackByte ransomware}}, date = {2021-11-30}, organization = {Red Canary}, url = {https://redcanary.com/blog/blackbyte-ransomware/}, language = {English}, urldate = {2021-12-06} } ProxyShell exploitation leads to BlackByte ransomware
BlackByte
2021-11-04Deep instinctShaul Vilkomir-Preisman
@online{vilkomirpreisman:20211104:understanding:c22abf4, author = {Shaul Vilkomir-Preisman}, title = {{Understanding the Windows JavaScript Threat Landscape}}, date = {2021-11-04}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape}, language = {English}, urldate = {2021-11-19} } Understanding the Windows JavaScript Threat Landscape
STRRAT Griffon BlackByte Houdini Vjw0rm
Yara Rules
[TLP:WHITE] win_blackbyte_auto (20221125 | Detects win.blackbyte.)
rule win_blackbyte_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.blackbyte."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b8deffffff ffd1 488b08 4889c2 b8cfffffff ffd1 488b08 }
            // n = 7, score = 200
            //   b8deffffff           | dec                 eax
            //   ffd1                 | lea                 eax, [0x166c22]
            //   488b08               | nop                 
            //   4889c2               | dec                 eax
            //   b8cfffffff           | mov                 edi, dword ptr [esp + 0x58]
            //   ffd1                 | dec                 eax
            //   488b08               | mov                 dword ptr [edi + 0x10], ecx

        $sequence_1 = { b8d8ffffff ffd1 488b08 4889c2 b8bdffffff ffd1 488b08 }
            // n = 7, score = 200
            //   b8d8ffffff           | nop                 
            //   ffd1                 | dec                 eax
            //   488b08               | mov                 dword ptr [esp + 0x18], eax
            //   4889c2               | mov                 byte ptr [eax], 0x9d
            //   b8bdffffff           | dec                 eax
            //   ffd1                 | lea                 eax, [0x1d3b4c]
            //   488b08               | dec                 eax

        $sequence_2 = { 772d 4929d1 4829d3 4d89ca 49f7d9 49c1f93f 4c21ca }
            // n = 7, score = 200
            //   772d                 | mov                 eax, 0x66
            //   4929d1               | dec                 eax
            //   4829d3               | mov                 ebx, dword ptr [esp + 0x40]
            //   4d89ca               | dec                 eax
            //   49f7d9               | mov                 esi, dword ptr [esp + 0x50]
            //   49c1f93f             | dec                 esp
            //   4c21ca               | mov                 eax, dword ptr [esp + 0x5e8]

        $sequence_3 = { e8???????? 89f8 b91a000000 e8???????? 4889f0 b926000000 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   89f8                 | dec                 eax
            //   b91a000000           | mov                 ecx, dword ptr [esp + 0x1e80]
            //   e8????????           |                     
            //   4889f0               | nop                 dword ptr [eax]
            //   b926000000           | dec                 eax
            //   e8????????           |                     

        $sequence_4 = { 493b6610 0f8688000000 4883ec40 48896c2438 488d6c2438 4889442430 90 }
            // n = 7, score = 200
            //   493b6610             | dec                 eax
            //   0f8688000000         | mov                 dword ptr [esp + 0x600], ecx
            //   4883ec40             | dec                 eax
            //   48896c2438           | lea                 eax, [0x639e1]
            //   488d6c2438           | nop                 
            //   4889442430           | dec                 eax
            //   90                   | mov                 dword ptr [esp + 0xb0], ebx

        $sequence_5 = { 4889c2 b801000000 ffd1 488b08 4889c2 b8c5ffffff ffd1 }
            // n = 7, score = 200
            //   4889c2               | movzx               ebp, byte ptr [esp + 0x7c]
            //   b801000000           | inc                 esp
            //   ffd1                 | mov                 byte ptr [esp + 0x6a], ch
            //   488b08               | inc                 esp
            //   4889c2               | movzx               ebp, byte ptr [esp + 0x7a]
            //   b8c5ffffff           | inc                 esp
            //   ffd1                 | movzx               ebp, byte ptr [esp + 0x82]

        $sequence_6 = { 488b442460 488b5c2428 488d4c2470 bf01000000 4889fe e8???????? }
            // n = 6, score = 200
            //   488b442460           | dec                 eax
            //   488b5c2428           | lea                 edx, [ebx + 1]
            //   488d4c2470           | dec                 eax
            //   bf01000000           | mov                 edi, ecx
            //   4889fe               | dec                 eax
            //   e8????????           |                     

        $sequence_7 = { 488b7c2450 48ffc2 4839d7 7fb3 eba5 b801000000 }
            // n = 6, score = 200
            //   488b7c2450           | dec                 eax
            //   48ffc2               | mov                 eax, dword ptr [esp + 0x40]
            //   4839d7               | mov                 word ptr [edi + ebx], 0x7966
            //   7fb3                 | mov                 byte ptr [edi + ebx + 2], 0x75
            //   eba5                 | mov                 ecx, 2
            //   b801000000           | dec                 ecx

        $sequence_8 = { 4c89c9 0f1f440000 4883f801 747f 4989c0 480fafc2 4831c8 }
            // n = 7, score = 200
            //   4c89c9               | dec                 eax
            //   0f1f440000           | mov                 esi, ecx
            //   4883f801             | dec                 eax
            //   747f                 | mov                 eax, dword ptr [esp + 0x40]
            //   4989c0               | mov                 byte ptr [edi + ebx], 0xbe
            //   480fafc2             | mov                 ecx, 0xa
            //   4831c8               | dec                 ecx

        $sequence_9 = { 735e 0fb6740429 89d7 31f2 01c2 4883ff0d 733d }
            // n = 7, score = 200
            //   735e                 | mov                 dword ptr [ecx + eax], edx
            //   0fb6740429           | dec                 eax
            //   89d7                 | mov                 eax, dword ptr [esp + 0x60]
            //   31f2                 | dec                 eax
            //   01c2                 | mov                 ebx, dword ptr [esp + 0x48]
            //   4883ff0d             | dec                 eax
            //   733d                 | test                ebx, ebx

    condition:
        7 of them and filesize < 9435136
}
Download all Yara Rules