win.blackbyte

BlackByte


Ransomware, publicly tracked since at least late 2021. Early samples use a dropper written in JavaScript to deploy a .NET payload; later variants are written in Go (see Zscaler, 2022-05-03). Reported initial access includes exploitation of ProxyShell on Microsoft Exchange servers (Red Canary, 2021-11-30), and the FBI/USSS published a joint advisory with indicators of compromise in February 2022 after intrusions at US critical-infrastructure organizations. When relying on the auto-generated YARA rule below, note that its byte sequences are native x86-64 code, so check which variant (Go or .NET) the reference sample actually covers.

References
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-18Cisco TalosHolger Unterbrink
@online{unterbrink:20220518:blackbyte:00c8696, author = {Holger Unterbrink}, title = {{The BlackByte ransomware group is striking users all over the globe}}, date = {2022-05-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html}, language = {English}, urldate = {2022-05-25} } The BlackByte ransomware group is striking users all over the globe
BlackByte
2022-05-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220517:hydra:16615d9, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups}}, date = {2022-05-17}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups}, language = {English}, urldate = {2022-05-25} } Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
BlackByte Conti
2022-05-03ZscalerJavier Vicente, Brett Stone-Gross
@online{vicente:20220503:analysis:ae8a3cc, author = {Javier Vicente and Brett Stone-Gross}, title = {{Analysis of BlackByte Ransomware's Go-Based Variants}}, date = {2022-05-03}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants}, language = {English}, urldate = {2022-05-04} } Analysis of BlackByte Ransomware's Go-Based Variants
BlackByte
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-02-28TrellixTaylor Mullins
@online{mullins:20220228:trellix:6ab8bac, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html}, language = {English}, urldate = {2022-03-07} } Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware
BlackByte
2022-02-21PICUS SecurityHüseyin Can YÜCEEL
@online{yceel:20220221:ttps:93e181d, author = {Hüseyin Can YÜCEEL}, title = {{TTPs used by BlackByte Ransomware Targeting Critical Infrastructure}}, date = {2022-02-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure}, language = {English}, urldate = {2022-02-26} } TTPs used by BlackByte Ransomware Targeting Critical Infrastructure
BlackByte
2022-02-14BleepingComputerSergiu Gatlan
@online{gatlan:20220214:fbi:faaad75, author = {Sergiu Gatlan}, title = {{FBI: BlackByte ransomware breached US critical infrastructure}}, date = {2022-02-14}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/}, language = {English}, urldate = {2022-02-16} } FBI: BlackByte ransomware breached US critical infrastructure
BlackByte
2022-02-13The RecordCatalin Cimpanu
@online{cimpanu:20220213:san:4feaacb, author = {Catalin Cimpanu}, title = {{San Francisco 49ers confirm ransomware attack}}, date = {2022-02-13}, organization = {The Record}, url = {https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/}, language = {English}, urldate = {2022-02-14} } San Francisco 49ers confirm ransomware attack
BlackByte
2022-02-11Federal Bureau of Investigation, U.S. Secret Service (USSS)
@techreport{investigation:20220211:joint:3c91f4c, author = {Federal Bureau of Investigation and U.S. Secret Service (USSS)}, title = {{JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware}}, date = {2022-02-11}, institution = {}, url = {https://www.ic3.gov/Media/News/2022/220211.pdf}, language = {English}, urldate = {2022-02-14} } JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware
BlackByte
2021-11-30Red CanaryHarrison van Riper
@online{riper:20211130:proxyshell:060517d, author = {Harrison van Riper}, title = {{ProxyShell exploitation leads to BlackByte ransomware}}, date = {2021-11-30}, organization = {Red Canary}, url = {https://redcanary.com/blog/blackbyte-ransomware/}, language = {English}, urldate = {2021-12-06} } ProxyShell exploitation leads to BlackByte ransomware
BlackByte
2021-11-04Deep instinctShaul Vilkomir-Preisman
@online{vilkomirpreisman:20211104:understanding:c22abf4, author = {Shaul Vilkomir-Preisman}, title = {{Understanding the Windows JavaScript Threat Landscape}}, date = {2021-11-04}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape}, language = {English}, urldate = {2021-11-19} } Understanding the Windows JavaScript Threat Landscape
STRRAT Griffon BlackByte Houdini Vjw0rm
Yara Rules
[TLP:WHITE] win_blackbyte_auto (20220516 | Detects win.blackbyte.)
rule win_blackbyte_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.blackbyte."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        // TLP:WHITE is the pre-TLP-2.0 label for this level (renamed TLP:CLEAR in TLP 2.0).
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The hex byte strings are what YARA matches on and are authoritative.
     *   The per-instruction comments emitted by the generator decoded these
     *   bytes as 32-bit x86 (the REX prefixes 0x44/0x48/0x4c/0x4d showed up as
     *   inc/dec of esp/eax/ecx), which is wrong for this sample. The comments
     *   below were re-decoded by hand as x86-64; re-check them with a
     *   disassembler before citing them in a report.
     * - Several sequences resemble Go compiler idioms: a frame-pointer epilogue
     *   ($sequence_3), a duffzero-style setup ($sequence_7) and a write-barrier
     *   flag check ($sequence_8). That would be consistent with the Go-based
     *   variants described by Zscaler (2022-05-03) rather than with the .NET
     *   payload mentioned in the family description -- confirm against the
     *   reference sample before assuming this rule covers the .NET builds.
     * - $sequence_1/2/5/6/9 are the same repeating pattern
     *   (mov eax, imm32 ; call rcx ; mov rcx, [rax] ; mov rdx, rax) with
     *   different immediates, so they are not independent evidence of each
     *   other; treat a hit that consists mostly of these as weaker.
     * - Condition: any 7 of the 10 sequences, and filesize below 9435136 bytes
     *   (~9 MiB). The size cap excludes larger files and oversized dumps;
     *   `filesize` is file-oriented, so check your scanner's semantics when
     *   scanning process memory.
     */


    strings:
        $sequence_0 = { 4488ac2489000000 440fb6ac24c4000000 4488ac2488000000 440fb6ac24c5000000 4488ac2487000000 440fb6ac24c6000000 4488ac2486000000 }
            // n = 7, score = 200
            // Unrolled byte copy: reads [rsp+0xc4], [rsp+0xc5], [rsp+0xc6] in
            // ascending order and writes them to [rsp+0x89] .. [rsp+0x86] in
            // descending order -- looks like an in-stack buffer reversal (unconfirmed).
            //   4488ac2489000000       | mov                 byte ptr [rsp + 0x89], r13b
            //   440fb6ac24c4000000     | movzx               r13d, byte ptr [rsp + 0xc4]
            //   4488ac2488000000       | mov                 byte ptr [rsp + 0x88], r13b
            //   440fb6ac24c5000000     | movzx               r13d, byte ptr [rsp + 0xc5]
            //   4488ac2487000000       | mov                 byte ptr [rsp + 0x87], r13b
            //   440fb6ac24c6000000     | movzx               r13d, byte ptr [rsp + 0xc6]
            //   4488ac2486000000       | mov                 byte ptr [rsp + 0x86], r13b

        $sequence_1 = { b8fbffffff ffd1 488b08 4889c2 b80b000000 ffd1 488b08 }
            // n = 7, score = 200
            // Indirect calls through rcx with a small signed selector in eax
            // (-5, then 11); the callee is reloaded from [rax] after each call.
            //   b8fbffffff           | mov                 eax, 0xfffffffb
            //   ffd1                 | call                rcx
            //   488b08               | mov                 rcx, qword ptr [rax]
            //   4889c2               | mov                 rdx, rax
            //   b80b000000           | mov                 eax, 0xb
            //   ffd1                 | call                rcx
            //   488b08               | mov                 rcx, qword ptr [rax]

        $sequence_2 = { b8f6ffffff ffd1 488b08 4889c2 b8e9ffffff ffd1 488b08 }
            // n = 7, score = 200
            // Same call-through-rcx pattern as $sequence_1, selectors -10 and -23.
            //   b8f6ffffff           | mov                 eax, 0xfffffff6
            //   ffd1                 | call                rcx
            //   488b08               | mov                 rcx, qword ptr [rax]
            //   4889c2               | mov                 rdx, rax
            //   b8e9ffffff           | mov                 eax, 0xffffffe9
            //   ffd1                 | call                rcx
            //   488b08               | mov                 rcx, qword ptr [rax]

        $sequence_3 = { 7ce6 31c0 488d5c241a b937000000 e8???????? 488bac2488000000 4881c490000000 }
            // n = 7, score = 200
            // Tail of a loop (jl back -0x1a), a call with rbx = &stack[0x1a] and
            // ecx = 0x37, then a frame-pointer restore / stack release that
            // matches the shape of a Go function epilogue (unconfirmed).
            //   7ce6                 | jl                  short -0x1a
            //   31c0                 | xor                 eax, eax
            //   488d5c241a           | lea                 rbx, [rsp + 0x1a]
            //   b937000000           | mov                 ecx, 0x37
            //   e8????????           | call                <rel32, wildcarded>
            //   488bac2488000000     | mov                 rbp, qword ptr [rsp + 0x88]
            //   4881c490000000       | add                 rsp, 0x90

        $sequence_4 = { 4c89642418 4889542420 4889cb 488b8c24d8000000 e8???????? 48898424d8000000 48899c24d0000000 }
            // n = 7, score = 200
            // Spills r12/rdx to the frame, calls with rcx taken from [rsp+0xd8],
            // and stores the result (rax) and saved rcx (rbx) back to the frame.
            //   4c89642418           | mov                 qword ptr [rsp + 0x18], r12
            //   4889542420           | mov                 qword ptr [rsp + 0x20], rdx
            //   4889cb               | mov                 rbx, rcx
            //   488b8c24d8000000     | mov                 rcx, qword ptr [rsp + 0xd8]
            //   e8????????           | call                <rel32, wildcarded>
            //   48898424d8000000     | mov                 qword ptr [rsp + 0xd8], rax
            //   48899c24d0000000     | mov                 qword ptr [rsp + 0xd0], rbx

        $sequence_5 = { 488b08 4889c2 b822000000 ffd1 488b08 4889c2 b8ffffffff }
            // n = 7, score = 200
            // Same call-through-rcx pattern as $sequence_1, selectors 0x22 and -1.
            //   488b08               | mov                 rcx, qword ptr [rax]
            //   4889c2               | mov                 rdx, rax
            //   b822000000           | mov                 eax, 0x22
            //   ffd1                 | call                rcx
            //   488b08               | mov                 rcx, qword ptr [rax]
            //   4889c2               | mov                 rdx, rax
            //   b8ffffffff           | mov                 eax, 0xffffffff

        $sequence_6 = { b801000000 ffd1 488b08 4889c2 b8edffffff ffd1 488b08 }
            // n = 7, score = 200
            // Same call-through-rcx pattern as $sequence_1, selectors 1 and -19.
            //   b801000000           | mov                 eax, 1
            //   ffd1                 | call                rcx
            //   488b08               | mov                 rcx, qword ptr [rax]
            //   4889c2               | mov                 rdx, rax
            //   b8edffffff           | mov                 eax, 0xffffffed
            //   ffd1                 | call                rcx
            //   488b08               | mov                 rcx, qword ptr [rax]

        $sequence_7 = { 7534 4889442418 48c744242000000000 488d7c2428 488d7ff0 48896c24f0 488d6c24f0 }
            // n = 7, score = 200
            // Zero-initialises a frame slot, then the rdi/rbp shuffle that Go
            // emits before calling runtime.duffzero (unconfirmed; the call
            // itself is outside the sequence).
            //   7534                 | jne                 short +0x34
            //   4889442418           | mov                 qword ptr [rsp + 0x18], rax
            //   48c744242000000000   | mov                 qword ptr [rsp + 0x20], 0
            //   488d7c2428           | lea                 rdi, [rsp + 0x28]
            //   488d7ff0             | lea                 rdi, [rdi - 0x10]
            //   48896c24f0           | mov                 qword ptr [rsp - 0x10], rbp
            //   488d6c24f0           | lea                 rbp, [rsp - 0x10]

        $sequence_8 = { 833d????????00 7506 4c890418 eb05 e8???????? 4d8d4301 4c39c1 }
            // n = 7, score = 200
            // Tests a RIP-relative global flag, stores r8 directly if it is zero
            // and otherwise goes through a call -- the shape of a Go GC
            // write-barrier check (unconfirmed). The flag address is wildcarded.
            //   833d????????00       | cmp                 dword ptr [rip + <disp32, wildcarded>], 0
            //   7506                 | jne                 short +6
            //   4c890418             | mov                 qword ptr [rax + rbx], r8
            //   eb05                 | jmp                 short +5
            //   e8????????           | call                <rel32, wildcarded>
            //   4d8d4301             | lea                 r8, [r11 + 1]
            //   4c39c1               | cmp                 rcx, r8

        $sequence_9 = { 4889c2 b806000000 ffd1 488b08 4889c2 b8faffffff ffd1 }
            // n = 7, score = 200
            // Same call-through-rcx pattern as $sequence_1, selectors 6 and -6.
            //   4889c2               | mov                 rdx, rax
            //   b806000000           | mov                 eax, 6
            //   ffd1                 | call                rcx
            //   488b08               | mov                 rcx, qword ptr [rax]
            //   4889c2               | mov                 rdx, rax
            //   b8faffffff           | mov                 eax, 0xfffffffa
            //   ffd1                 | call                rcx

    condition:
        // Any 7 of the 10 sequences; the 9435136-byte (~9 MiB) cap limits the
        // rule to files of roughly the reference sample's size class.
        7 of them and filesize < 9435136
}