FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Article Id 253712

Introduction

 

BlackByte ransomware was first observed in July 2021 and has continued to target customers across various industries and across the globe. BlackByte is a Ransomware as a Service (RaaS) group whose affiliates have previously been known to take advantage of high profile vulnerabilities such as those in Microsoft Exchange for initial access. This type of behavior has been directly observed by the FortiGuard IR team.

 

The BlackByte ransomware group has continued to adapt to reporting on its behavior and to improve the ransomware it provides. Initial versions of the BlackByte ransomware had a flaw that allowed a decryptor to be created; however, the BlackByte group patched the issue in later versions. In late February 2023 a new version of the BlackByte malware, rewritten from Go to C++, was identified by Antonio Cocomazzi[1]. This new version is called BlackByteNT, and whilst its implementation differs from previous versions, much of the behavior remains the same.

 

FortiEDR is able to detect and mitigate the threat of BlackByte ransomware, including BlackByteNT out-of-the-box. This article will provide detail around FortiEDR security events generated as a result of BlackByteNT execution and encryption operations it performs. Also provided are threat hunting queries that can be used for proactively hunting for potential BlackByteNT activity and MITRE ATT&CK mappings to support detection for non-FortiEDR protected endpoints in your environment.

 

Analysis

 

To analyze FortiEDR’s ability to detect and mitigate BlackByte ransomware, a BlackByteNT sample was detonated in a test environment with FortiEDR in simulation mode. In this configuration FortiEDR detects all activity but does not apply mitigations, which gives the best insight into how FortiEDR detects the various malware behaviors throughout its execution.

 

The first event generated from execution of the analyzed BlackByteNT sample was a ‘File Execution’ attempt triggered by the ‘Malicious Executable’ rule from FortiEDR’s ‘Execution Prevention’ policy. This event is generated as the file matches known signatures for a malicious file. Signatures are provided through integration with FortiGuard Threat Intelligence feeds. A screenshot of this event as shown in the Forensics view is shown below in Figure 1.

 

Figure 1. FortiEDR event triggered by a File Execution attempt associated with execution of the BlackByteNT sample.

 

Following execution of the main BlackByteNT ransomware executable (named “bb2.exe” during analysis), the BlackByteNT process performs a number of functions as outlined in Table 1 below. Details of how FortiEDR can be used to identify much of this behavior are provided in subsequent sections.

 

| Behavior | Description | Associated MITRE Technique |
| --- | --- | --- |
| Writes an executable to ‘C:\SystemData\<7 random alphanumeric chars>’ | A file containing executable code that is later loaded into a hollowed svchost.exe process. The filename changes between detonations but the content remains the same. | T1027.009 – Obfuscated Files or Information: Embedded Payloads |
| Writes a driver to ‘C:\SystemData\A3V86HEL’ | RTCore64.sys driver vulnerable to CVE-2019-16098, used for EDR bypass. This filename is consistent between detonations of this sample. | T1562.001 – Impair Defenses: Disable or Modify Tools |
| Writes a driver to ‘C:\SystemData\A3V86HEL_1’ | DBUtil_2_3.sys driver vulnerable to CVE-2021-21551, used for EDR bypass. This filename is consistent between detonations of this sample. | T1562.001 – Impair Defenses: Disable or Modify Tools |
| Writes a file to ‘C:\SystemData\MsExchangeLog1.log’ | This file is used by the main BlackByteNT executable as a log of its execution. | - |
| Attempts to ping 1.1.1.1 | The ping command is called through cmd with the arguments ‘/c ping 1.1.1.1 -n 10 >Nul’. This behavior is often used as a network connectivity check, but in this case it is most likely used to add a delay before the execution of subsequent commands. | - |
| Zeroes the contents of the main ransomware executable on disk using fsutil and then deletes the file using del | The following commands are executed through a cmd.exe process spawned by the BlackByteNT executable: ‘fsutil file setZeroData offset=0 length=663424 "<path to main exe>" &Del "<path to main exe>" /F /Q’. These commands zero the contents of the executable and then delete the file. The file is likely zeroed first to prevent its contents being retrieved from slack space, impeding reverse engineering efforts. | T1070.004 – Indicator Removal: File Deletion |
| Starts the RemoteRegistry service | This service is used to access the registry of a remote Windows machine. It is likely started to assist with future reinfection and security software discovery. | T1518.001 – Software Discovery: Security Software Discovery |
| Starts the upnphost service | This service (UPnP Host) is responsible for discovering and communicating with Universal Plug and Play devices on a local network. It is likely started to assist with future reinfection and system discovery. | T1018 – Remote System Discovery |
| Starts the SSDPSRV service | This service (SSDP Discovery) is responsible for discovering and announcing network devices and services that use the UPnP protocol. It is likely started to assist with future reinfection and system discovery. | T1018 – Remote System Discovery |
| Starts the FDResPub service | This service (Function Discovery Resource Publication) is responsible for making a Windows endpoint discoverable on a network. It is likely started to assist with future reinfection and system discovery. | T1018 – Remote System Discovery |
| Starts the fdPHost service | This service (Function Discovery Provider Host) is responsible for enabling the discovery of networked devices through the Function Discovery (FD) protocol. It is likely started to assist with future reinfection and system discovery. | T1018 – Remote System Discovery |
| Starts the swprv service | This service (Microsoft Software Shadow Copy Provider) is responsible for managing and creating volume shadow copies. Ransomware often deletes shadow copies to inhibit system recovery, or creates one to dump credentials. No evidence of volume shadow copies being used for either purpose was detected. | T1490 – Inhibit System Recovery; T1003.003 – OS Credential Dumping: NTDS |
| Disables safe recovery and sets boot to ignore failures using bcdedit | These functions disable automatic Windows recovery features, which may otherwise reduce the impact of ransomware encryption. | T1490 – Inhibit System Recovery |
| Modifies the registry to set EnableLinkedConnections | Modifying this registry value allows a user’s non-elevated token to be linked to their elevated token, which forms part of a UAC bypass technique. | T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control |
| Modifies the registry to enable LocalAccountTokenFilterPolicy | Modifying this registry value allows local accounts to be used for remote administration of an endpoint. By default only domain administrator accounts can be used for remote administration. | T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control |
| Creates the BlackByte logo icon | An icon file (nhLyM.ico) is created in the ‘C:\SystemData\’ folder. This icon is applied to encrypted files. | - |
| Creates and executes a service called ‘A3V86HEL’ with an image path matching the driver created previously with the same name | A service is created to execute the previously written file. This file is a vulnerable RTCore64.sys driver that is used as part of the BlackByteNT EDR bypass technique. This driver allows for the unloading of EDR components. | T1543.003 – Create or Modify System Process: Windows Service; T1562.001 – Impair Defenses: Disable or Modify Tools |
| Deletes the taskmgr.exe, resmon.exe, perfmon.exe and shutdown.exe executables | The main ransomware process attempts to delete the listed executables from System32. This is likely to impede a user from stopping the encryption process, removing the RTCore64 driver to re-enable a disabled EDR, or shutting down the victim endpoint during encryption. | T1562.001 – Impair Defenses: Disable or Modify Tools |
| Encrypts files | BlackByteNT ransomware encrypts files through a file overwrite method. Each target file is renamed to have the ‘.blackbytent’ file extension, then overwritten with encrypted content and then timestomped to ‘946684800000’ (Windows NT time format). | T1486 – Data Encrypted for Impact |
| Creates a ransom note in each directory where files are encrypted and then launches the ransom note using notepad | A ransom note named ‘BB_Readme_CDXNB8WC.txt’ is created in each folder. | - |
| Clears the Windows Event Logs | Following encryption, BlackByteNT clears the Windows Event Logs, likely to impede forensic efforts. | T1070.001 – Indicator Removal: Clear Windows Event Logs |

Table 1. On execution the BlackByteNT sample analyzed in this article exhibited multiple behaviors detectable through FortiEDR telemetry.

 

One of the more significant features of the BlackByte ransomware, also included in the analyzed BlackByteNT sample, is the use of the vulnerable RTCore64.sys and DBUtil_2_3.sys drivers for EDR bypass. Both drivers are deployed by the ransomware but only the RTCore64.sys driver was employed. The first evidence of the use of this driver can be seen through FortiEDR Threat Hunting telemetry as a ‘File Creation’ event, as shown in Figure 2 below. Also shown in Figure 2 are the registry creation events associated with a service being created whose image path is the newly written driver.

 

Figure 2. FortiEDR Threat Hunting data shows that the BlackByteNT process creates a file “C:\SystemData\A3V86HEL” which is then loaded as a service (observable through registry changes).

 

Once the file has been created and the corresponding service has been started, the driver is loaded. This behavior can be observed through FortiEDR Threat Hunting as a ‘Driver Loaded’ event. A screenshot of the Driver Loaded event as shown in the FortiEDR Threat Hunting interface is shown below in Figure 3.

 

Figure 3. FortiEDR Threat Hunting data also shows a ‘Driver Loaded’ event immediately following the “A3V86HEL” file creation events that coincides with the registry creation events linked to the service of the same name.

 

The file hash of the driver retrieved through FortiEDR Threat Hunting matches that of the RTCore64.sys driver vulnerable to CVE-2019-16098[2]. This driver is not inherently malicious, as it is legitimately used as part of the Micro-Star MSI Afterburner application, a popular aftermarket overclocking tool. Figure 4 below shows the low detection rate for the driver, with only 1/69 vendors marking it as malicious.

 

Figure 4. A lookup of the hash in VirusTotal identifies that this driver is RTCore64.sys, a signed driver associated with Micro-Star MSI Afterburner vulnerable to CVE-2019-16098.

 

BlackByte loads this driver, which is then exploited and used to unload drivers from an internal list associated with EDR solutions. A loaded driver is required to obtain the level of privilege needed to perform this function. The purpose of this bypass is to ensure EDR products will not function as intended and will not impede the rest of the ransomware’s execution, i.e. encryption of the victim endpoint. As demonstrated in the events below, FortiEDR continues to detect the malicious behavior associated with the BlackByte malware even after the driver is loaded.

Once the driver associated with the EDR bypass has been loaded, the BlackByteNT sample begins to perform additional functions as it prepares to encrypt files on the victim endpoint. The first function the process performs is to start a svchost.exe process and hollow it. The hollowed process is then injected with the executable code stored in the file ‘C:\SystemData\<7 random alphanumeric chars>’ (the filename was ‘P9KkYby’ in this test execution) that was created when the main BlackByteNT process executed. This process hollowing is detected by the ‘Process Hollowing’ rule in the Ransomware Prevention policy, as shown in the process chain in Figure 5 below.

 

Figure 5. FortiEDR event triggered by a File Write Access attempt associated with the svchost.exe process hollowed by the main BlackByteNT process.

 

This hollowed svchost process performs a variety of functions, including attempting to access credentials on the victim endpoint by accessing memory associated with the lsass.exe process. Given this hollowed process has already been flagged as malicious, this behavior creates a ‘Sensitive Information Access Attempt’ security event as shown below in Figure 6. This behavior would be blocked by FortiEDR in Prevention mode and the malicious process would be terminated by the appropriate playbooks.

 

Figure 6. FortiEDR security event triggered by a Sensitive Information Access attempt associated with the svchost.exe process hollowed by the BlackByteNT process.

 

The injected payload also starts the Volume Shadow Copy service. This behavior can be observed as a File Creation security event as shown in Figure 7 below, and also through a Process Creation threat hunting event for a svchost process hosting the swprv service (Volume Shadow Copy service), shown in Figure 8. This service is likely started so that volume shadow copies can be deleted, or so that a volume shadow copy can be created and then used to dump credentials, although no evidence of either technique was observed.

 

Figure 7. FortiEDR security event triggered when the svchost.exe process hollowed by the BlackByteNT process attempted to create an executable ‘VSSVC.exe’ in the ‘C:\Windows\System32\’ directory.

 

Figure 8. Threat Hunting telemetry showing the hollowed svchost process starting the Volume Shadow Copy service.

 

The hollowed svchost then performs network enumeration through the SSDPSRV and FDResPub services. Network connection attempts through these services are detected by the Exfiltration Prevention policy and are blocked by default. Figure 9 below shows an example network connection event associated with the SSDPSRV service.

Figure 9. FortiEDR security event triggered when the svchost.exe process hollowed by the BlackByteNT process started the SSDP service for network discovery.

 

As well as using the SSDP and FDResPub services for remote system discovery, the hollowed svchost process will also attempt to establish network connections to SMB shares accessible from the victim endpoint. This behavior creates a Network Access event associated with the ‘Process Hollowing’ rule in the Exfiltration Prevention policy. FortiEDR will detect and block this activity in its default configuration. An example of one of these events is shown below in Figure 10; note the process chain originating from the BlackByteNT sample process (bb2.exe).

 

Figure 10. FortiEDR security event triggered when the svchost.exe process hollowed by the BlackByteNT process attempted to enumerate connected SMB shares, resulting in a Network Access event.

 

Following the above behavior, the associated driver file (C:\SystemData\A3V86HEL) is deleted, likely as a way of hiding evidence of execution. This technique is tracked by MITRE as Indicator Removal: File Deletion[3]. This behavior is visible through FortiEDR Threat Hunting telemetry as shown in Figure 11 below.

 

Figure 11. FortiEDR Threat Hunting event showing the driver file being deleted by an associated svchost.exe process once the service created by the BlackByteNT executable has been executed and the driver is loaded.

 

Following the above behavior, the BlackByteNT executable attempts to delete the following executables from System32: taskmgr.exe, resmon.exe, perfmon.exe and shutdown.exe. This is likely to prevent these applications from being used to impede subsequent file encryption. At this stage of the execution the BlackByte process has been flagged as malicious, so the majority of functions it attempts to perform are detected and flagged as malicious by FortiEDR. These file deletion attempts create security events triggered by the ‘Ransomware Protection’ security policy, as shown in Figure 12 below for the deletion of taskmgr.exe. All behavior in detected security events would be mitigated if FortiEDR were in Prevention mode.

 

Figure 12. FortiEDR event triggered by a File Delete Attempt associated with the BlackByteNT process attempting to delete the Taskmgr.exe executable.

 

Once these preparation functions have been completed, the hollowed svchost process begins the encryption process. BlackByteNT ransomware performs encryption by first renaming the file with the ‘.blackbytent’ file extension, then overwriting the file with encrypted data, and then timestomping the creation time of each overwritten file to ‘946684800000’ (Windows NT time format). The FortiEDR execution policy would prevent execution of this svchost.exe process before encryption can occur, but the encryption activity also triggers the ‘File Encryptor’ rule in the Ransomware Prevention security policy (see Figure 13 for the associated event graph). This rule is triggered by suspicious file encryption activity and is a behavior-based detection. This encryption behavior can also be observed in Threat Hunting telemetry as shown below in Figure 14.

 

Figure 13. Event graph from the FortiEDR File Encryptor event triggered by BlackByteNT encryption activity.

 

Figure 14. FortiEDR Threat Hunting telemetry shows the file encryption behavior associated with BlackByteNT encryption.

 

Following successful encryption of targeted files on the victim endpoint, a notepad process is launched that opens the ransom note. The ransom note shown below in Figure 15 was generated during this test execution; note the modified BlackByte NT banner.

 

Figure 15. Ransom note dropped following successful encryption by the BlackByteNT sample.

 

In addition to the ransom note, a number of settings are modified on the victim endpoint that indicate the encryption activity:

  1. The timezone shown near the clock on the taskbar is modified to read ‘BLACKBYTE’
  2. All encrypted files with the file extension ‘.blackbytent’ display the BlackByte logo (a stylized black ‘B’)
  3. All encrypted files with the file extension ‘.blackbytent’ have their file type labeled as ‘ALL YOUR FILES ARE ENCRYPTED’ in the Explorer GUI

Conclusion

 

As highlighted in this article, FortiEDR effectively detects and mitigates post-execution behavior associated with BlackByteNT ransomware operation despite the EDR bypass techniques it employs. Behavior detected by FortiEDR security events will be mitigated, and automated playbooks can be set up to perform automated remediation of threats like BlackByte to reduce remediation workloads for security teams. Behavior-based detections like those demonstrated above highlight the effectiveness of a modern EDR solution in adapting to malware developers’ efforts to subvert security solutions that rely solely on atomic indicators like file hashes for protection. In addition to the protections afforded by FortiEDR’s security policies, FortiEDR Threat Hunting telemetry offers further detection opportunities. Threat hunting queries to detect much of the activity highlighted above are included in the section below. These threat hunting queries can be configured as scheduled hunting queries to fast-track identification of potential BlackByte ransomware execution.

To assist with mapping other security solution coverage to BlackByteNT behavior, observed behavior from BlackByteNT has been mapped to the MITRE ATT&CK framework techniques below with relevant observables. Also below are known IOCs associated with recently observed BlackByteNT campaigns.

 

Threat Hunting

 

The following Threat Hunting query can be used to identify registry ‘Key Created’ events generated by the creation of the service used to load the vulnerable RTCore driver. This service name is consistent across all detonations of the analyzed sample but may change between samples.

Type:"Key Created" AND Registry.Path:"A3V86HEL"

 

 

 

The following Threat Hunting query can be used to identify ‘Driver Loaded’ events associated with loading the vulnerable RTCore64.sys or DBUtil_2_3.sys drivers employed by the analyzed BlackByteNT sample. Note that these drivers have been employed by other threat actors across other campaigns, but all events should be investigated.

Type:"Driver Loaded" AND Target.Executable.File.SHA1:("f6f11ad2cd2b0cf95ed42324876bee1d83e01775" OR "c948ae14761095e4d76b55d9de86412258be7afd")

 

 

 

The following Threat Hunting query can be used to identify registry ‘Value Created’ events associated with the LocalAccountTokenFilterPolicy and EnableLinkedConnections registry values. This is indicative of a UAC bypass technique used for privilege escalation. This technique is not unique to BlackByteNT but should be investigated if observed.

Type:"Value Created" AND Registry.Name:("LocalAccountTokenFilterPolicy" OR "EnableLinkedConnections")

 

 

 

The following Threat Hunting query can be used to identify ‘Process Creation’ events indicative of the bcdedit.exe tool being used to disable components of Windows safe recovery. This is a well-known technique employed by various ransomware families to inhibit system recovery. Disabling these features is anomalous, so all hits should be investigated.

Type:"Process Creation" AND Target.Process.File.Name:"bcdedit.exe" AND Target.Process.CommandLine:("\/set \{default\} bootstatuspolicy ignoreallfailures" OR "\/set \{default\} recoveryenabled No ")

 

 

 

The following Threat Hunting query can be used to identify suspicious ‘File Delete’ events for the taskmgr.exe, resmon.exe, perfmon.exe and shutdown.exe executables in the System32 directory. This is highly anomalous behavior that should be investigated in all cases.

Type:"File Delete" AND Target.File.Path:("Windows\\System32\\Taskmgr.exe" OR "Windows\\System32\\perfmon.exe" OR "Windows\\System32\\resmon.exe" OR "Windows\\System32\\shutdown.exe")

 

 

 

The following Threat Hunting query can be used to identify ‘Process Creation’ events for cmd processes whose command line arguments match those employed by BlackByte to overwrite the contents of its own on-disk executable using fsutil. No signed versions of BlackByte ransomware have been observed, so the query requires the parent process to be unsigned to reduce false positives. This technique is not unique to BlackByteNT.

Type:"Process Creation" AND Target.Process.Name:"cmd.exe" AND Target.Process.CommandLine: ("fsutil file setZeroData") AND Source.Process.File.Signed:"false"

 

 

 

The following Threat Hunting query can be used to identify ‘File Write’ and ‘File Time Set’ events related to files with the ‘blackbytent’ file extension. This behavior indicates successful encryption of victim files, which is useful for identifying specific files that may have been encrypted but is not useful as a basis for playbooks. High confidence; no false positives expected.

Type:("File Time Set" OR "File Write") AND Target.File.Name:"*blackbytent"

 

 

 

The following Threat Hunting query can be used to identify the Windows Security log entry that is written when the log is cleared. This behavior is not specific to BlackByteNT, but where it is not part of normal logging configuration, such events should always be investigated.

Type:"Event Log Entry Created" AND EventLog.Name:"Security" AND Log.EventID:"1102"
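To show how the eight queries above behave as detection logic, here is an added Python example (not FortiEDR code and not part of the original article) that re-implements each query as a predicate over flat telemetry records and runs them over constructed sample events. The flat dict layout, the case-insensitive matching and the sample values (registry key path, command lines, file paths) are assumptions; the driver hashes, service name, registry value names, event ID and file extension are taken from the queries above.

```python
"""Offline evaluation of the Threat Hunting queries from this article.

Added example, not FortiEDR code. Field names mirror the query syntax above
(Type, Registry.Path, Target.Process.CommandLine, ...) but the flat record
layout, case-insensitive matching and the sample events are assumptions."""
import fnmatch

# Hashes copied from the 'Driver Loaded' query above.
RTCORE_SHA1 = "f6f11ad2cd2b0cf95ed42324876bee1d83e01775"
DBUTIL_SHA1 = "c948ae14761095e4d76b55d9de86412258be7afd"
SYSTEM32_TOOLS = ("taskmgr.exe", "perfmon.exe", "resmon.exe", "shutdown.exe")
BCDEDIT_ARGS = ("/set {default} bootstatuspolicy ignoreallfailures",
                "/set {default} recoveryenabled no")
UAC_VALUES = ("LocalAccountTokenFilterPolicy", "EnableLinkedConnections")


def field(ev, key):
    """Lower-cased string value of a telemetry field, '' when absent."""
    return str(ev.get(key, "")).lower()


def rtcore_service_key(ev):
    return ev.get("Type") == "Key Created" and "a3v86hel" in field(ev, "Registry.Path")


def vulnerable_driver_loaded(ev):
    return (ev.get("Type") == "Driver Loaded"
            and field(ev, "Target.Executable.File.SHA1") in (RTCORE_SHA1, DBUTIL_SHA1))


def uac_bypass_registry(ev):
    return ev.get("Type") == "Value Created" and ev.get("Registry.Name") in UAC_VALUES


def bcdedit_recovery_disabled(ev):
    cmd = field(ev, "Target.Process.CommandLine")
    return (ev.get("Type") == "Process Creation"
            and field(ev, "Target.Process.File.Name") == "bcdedit.exe"
            and any(arg in cmd for arg in BCDEDIT_ARGS))


def system32_tool_deleted(ev):
    path = field(ev, "Target.File.Path")
    return (ev.get("Type") == "File Delete"
            and any(path.endswith("windows\\system32\\" + t) for t in SYSTEM32_TOOLS))


def fsutil_self_wipe(ev):
    # Unsigned parent mirrors the Source.Process.File.Signed:"false" clause.
    return (ev.get("Type") == "Process Creation"
            and field(ev, "Target.Process.Name") == "cmd.exe"
            and "fsutil file setzerodata" in field(ev, "Target.Process.CommandLine")
            and field(ev, "Source.Process.File.Signed") == "false")


def blackbytent_extension(ev):
    return (ev.get("Type") in ("File Time Set", "File Write")
            and fnmatch.fnmatch(field(ev, "Target.File.Name"), "*blackbytent"))


def security_log_cleared(ev):
    return (ev.get("Type") == "Event Log Entry Created"
            and ev.get("EventLog.Name") == "Security"
            and str(ev.get("Log.EventID")) == "1102")


RULES = {f.__name__: f for f in (
    rtcore_service_key, vulnerable_driver_loaded, uac_bypass_registry,
    bcdedit_recovery_disabled, system32_tool_deleted, fsutil_self_wipe,
    blackbytent_extension, security_log_cleared)}


def evaluate(events, rules=RULES):
    """Return (rule name, event) for every event that satisfies a hunt query."""
    return [(name, ev) for ev in events for name, match in rules.items() if match(ev)]


# Constructed sample telemetry: one hit per query plus two benign records.
SAMPLE_EVENTS = [
    {"Type": "Key Created", "Registry.Path": r"HKLM\SYSTEM\CurrentControlSet\Services\A3V86HEL"},
    {"Type": "Driver Loaded", "Target.Executable.File.SHA1": RTCORE_SHA1},
    {"Type": "Value Created", "Registry.Name": "EnableLinkedConnections"},
    {"Type": "Process Creation", "Target.Process.File.Name": "bcdedit.exe",
     "Target.Process.CommandLine": "bcdedit /set {default} recoveryenabled No "},
    {"Type": "File Delete", "Target.File.Path": r"C:\Windows\System32\Taskmgr.exe"},
    {"Type": "Process Creation", "Target.Process.Name": "cmd.exe",  # path is constructed
     "Target.Process.CommandLine": 'cmd /c fsutil file setZeroData offset=0 length=663424 '
                                   '"C:\\Users\\Public\\bb2.exe" &Del "C:\\Users\\Public\\bb2.exe" /F /Q',
     "Source.Process.File.Signed": "false"},
    {"Type": "File Time Set", "Target.File.Name": "report.docx.blackbytent"},
    {"Type": "Event Log Entry Created", "EventLog.Name": "Security", "Log.EventID": "1102"},
    # Benign noise: a signed installer using fsutil, and an ordinary file write.
    {"Type": "Process Creation", "Target.Process.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd /c fsutil file setZeroData offset=0 length=4096 tmp.bin",
     "Source.Process.File.Signed": "true"},
    {"Type": "File Write", "Target.File.Name": "notes.txt"},
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"{name:28s} {ev}")
```

Each predicate is kept separate so that a hit can be labelled with the query that produced it, which is what a scheduled hunt needs when it feeds a ticket or playbook; the two benign records show that the unsigned-parent and extension conditions are what keep the fsutil and file-write rules from firing on ordinary activity.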

 

 

 

 

MITRE ATT&CK

TA0002 – Execution

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1569.002 | System Services: Service Execution | BlackByteNT creates and executes a new service to load the vulnerable RTCore64.sys driver it later uses to implement an EDR bypass technique. The service name observed in the analysis for this article was ‘A3V86HEL’, the same name as the copy of the RTCore driver at ‘C:\SystemData\A3V86HEL’. |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BlackByteNT employs cmd.exe at various stages of its execution to perform preparatory tasks prior to file encryption. |

TA0004 – Privilege Escalation

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | The hollowed svchost process created by the main BlackByteNT process creates the ‘EnableLinkedConnections’ and ‘LocalAccountTokenFilterPolicy’ registry values, which can allow local credentials to be used for remote administration. Evidence of these features being used for privilege escalation was not observed, but this behavior is non-standard. |

TA0005 – Defense Evasion

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1211 | Exploitation for Defense Evasion | BlackByteNT employs a vulnerable version of the RTCore64.sys driver, which is used for EDR bypass. Windows requires that all drivers it loads are signed with a valid signature and are present on disk. The driver used by the BlackByteNT sample analyzed in this article was written to ‘C:\SystemData\A3V86HEL’. The vulnerable DBUtils driver is also dropped by the BlackByteNT sample on execution but was not employed. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | BlackByteNT employs a vulnerable version of the RTCore64.sys driver, which is used for EDR bypass. Details of the EDR bypass techniques employed by BlackByte are outlined here by Sophos but do not affect FortiEDR’s operation. The vulnerable driver can be identified as it is loaded by Windows; because it is signed it has a fixed hash (note there are multiple known vulnerable versions). The vulnerable DBUtils driver is also dropped by the BlackByteNT sample on execution but was not employed. |
| T1055.012 | Process Injection: Process Hollowing | BlackByteNT includes an embedded payload that is injected into a hollowed svchost.exe process. This svchost process is started with the same command line arguments as the original BlackByteNT process (i.e. the seed phrase needed to launch the ransomware), which provides opportunities for detection. |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | Following successful encryption of files on a victim endpoint, BlackByteNT clears the Windows event logs. |
| T1070.004 | Indicator Removal: File Deletion | Following successful execution, BlackByteNT zeroes the contents of its on-disk executable using fsutil and then deletes the overwritten executable. |
| T1027.009 | Obfuscated Files or Information: Embedded Payloads | BlackByteNT contains an embedded payload that is written to disk at ‘C:\SystemData\<7 random alphanumeric chars>’ and is loaded into a hollowed svchost.exe process during execution. This payload contains the encryption functions for the ransomware. |

TA0007 – Discovery

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1518.001 | Software Discovery: Security Software Discovery | BlackByteNT attempts to identify EDR software running on a victim endpoint and then uses the RTCore64.sys driver to disable and impede the identified EDR software’s operation. This activity does not affect FortiEDR’s operation, as highlighted in this article. This enumeration of EDR software is performed by the BlackByteNT executable directly. |
| T1018 | Remote System Discovery | BlackByteNT starts a number of Windows services that can be used to identify other endpoints connected to the same network as the victim. The svchost hollowed by the main BlackByteNT process launches instances of svchost hosting the following services: RemoteRegistry, upnphost, SSDPSRV, FDResPub and fdPHost. Each of these is hosted in its own svchost.exe process. |

TA0008 – Lateral Movement

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | BlackByteNT attempted to access SMB file shares to encrypt hosted files. This encryption activity originates from the hollowed svchost process created by the main BlackByteNT process. |

TA0040 – Impact

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | BlackByteNT encrypts non-system files on a victim endpoint. The ransomware first renames targeted files by appending the ‘.blackbytent’ file extension, then overwrites the original file with encrypted content and finally timestomps the encrypted file to ‘946684800000’ (Windows NT time format). |
| T1490 | Inhibit System Recovery | BlackByteNT uses bcdedit.exe to disable Windows recovery features. This was done through a cmd process spawned from the hollowed svchost process created by the main BlackByteNT process, with the following command line arguments: ‘/c bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures’. BlackByteNT also starts the Volume Shadow Copy service. Ransomware often targets this service to delete shadow copies and inhibit system recovery. No evidence of shadow copies being deleted was observed, but this malware was not tested in an environment where volume shadow copies were available. |

 

IOCs

| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
| --- | --- | --- | --- | --- | --- |
| BlackByteNT Executable | c0950ebfa3a63c705ca813cfd28364aa1d90bb09 | SHA1 Hash | Impact | This is the BlackByteNT sample analyzed in this article. | 2023-02-21 |
| BlackByteNT Executable | 990a762a0a80da13e716653d9ee1b7f5dc1a0172 | SHA1 Hash | Impact | BlackByte binary. | 2023-03-21 |
| BlackByteNT Executable | adf4aae5160b26370e4f90620e9b0edcbb56c432 | SHA1 Hash | Impact | BlackByte binary. | 2023-04-03 |
| BlackByteNT Executable | c2366ca1f869cb3579641b2de5796cb92afb67a1 | SHA1 Hash | Impact | BlackByte binary. | 2023-04-16 |
| BlackByteNT Executable | 6dc9c0eb798f35c123beb8868321a5e754ee889c | SHA1 Hash | Impact | BlackByte binary. | 2023-04-19 |
| BlackByteNT Executable | b026c447ab06ab07c7d0c1505785f7e47f1ef860 | SHA1 Hash | Impact | BlackByte binary. | 2023-04-19 |
| BlackByteNT Executable | 4edd62b710e82bc380aa77cb536338669a8e7e49 | SHA1 Hash | Impact | BlackByte binary. | 2023-04-20 |
| Vulnerable RTCore Driver | f6f11ad2cd2b0cf95ed42324876bee1d83e01775 | SHA1 Hash | Defense Evasion | Vulnerable RTCore driver used by the BlackByteNT sample analyzed in this article. | 2017-09-02 |
| Vulnerable RTCore Driver | f56fec3f2012cd7fc4528626debc590909ed74b6 | SHA1 Hash | Defense Evasion | Alternative vulnerable RTCore driver. | 2019-10-08 |
| Vulnerable RTCore Driver | 879e92a7427bdbcc051a18bbb3727ac68154e825 | SHA1 Hash | Defense Evasion | Alternative vulnerable RTCore driver. | 2012-11-20 |
| Vulnerable RTCore Driver | b5dfa3396136236cc9a5c91f06514fa717508ef5 | SHA1 Hash | Defense Evasion | Alternative vulnerable RTCore driver. | 2014-09-04 |
| Vulnerable RTCore Driver | d28b604b9bb608979cc0eab1e9e93e11c721aa3d | SHA1 Hash | Defense Evasion | Alternative vulnerable RTCore driver. | 2019-05-25 |
| Vulnerable RTCore Driver | 722aa0fa468b63c5d7ea308d77230ae3169d5f83 | SHA1 Hash | Defense Evasion | Alternative vulnerable RTCore driver. | 2015-06-05 |
| Vulnerable RTCore Driver | cc3e5e45aca5b670035dfb008f0a88cecfd91cf7 | SHA1 Hash | Defense Evasion | Alternative vulnerable RTCore driver. | 2020-07-15 |
| Vulnerable DBUtils Driver | c948ae14761095e4d76b55d9de86412258be7afd | SHA1 Hash | Defense Evasion | Vulnerable DBUtils driver used by the BlackByteNT sample analyzed in this article. | 2012-10-17 |
| Vulnerable DBUtils Driver | c6920171fa6dff2c17eb83befb5fd28e8dddf5f0 | SHA1 Hash | Defense Evasion | Alternative vulnerable DBUtils driver. | 2010-09-27 |
| Vulnerable DBUtils Driver | 10b30bdee43b3a2ec4aa63375577ade650269d25 | SHA1 Hash | Defense Evasion | Alternative vulnerable DBUtils driver. | 2020-10-19 |
| Vulnerable DBUtils Driver | d8681830888159a0c404b1db198f353f2cada14a | SHA1 Hash | Defense Evasion | Alternative vulnerable DBUtils driver. | 2020-11-29 |
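As an added example (not FortiEDR tooling and not code from this article), the following Python sweeps a directory tree and reports any file whose SHA1 matches an indicator from the table above. The hash list is copied from the table; the demo() function plants a constructed stand-in file in a temporary directory and adds its hash to a copy of the indicator set so the example runs offline without any real sample. A hit on one of the RTCore or DBUtils hashes identifies a known-vulnerable signed driver, which legitimate software and other threat actors also ship, so it warrants investigation rather than being treated as proof of BlackByte on its own.

```python
"""Sweep a directory tree for files matching the SHA1 IOCs listed above.

Added example, not FortiEDR tooling. The hash table is copied from the IOC
table in this article; demo() constructs its own input so it runs offline."""
import hashlib
import os
import tempfile

BLACKBYTENT_IOCS = {
    # BlackByteNT executables
    "c0950ebfa3a63c705ca813cfd28364aa1d90bb09": "BlackByteNT executable (sample analyzed above)",
    "990a762a0a80da13e716653d9ee1b7f5dc1a0172": "BlackByteNT executable",
    "adf4aae5160b26370e4f90620e9b0edcbb56c432": "BlackByteNT executable",
    "c2366ca1f869cb3579641b2de5796cb92afb67a1": "BlackByteNT executable",
    "6dc9c0eb798f35c123beb8868321a5e754ee889c": "BlackByteNT executable",
    "b026c447ab06ab07c7d0c1505785f7e47f1ef860": "BlackByteNT executable",
    "4edd62b710e82bc380aa77cb536338669a8e7e49": "BlackByteNT executable",
    # Vulnerable RTCore drivers (legitimately signed; presence alone is not proof of BlackByte)
    "f6f11ad2cd2b0cf95ed42324876bee1d83e01775": "Vulnerable RTCore driver (used by analyzed sample)",
    "f56fec3f2012cd7fc4528626debc590909ed74b6": "Vulnerable RTCore driver",
    "879e92a7427bdbcc051a18bbb3727ac68154e825": "Vulnerable RTCore driver",
    "b5dfa3396136236cc9a5c91f06514fa717508ef5": "Vulnerable RTCore driver",
    "d28b604b9bb608979cc0eab1e9e93e11c721aa3d": "Vulnerable RTCore driver",
    "722aa0fa468b63c5d7ea308d77230ae3169d5f83": "Vulnerable RTCore driver",
    "cc3e5e45aca5b670035dfb008f0a88cecfd91cf7": "Vulnerable RTCore driver",
    # Vulnerable DBUtils drivers
    "c948ae14761095e4d76b55d9de86412258be7afd": "Vulnerable DBUtils driver (dropped by analyzed sample)",
    "c6920171fa6dff2c17eb83befb5fd28e8dddf5f0": "Vulnerable DBUtils driver",
    "10b30bdee43b3a2ec4aa63375577ade650269d25": "Vulnerable DBUtils driver",
    "d8681830888159a0c404b1db198f353f2cada14a": "Vulnerable DBUtils driver",
}


def sha1_of(path, chunk=1 << 20):
    """Stream a file through SHA1 so large drivers or images do not load into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs=BLACKBYTENT_IOCS):
    """Return (path, sha1, label) for every file under root whose hash is an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo():
    """Constructed demo: plant a stand-in file and add its hash to a copy of the IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        # The SystemData\A3V86HEL layout copies the drop path from the article; contents are made up.
        planted = os.path.join(tmp, "SystemData", "A3V86HEL")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as fh:
            fh.write(b"constructed stand-in for a dropped driver\n")
        with open(os.path.join(tmp, "benign.txt"), "w") as fh:
            fh.write("nothing to see here\n")
        iocs = dict(BLACKBYTENT_IOCS)
        iocs[sha1_of(planted)] = "constructed test artifact"
        return [(os.path.relpath(p, tmp), d, label) for p, d, label in sweep(tmp, iocs)]


if __name__ == "__main__":
    for rel_path, digest, label in demo():
        print(f"{digest}  {label}: {rel_path}")
```

Because the indicator set is a plain dict keyed by hash, the same sweep can be pointed at a mounted disk image or a collected triage folder, and additional hashes from later campaigns can be merged in without changing the code.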

 

 

 

[1] https://twitter.com/splinter_code/status/1628057204954652674

[2] https://nvd.nist.gov/vuln/detail/CVE-2019-16098

[3] https://attack.mitre.org/techniques/T1070/004/