Data malware ‘Exmatter’ upgraded with new extortion tactics

September 26, 2022

A new sample of the data exfiltration malware “Exmatter” was discovered by malware analysts with Cyderes Special Operation. The malware now offers improved data corruption capabilities that could give hackers a new extortion tactic when compromising organizations.

According to researchers from Stairwell and Cyderes, the new capability could mark a shift from traditional ransomware attacks, in which data is stolen and then encrypted, to attacks in which data is stolen and then deleted or damaged.

“As files upload to the actor-controlled server, the files that have been successfully copied to the remote server are queued to be processed by a class named Eraser. A randomly sized segment starting at the beginning of the second file is read into a buffer and then written into the beginning of the first file, overwriting it and corrupting the file,” Cyderes said.

However, Stairwell researchers believe that Exmatter’s partially implemented data destruction capabilities are still under development, because there is no mechanism to remove files from the corruption queue and because the feature that uses the Eraser class, called Erase, does not appear to be fully implemented.
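The overwrite Cyderes describes leaves a file whose first bytes duplicate the start of a different file before its own content resumes, which responders can look for when triaging affected shares. The sketch below is an added example, not code from Cyderes, Stairwell or the article; the signature table, function names and thresholds are assumptions, and it only resolves pairs where exactly one file's header disagrees with its extension.

```python
import os
from collections import defaultdict
from itertools import combinations

# Assumption: a small constructed signature table; extend it for your file types.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".zip": b"PK\x03\x04"}

def shared_prefix(a, b):
    """Length of the identical leading run of two byte strings."""
    n = min(len(a), len(b))
    return next((i for i in range(n) if a[i] != b[i]), n)

def wrong_header(path, head):
    """True when the extension has a known signature and the header lacks it."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    return magic is not None and not head.startswith(magic)

def find_spliced_heads(paths, min_shared=32, probe=1 << 20):
    """Return sorted (suspect, likely_source, shared_bytes) tuples for files
    whose head duplicates another file's head before the contents diverge."""
    heads = {}
    for p in paths:
        with open(p, "rb") as fh:
            heads[p] = fh.read(probe)  # only the head matters for this pattern
    buckets = defaultdict(list)
    for p, h in heads.items():
        if len(h) >= min_shared:
            buckets[h[:min_shared]].append(p)  # cheap grouping before pairwise compare
    findings = []
    for group in buckets.values():
        for a, b in combinations(sorted(group), 2):
            n = shared_prefix(heads[a], heads[b])
            if n == min(len(heads[a]), len(heads[b])):
                continue  # full copy or truncated copy, not a spliced head
            bad_a, bad_b = wrong_header(a, heads[a]), wrong_header(b, heads[b])
            if bad_a != bad_b:  # exactly one file carries a foreign header
                findings.append((a, b, n) if bad_a else (b, a, n))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for suspect, source, n in find_spliced_heads(sys.argv[1:]):
        print(f"{suspect}: first {n} bytes match {source}")
```

Run it over files recovered from an affected host; each finding names the file to restore from backup and the file its header was copied from.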

“Affiliates have also lost out on profits from successful intrusions due to exploitable flaws in the ransomware deployed, as was the case with BlackMatter, the ransomware associated with previous appearances of this .NET-based exfiltration tool. Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data,” Cyderes said.

The sources for this piece include an article in BleepingComputer.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
