BlackByte
Associated Group Descriptions

Name | Description
---|---
Hecamede | (Citation: Symantec BlackByte 2022)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1134.003 | Access Token Manipulation: Make and Impersonate Token | BlackByte constructed a valid authentication token following Microsoft Exchange exploitation to allow for follow-on privileged command execution. (Citation: Microsoft BlackByte 2023)
Enterprise | T1087.002 | Account Discovery: Domain Account | BlackByte has used tools such as AdFind to identify and enumerate domain accounts. (Citation: Microsoft BlackByte 2023)
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | BlackByte staged encryption keys on virtual private servers operated by the adversary. (Citation: FBI BlackByte 2022)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BlackByte collected victim device information, then transmitted it via HTTP POST to command and control infrastructure. (Citation: Microsoft BlackByte 2023)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BlackByte has used Registry Run keys for persistence. (Citation: Microsoft BlackByte 2023)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | BlackByte used encoded PowerShell commands during operations. (Citation: FBI BlackByte 2022) BlackByte has used remote PowerShell commands in victim networks. (Citation: Microsoft BlackByte 2023)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BlackByte executed ransomware using the Windows command shell. (Citation: FBI BlackByte 2022)
Enterprise | T1136.002 | Create Account: Domain Account | BlackByte created privileged domain accounts during intrusions. (Citation: Cisco BlackByte 2024)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | BlackByte modified multiple services on victim machines to enable encryption operations. (Citation: Symantec BlackByte 2022) BlackByte has installed tools such as AnyDesk as a service on victim machines. (Citation: Microsoft BlackByte 2023)
Enterprise | T1491.001 | Defacement: Internal Defacement | BlackByte left ransom notes in all directories where encryption took place. (Citation: FBI BlackByte 2022)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations. (Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)(Citation: Cisco BlackByte 2024)
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | BlackByte modified firewall rules on victim machines to enable remote system discovery. (Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)
Enterprise | T1070.004 | Indicator Removal: File Deletion | BlackByte deleted ransomware executables post-encryption. (Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)
Enterprise | T1036.008 | Masquerading: Masquerade File Type | BlackByte masqueraded configuration files containing encryption keys as PNG files. (Citation: FBI BlackByte 2022)
Enterprise | T1055.012 | Process Injection: Process Hollowing | BlackByte used process hollowing for defense evasion purposes. (Citation: Microsoft BlackByte 2023)
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | BlackByte has used RDP to access other hosts within victim networks. (Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations. (Citation: Picus BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BlackByte created scheduled tasks for payload execution. (Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)
Enterprise | T1505.003 | Server Software Component: Web Shell | BlackByte has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange. (Citation: Picus BlackByte 2022)(Citation: Microsoft BlackByte 2023)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | BlackByte enumerated installed security products during operations. (Citation: Microsoft BlackByte 2023)
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | BlackByte has staged tools such as Cobalt Strike at public file sharing and hosting sites. (Citation: Microsoft BlackByte 2023)
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | BlackByte identified system language settings to determine follow-on execution. (Citation: Picus BlackByte 2022)
Enterprise | T1569.002 | System Services: Service Execution | BlackByte created malicious services for ransomware execution. (Citation: Symantec BlackByte 2022)(Citation: Cisco BlackByte 2024)
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | BlackByte captured credentials for, or impersonated, domain administration users. (Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)
References
- Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
- James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
- Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
- Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.
- US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
- Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.