BlackMatter Ransomware Analysis; The Dark Side Returns



BlackMatter is a new ransomware threat discovered at the end of July 2021.
This malware started with a strong group of attacks and some advertising from its developers that claims they take the best parts of other malware, such as GandCrab, LockBit and DarkSide, despite also saying they are a new group of developers. We at McAfee Enterprise Advanced Threat Research (ATR) have serious doubts about this last statement, as analysis shows the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack which caught the attention of the US government and law enforcement agencies around the world.
The main goal of BlackMatter is to encrypt files in the infected computer and demand a ransom for decrypting them. As with previous ransomware, the operators steal files and private information from compromised servers and request an additional ransom to not publish them on the internet.
McAfee's EPP solution covers BlackMatter ransomware with an array of prevention and detection techniques.
ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-BlackMatter!<hash>. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.
Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.
BlackMatter is usually seen as an EXE program and, in special cases, as a DLL (Dynamic Link Library) for Windows. Linux machines can be affected with special versions of it too but in this report we will only be covering the Windows version.
This report will focus on version 1.2 of BlackMatter while also noting the important changes in the current version, 2.0.
BlackMatter is programmed in C++ and has a size of 67Kb.

FIGURE 1. Information about the malware
The compile date of this sample is the 23rd of July 2021. While these dates can be altered, we think it is correct; version 1.9 has a compile time of 12 August 2021 and the latest version, 2.0, has a date 4 days later, on the 16th of August 2021. It is clear that the malware developers are actively improving the code and making detection and analysis harder.
The first action performed by BlackMatter is the preparation of some modules that will be needed later to get the required functions of Windows.

FIGURE 2. BlackMatter searching for functions
BlackMatter uses some tricks to try to make analysis harder and avoid debuggers. Instead of searching for module names it will check for hashes precalculated with a ROT13 algorithm. The modules needed are "kernel32.dll" and "ntdll.dll". From both modules it will try to get the functions that reserve memory in the process heap. The APIs are searched using a combination of the PEB (Process Environment Block) of the module and the EAT (Export Address Table), enumerating all function names. With these names it will calculate the custom hash and check it against the target hashes.

FIGURE 3. BlackMatter detecting a debugger
At this point BlackMatter will use a special piece of code to detect debuggers, checking the last 2 "DWORDS" after the memory is reserved, looking for the bytes "0xABABABAB". These bytes always exist when a process reserves memory in the heap and, if the heap has one special flag (that by default is set when a process is in a debugger), the malware will avoid saving the pointer to the memory reserved so, in this case, the variables will keep a null pointer.
In Windows operating systems the memory has different conditions based on whether a program is running in normal mode (as usual) or in debugging mode (a mode used by programmers, for example). In this case, when the memory is reserved to keep information, if it is in debugging mode, Windows will mark the end of this memory with a special value, "0xABABABAB". BlackMatter checks for this value and, if found, the debugger is detected. To avoid having it run normally it will destroy the function address that it got before, meaning it will crash, thus avoiding the execution.

FIGURE 4. Preparing the protection stub function
After this check it will create a special stub in the reserved memory which is very simple but effective in making analysis harder, as the stub will need to be executed to see which function is called and executed.
This procedure will be done with all functions that will be needed; the hashes are kept hardcoded in the middle of the ".text" section in little structs as data. The end of each struct will be recognized by a check against the "0xCCCCCCCC" value.

FIGURE 5. Hashes of the functions needed
This behavior highlights that the BlackMatter developers know some tricks to make analysis harder, though it is easy to defeat both by patching the binary.
After this, the ransomware will use another trick to avoid the use of debuggers. BlackMatter will call the function "ZwSetInformationThread" with the class argument of 0x11, which will hide the calling thread from the debuggers.
If the malware executes it correctly and a debugger is attached, the debugging session will finish immediately. This code is executed later in the threads that will be used to encrypt files.

FIGURE 6. Another way to detect a debugger
The next action is to check if the user that launched the process belongs to the local group of Administrators in the machine using the function "SHTestTokenMembership". In the case that the user belongs to the administrator group the code will continue normally but in other cases it will get the operating system version using the PEB (to avoid using API functions that can alter the version) and, if it is available, will open the process and check the token to see if it belongs to the Administrators group.

FIGURE 7. BlackMatter checking if it has administrator rights
In the case that the user does not belong to the Administrator group the process will use a clever trick to escalate privileges.
The first action is to prepare the string "dllhost.exe" and enumerate all modules loaded. For each module it will check one field in the initial structure that all executables have that keeps the base memory address where it will be loaded (for example, kernel32.dll at 0x7fff0000) and will compare it with its own base address. If it is equal, it will change its name in the PEB fields and the path and arguments path to "dllhost.exe" (in the case of the path and argument path, to the SYSTEM32 folder, where the legitimate "dllhost.exe" exists). In other words, for each module found it compares the module base address with its own and, at the moment they match, changes the name of the loaded module, the path, and the arguments to mislead the user.

FIGURE 8. Decryption of the string "dllhost.exe"
The process name will be "dllhost.exe" and the path will be the system directory of the victim machine. This trick, besides not changing the name of the process in the Task Manager, can make a debugger "think" that another binary is loaded and remove all breakpoints (depending on the debugger used).

FIGURE 9. Changing the name and path in the PEB
The second action is to use one exploit using COM (Component Object Model) objects to try to elevate privileges before finishing its own instance using the "TerminateProcess" function.
For the detection of its own module, the malware uses an undocumented function from NTDLL.DLL, "LoadedModulesLdrCallback", that lets the programmer set a function as a callback where it can get the arguments and check the PEB. In this callback the malware will set the new Unicode strings using "RtlInitUnicodeString"; the strings are the path to "dllhost.exe" in the system folder and "dllhost.exe" as the image name.
The exploit used to bypass UAC (User Account Control), which is public, uses the COM interface of CMSTPLUA and the COM Elevation Moniker.
In the case that it has administrator rights or uses the exploit with success, it will continue by making the new extension that will be used with the encrypted files. For this task it will read the registry value "MachineGuid" in the Cryptography key (under HKEY_LOCAL_MACHINE).
This entry and value exist in all versions of Windows and are unique for the machine; with this value it will make a custom hash and get the final string of 9 characters.

FIGURE 10. Creating the new extension for the encrypted files
Next, the malware will create the ransom note name and calculate the integrity hash of it. The ransom note text is kept encrypted in the malware data. Usually the ransom note name is "%s.README.txt", where the wildcard is filled with the new extension generated previously.
The next step is to get privileges that will be needed later; BlackMatter tries to get many privileges:



FIGURE 11. Setting special privileges
After getting the privileges it will check if it has SYSTEM privileges, checking the token of its own process. If it is SYSTEM, it will get the right user for logon with the function "WTSQueryUserToken". This function can only be used if the caller has "SeTcbPrivilege", which by default only SYSTEM has.

FIGURE 12. Obtaining the token of the logged on user
After getting the token of the logged on user the malware will open the Windows station and desktop.
In the case that it does not have SYSTEM permissions it will enumerate all processes in the system and try to duplicate the token from "explorer.exe" (the name is checked using a hardcoded hash); if it has rights it will continue normally, otherwise it will check again if the token that was duplicated has administrator rights.
In this case it will continue normally but in other cases it will check the operating system version and the CPU (Central Processing Unit) mode (32- or 64-bit). This check is done using the function "ZwQueryInformationProcess" with the class 0x1A (ProcessWow64Information).

FIGURE 13. Checking if the operating system is 32- or 64-bit
In the case that the system is 32-bit it will decrypt one little shellcode that it will inject in one process, which it enumerates, using the typical "CreateRemoteThread" function. This shellcode will be used to get the token of the process and elevate privileges.
In the case that the system is 64-bit it will decrypt two different shellcodes and will execute the first one, which gets the second shellcode as an argument.

FIGURE 14. BlackMatter preparing shellcodes to steal the system token
These shellcodes will allow BlackMatter to elevate privileges in a clean way.
It is important to understand that to get the SYSTEM token BlackMatter will enumerate the processes and get "svchost.exe", but not only will it check the name of the process, it will also check that the process has the privilege "SeTcbPrivilege". As only SYSTEM has it by default (and it is one permission that cannot be removed from this "user") it follows that this process is running under SYSTEM, and so it becomes the perfect target to attack with the shellcodes and steal the token that will be duplicated and set for BlackMatter.

FIGURE 15. Checking if the target process is SYSTEM
After this it will decrypt the configuration that it has embedded in one section. BlackMatter has this configuration encrypted and encoded in base64.
This configuration has a remarkably similar structure to DarkSide, offering another clear hint that the developers are one and the same, despite their claims to the contrary.
After decryption, the following information can be obtained from the configuration:

RSA key used to protect the Salsa20 keys used to encrypt the files.
A 16-byte hex value that marks the victim id.
A 16-byte hex value that is the AES key that will be used to encrypt the information that will be sent to the C2.
An 8/9-byte array with the behavior flags to control the ransomware behavior.
A special array of DWORDs (values of 4 bytes each) that keep the values to reach the important points in the configuration.
Different blocks encoded and, sometimes, encrypted again to offer the field more protection.

After getting the configuration and parsing it, BlackMatter will start checking if it needs to make a login with some user that is in the configuration. In this case it will use the function "LogonUser" with the information of the user(s) that are kept in the configuration; this information has one user and one password: "test" where "test" is the user, "" is the domain and "12345" the password.
The next action will be to check the flag to see if a mutex needs to be created to avoid having multiple instances.
This mutex is unique per machine and is based on the registry entry "MachineGuid" in the key "Cryptography". If the system has this mutex already the malware will finish itself.
Making a vaccine with a mutex can sometimes be useful but not in this case, as the developers change the algorithm and only need to set the flag to false to avoid creating it.

FIGURE 16. Creation of the mutex to avoid multiple instances
After that, it will check if it needs to send information to the C2. If it does (usually, but not always) it will get information about the victim machine, such as username, computer name, size of the hard disks, and other information that is useful to the malware developers to know how many machines are infected.
This information is encoded with base64 and encrypted with AES using the key in the configuration.

FIGURE 17. Encrypted information sent to the C2
The C2 addresses are in the configuration (but not all samples have them; in this case the flag to send is false). The malware will try to connect to the C2 using a normal protocol or will use SSL, checking the initial "http" of the string.

FIGURE 18. Getting information about the victim machine and user
The information is prepared in some strings decrypted from the malware and sent in a POST message.

FIGURE 19. Choosing to send by HTTP or HTTPS
The message has values to mislead checks and to try to hide the real information as garbage. This "fake" data is calculated randomly.
The C2 returns garbage data but the malware will check if it starts and ends with the characters "{" and "}"; if it does the malware will skip sending the information to another C2.

FIGURE 20. Checking for a reply from the C2 after sending
BlackMatter is a multithreaded application and the procedure to send data to the C2 is done by a secondary thread.
After that, BlackMatter will enumerate all drives that are FIXED and REMOVABLE to destroy the recycle bin contents. The malware does this for each drive that has one and is of the right type. One difference with DarkSide is that it has a flag for this behavior while BlackMatter does not.
The next action is to delete the shadow volumes using COM, to try to avoid detection based on the normal programs used to manage the shadow volumes. This differs from DarkSide, which has a flag for this purpose.

FIGURE 21. Destruction of the shadow volumes using COM
BlackMatter will check another flag and will enumerate all services based on one list in the configuration and will stop target services and delete them.
This behavior is the same as DarkSide.

FIGURE 22. Stopping services and deleting them
Processes will be checked and terminated as with DarkSide, based on other configuration flags.
After terminating the processes BlackMatter will stop the machine from entering suspension or hibernating if someone is using the computer, to prevent either of these outcomes occurring while it is encrypting files. This is done using the function "ZwSetThreadExecutionState".

FIGURE 23. Preventing the machine being suspended or hibernated
The next action will be to enumerate all drives, fixed and on the network, and create threads to encrypt the files. BlackMatter uses Salsa20 to encrypt some part of the file and will save a new block at the end of the file, protected with the RSA key embedded in the configuration, with the Salsa20 keys used to encrypt it. This makes BlackMatter slower than many other ransomware families.
After the encryption it will send to the C2 all information about the encryption process: how many files were encrypted, how many files failed, etc. This information is sent in the manner previously described, but only if the config flag is set to true.

FIGURE 24. Release of the mutex
If a mutex was created, at this moment it will be released. Later it will check the way that the machine booted with the function "GetSystemMetrics". If the boot was done in Safe Mode BlackMatter will set some keys for persistence in the registry for the next reboot and then attack the system, changing the desktop wallpaper.

FIGURE 25. Determining whether the system booted in safe mode or normal mode
Of course, it will disable the safeboot options in the machine and reboot it (this is one of the reasons why it needs the shutdown privilege).
To ensure it can launch in safe mode, the persistence key value with the path of the malware will start with a '*'.

FIGURE 26. Setting the persistence registry key
If the machine starts in the normal way, it will change the desktop wallpaper with an alternative generated at runtime with some text about the ransom note.

FIGURE 27. BlackMatter makes the new wallpaper at runtime
The new versions have some differences compared with versions 1.2 to 1.6:

Changes in the stub generation code. Previously only one type of stub was used, but in more recent versions several types of stubs are employed, with one chosen randomly per function. Anyhow, the stubs can be removed without any problem by patching the binary.
A new byte flag in the configuration that marks if it needs to print the ransom note using the available printer in the system. Just like Ryuk, but instead BlackMatter uses APIs from "winspool.drv".
Removed one C2 domain that was shut down by the provider.

More changes in version 2.0:

This version changes the crypto algorithm used to protect the configuration, making it more complex to decrypt.
Removed the last C2 that was shut down by the provider.
Added a new C2 domain.

These changes suggest the developers are active on social media, with an interest in malware and security researchers.
Unlike some ransomware we have seen in the past, such as GandCrab, BlackMatter has good code, but it does have some design flaws that can be used in some cases to avoid having the malware encrypt the files.
This vaccine is not meant to be used in the normal way, rather only in special cases as, while it works, other programs can be affected (we obviously cannot test all third party programs but potential issues are likely to include data corruption and unpredictable behavior), and the fix is not permanent.
Steps to make the vaccine (proceed at your own risk):

Open regedit (or another registry editor) and go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.
In this key a string value named "MachineGuid" can be seen with a particular value. This value is unique for the machine and is used by some applications to identify the machine. BlackMatter uses it to make the mutex and, very importantly, the new extension for the encrypted files.
Make a new value of type string with a random name and put the same value as seen in "MachineGuid", to have a backup of it.
Remove the "MachineGuid" value, and then make it again but with the binary type instead of the string type, with the same name, "MachineGuid".
Close the registry editor.
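The same steps as a PowerShell script, added here as an example and not part of the original report. It assumes an elevated 64-bit PowerShell session; the key path is the standard location of MachineGuid, and the binary data written is the ASCII bytes of the old GUID (the report only requires the type change). A restore function is included so the change can be undone.

```powershell
# Added example (not from the McAfee report): apply the MachineGuid "vaccine"
# described above and keep a backup so it can be reversed.
# Assumption: run from an elevated, 64-bit PowerShell (a 32-bit session would
# see the redirected WOW6432Node view of the key).
$CryptoKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography'
$BackupName = 'MachineGuid_backup_' + (Get-Random)   # random name, as the steps suggest

function Install-MachineGuidVaccine {
    $guid = (Get-ItemProperty -Path $CryptoKey -Name MachineGuid -ErrorAction Stop).MachineGuid
    if ($guid -isnot [string]) {
        Write-Host 'MachineGuid is already not a REG_SZ value; nothing to do.'
        return
    }
    # Step 1: back up the original GUID under a new string value.
    New-ItemProperty -Path $CryptoKey -Name $BackupName -Value $guid -PropertyType String -Force | Out-Null
    # Step 2: remove the original REG_SZ value.
    Remove-ItemProperty -Path $CryptoKey -Name MachineGuid
    # Step 3: recreate it with the same name but as REG_BINARY. The data chosen
    # here is the ASCII bytes of the old GUID; only the type matters to the malware.
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($guid)
    New-ItemProperty -Path $CryptoKey -Name MachineGuid -Value $bytes -PropertyType Binary | Out-Null
    Write-Host "MachineGuid recreated as REG_BINARY; backup kept in '$BackupName'."
}

function Restore-MachineGuid {
    param([Parameter(Mandatory)][string]$BackupValueName)
    # Put the original REG_SZ value back from the backup and drop the backup.
    $guid = (Get-ItemProperty -Path $CryptoKey -Name $BackupValueName -ErrorAction Stop).$BackupValueName
    Remove-ItemProperty -Path $CryptoKey -Name MachineGuid -ErrorAction SilentlyContinue
    New-ItemProperty -Path $CryptoKey -Name MachineGuid -Value $guid -PropertyType String | Out-Null
    Remove-ItemProperty -Path $CryptoKey -Name $BackupValueName
    Write-Host 'MachineGuid restored as REG_SZ.'
}

Install-MachineGuidVaccine
# To undo later: Restore-MachineGuid -BackupValueName '<name printed above>'
```

As the report notes, other software that reads MachineGuid as a string may misbehave after this change, so keep the backup name and revert once the need has passed.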

At this moment BlackMatter cannot affect the machine, as it needs the registry value to make the ransom extension, and most importantly, if it cannot make it, it will return from the function WITHOUT decrypting the config that is also needed. In this case it will destroy the recycle bin and shadow volumes anyhow but later it will finish, as it does not have any behavior to perform, RSA key to protect the files, or anything to send to the C2, because the flag was never read from the config (and the default values are false for all of them).
Though the behavior of other programs may be unpredictable, the vaccine is easy to make, and the system will boot, showing that the BlackMatter programmers made a mistake in the design of the code.
This vaccine works for all versions, including 2.0.
The sample uses the following MITRE ATT&CK™ techniques:

Technique: Description

Access Token Manipulation: BlackMatter accesses and manipulates different process tokens.
Data Encrypted for Impact: BlackMatter encrypts files using a custom Salsa20 algorithm and RSA.
File and Directory Discovery: BlackMatter uses native functions to enumerate files and directories looking for targets to encrypt.
Windows File and Directory Permissions Modification: BlackMatter executes the command icacls "<DriveLetter>:*" /grant Everyone:F /T /C /Q to grant full access to the drive.
Disable or Modify Tools: BlackMatter stops services related to endpoint security software.
Native API: BlackMatter uses native API functions in all its code.
Process Discovery: BlackMatter enumerates all processes to try to discover security programs and terminate them.
Service Stop: BlackMatter stops services.
System Checks: BlackMatter tries to detect debuggers, checking the memory reserved in the heap.
Network Share Discovery: BlackMatter will attempt to discover network shares by building a UNC path in the following format for each drive letter, from A to Z: \\<IP>\<drive letter>$
System Information Discovery: BlackMatter uses functions to retrieve information about the target system.
Gather Victim Host Information: BlackMatter retrieves information about the user and machine.
Valid Accounts: BlackMatter uses valid accounts to log on to the victim network.
Boot or Logon Autostart Execution: BlackMatter installs persistence in the registry.
Query Registry: BlackMatter queries the registry for information.
Remote System Discovery: BlackMatter enumerates remote machines in the domain.
Modify Registry: BlackMatter changes registry keys and values and sets new ones.
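As an added example that is not part of the report, a small PowerShell hunting function that applies two of the behaviors above to constructed Sysmon-style log lines: the icacls command from the permissions-modification row, and the '*'-prefixed persistence value (which Windows also runs in Safe Mode) described in the safe-mode section. The Run key location and the log line layout are assumptions made for the demonstration; the report does not name the key.

```powershell
# Added example (not from the McAfee report): flag two BlackMatter behaviors
# in process-creation (EventID 1) and registry-set (EventID 13) log lines.
# The events below are constructed for this demonstration.
$SampleEvents = @(
    'EventID=1 Image=C:\Windows\System32\icacls.exe CommandLine=icacls "C:\*" /grant Everyone:F /T /C /Q',
    'EventID=1 Image=C:\Windows\System32\icacls.exe CommandLine=icacls "C:\Projects" /grant Alice:R /T',
    'EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater Details=*C:\Users\Public\dllhost.exe',
    'EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Program Files\OneDrive\OneDrive.exe'
)

function Find-BlackMatterIndicators {
    param([string[]]$Lines)
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($line in $Lines) {
        # icacls granting Everyone full control (F) on a whole drive root,
        # recursively (/T): the exact form quoted in the ATT&CK table above.
        # The backslash after the drive letter is optional so both "C:*" and "C:\*" match.
        if ($line -match 'CommandLine=(?<cmd>icacls\s+"?[A-Za-z]:\\?\*"?\s+/grant\s+Everyone:F\b.*)$') {
            $findings.Add([pscustomobject]@{
                Technique = 'Windows File and Directory Permissions Modification'
                Evidence  = $Matches['cmd']
            })
        }
        # A Run value whose data starts with '*' is also launched in Safe Mode,
        # which is the trick the report describes for the safe-boot persistence.
        # Assumption: the value lands in the standard HKLM Run key.
        if ($line -match 'TargetObject=(?<key>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\s]+)\s+Details=(?<data>\*.*)$') {
            $findings.Add([pscustomobject]@{
                Technique = 'Boot or Logon Autostart Execution'
                Evidence  = "$($Matches['key']) = $($Matches['data'])"
            })
        }
    }
    return $findings
}

# Expected on the constructed events: two findings, one per technique
# (lines 1 and 3); the benign icacls call and the normal Run value are not flagged.
Find-BlackMatterIndicators -Lines $SampleEvents | Format-Table -AutoSize
```

Pipe real Sysmon or EDR exports into Find-BlackMatterIndicators after mapping their fields to the CommandLine, TargetObject and Details names used here.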

BlackMatter is a new threat in the ransomware field and its developers know full well how to use it to attack their targets. The coding style is remarkably similar to DarkSide and, in our opinion, the people behind it are either the same or have a very close relationship.
BlackMatter shares a lot of ideas, and to some extent code, with DarkSide:

Configurations are remarkably similar, especially with the last version of DarkSide, besides the change in the algorithm used to protect it which, despite having fewer options, keeps the same structure. We do not think that the developers of BlackMatter achieved this similarity by reversing DarkSide, as that level of coding skill would have allowed them to create an entirely new ransomware from the ground up. Also, the idea that the DarkSide developers gave or sold the original code to them does not make any sense as it is an old product.
Dynamic functions are used in a similar way to DarkSide.
It uses the same compression algorithm for the configuration.
The victim id is kept in the same way as DarkSide.

It is important to keep your McAfee Enterprise products updated to the latest detections, avoid insecure remote desktop connections, maintain secure passwords that are changed regularly, take precautions against phishing emails, and do not connect unnecessary devices to the enterprise network.
Despite some effective coding, mistakes were made by the developers, allowing the program to be read and a vaccine to be created, though we will stress again that it can affect other programs, is not a permanent solution, and should be employed only if you accept the risks associated with it.