Key Takeaways
What is BlackByte NT?
The BlackByte NT sample DuskRise analyzed is a 64-bit portable executable with a compile date in early 2023. BlackByte NT includes anti-analysis techniques to thwart both static and dynamic malware analysis. One of them is dynamic import of the APIs it needs at runtime: one function locates the DLL and another imports the needed procedure, both looking up their targets by the hash of the name rather than by the name itself. To perform static analysis, DuskRise researchers had to use an IDAPython script to recover the invocations of the functions used for dynamic API loading.
After a function receives the hash of the module or function it is meant to load, it parses the Process Environment Block (PEB) of the process to walk the list of DLLs loaded in process memory and their exported function names. The PEB is also used for an anti-debug check. If the arguments passed at execution do not carry the expected flags, BlackByte NT terminates.
If svc is provided as an argument, BlackByte NT launches a new thread that registers a new service under a random seven-character name. This establishes persistence and is done with syscalls instead of the Windows API libraries, which also hinders debugger-hiding tools such as ScyllaHide. BlackByte NT also uses a technique to terminate execution if it is launched in a sandbox. Once all APIs are retrieved, BlackByte NT performs additional checks for debuggers and hardware breakpoints.
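An analyst-side helper for the hashed-import scheme described above, added here as an example and not DuskRise's IDAPython script or any code from the sample: it hashes a list of candidate export names and builds a reverse table so a hash constant pulled from the binary can be mapped back to an API name. The ROR-13 routine and the sample export names are assumptions for illustration; the page does not state which hash BlackByte NT uses, so the recovered routine would be substituted for `ror13_hash`.

```python
"""Reverse-lookup table for hashed API names (analyst helper, added example)."""
from typing import Callable, Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII bytes of a name.
    ASSUMPTION: a common loader hash used as a stand-in; BlackByte NT's actual
    routine is not given on the page and must be recovered from the sample."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_lookup(names: Iterable[str],
                 hash_fn: Callable[[str], int]) -> Dict[int, str]:
    """Map hash -> name; refuse silently colliding entries so a wrong
    resolution is never reported as a confident match."""
    table: Dict[int, str] = {}
    for n in names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} / {n!r}")
        table[h] = n
    return table


def resolve_hashes(constants: Iterable[int],
                   table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Resolve constants found in the binary; unknown hashes map to None
    so the analyst sees which ones still need a larger name list."""
    return {c: table.get(c) for c in constants}


# Constructed sample: names an export table might contain (not from the page).
SAMPLE_EXPORTS = ["CreateServiceW", "OpenSCManagerW", "NtCreateThreadEx",
                  "WriteProcessMemory", "VirtualAllocEx"]

if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_EXPORTS, ror13_hash)
    found = [ror13_hash("CreateServiceW"), 0xDEADBEEF]  # 2nd: unknown constant
    for h, name in resolve_hashes(found, lookup).items():
        print(f"0x{h:08X} -> {name or '<unresolved>'}")
```

In practice the name list comes from the export tables of the DLLs the sample walks through the PEB, and the hash routine from the function the IDAPython script recovered.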
BlackByte NT also upgrades the previous version's Bring Your Own Vulnerable Driver (BYOVD) exploit with new drivers. This new version disables security tools that attempt to interfere with its execution.
If no debuggers, sandboxes, or other analysis tools are detected, BlackByte NT scans the list of running processes and injects itself into svchost.exe, then proceeds to encrypt files on the victim machine. It appends the .blackbytent extension to the end of each encrypted file.
IOCs
PolySwarm has a sample of BlackByte NT.
02a0a39dbe0dcb5600f4179aeab457bb86965699e45d1d154082b02139dc701d
You can use the following CLI command to search for all BlackByte NT samples in our portal:
$ polyswarm link list -f BlackByteNT