"BlackMatter Group Speeds Up Data Theft with New Tool"

Security researchers at Symantec have discovered a new data exfiltration tool designed to accelerate information theft for ransomware groups using the BlackMatter variant.  Dubbed “Exmatter,” the tool is designed to steal specific file types from selected directories and then upload them to a server under the control of BlackMatter attackers.  The researchers stated that this process of whittling down data sources to only those deemed most profitable or business-critical is designed to speed up the whole exfiltration process, presumably so the threat actors can complete their attack stages before being interrupted.  After retrieving the drive names of all logical drives on a victim computer and collecting all file pathnames, Exmatter disregards anything under specific directories such as “C:\Documents and Settings.”  The tool only exfiltrates specific file types such as PDFs, Word docs, spreadsheets, and PowerPoints and aims to prioritize those for exfiltration using LastWriteTime.  Once exfiltration has been completed, Exmatter looks to overwrite and delete any traces of itself from the victim’s computer.  The researchers noted that they found various versions of the tool, indicating that its developers have tried to refine its functionality to accelerate the process of data theft as far as possible.  

Infosecurity reports: "BlackMatter Group Speeds Up Data Theft with New Tool"