
BlackByte ransomware attacks exploiting ProxyShell flaws

Red Canary said BlackByte's campaign is using wormable ransomware against organizations vulnerable to ProxyShell flaws in Microsoft Exchange.

A newer strain of ransomware known as BlackByte has been detected in instances of ProxyShell exploitation, according to managed detection and response vendor Red Canary.

Red Canary's report marks another case of ransomware being connected to ProxyShell, the name given to three Microsoft Exchange Server bugs that, chained together, are capable of elevation of privilege and remote code execution. In one instance of ransomware reported by threat intelligence provider The DFIR Report last month, threat actors used "almost no malware" to exploit ProxyShell and deliver BitLocker and DiskCryptor encryption software into the victim's network.

Patches are available for the ProxyShell flaws.

Like ProxyShell, BlackByte was first publicly reported in July. According to Harrison Van Riper, Red Canary senior intelligence analyst and co-author of the report, the ransomware operators exploit ProxyShell, which allows for pre-authentication remote code execution, by creating a draft email as a user that contains a web shell before exporting the whole mailbox as an ASPX file.

"The process of writing the ASPX file decodes the encoded web shell," Van Riper wrote in a blog post.
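The export-to-ASPX step described above leaves a trace in Exchange cmdlet activity that a defender can hunt for. The following is an added example, not code from Red Canary or the article: it scans constructed, simplified cmdlet log lines (the line layout, user names and file paths are assumptions for this example, not a real Exchange log format) and flags New-MailboxExportRequest calls whose destination is a web-executable file or sits under the IIS web root instead of being a normal .pst export.

```python
import re
from typing import Dict, List

# Constructed sample of Exchange cmdlet activity in a simplified one-line-per-call
# format assumed for this example; real Exchange cmdlet logging has its own layout.
SAMPLE_LOG = r"""
2021-11-03T09:12:44Z user=CONTOSO\exadmin cmdlet=New-MailboxExportRequest params=-Mailbox j.doe -FilePath \\backup01\exports\jdoe.pst
2021-11-03T09:18:02Z user=CONTOSO\svc_mail cmdlet=New-MailboxExportRequest params=-Mailbox m.smith -FilePath \\localhost\c$\inetpub\wwwroot\aspnet_client\x.aspx
2021-11-03T09:18:05Z user=CONTOSO\svc_mail cmdlet=Get-MailboxExportRequest params=
2021-11-03T09:20:10Z user=CONTOSO\svc_mail cmdlet=New-MailboxExportRequest params=-Mailbox a.lee -FilePath \\localhost\C$\INETPUB\wwwroot\Test.ASPX
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) cmdlet=(?P<cmdlet>\S+) params=(?P<params>.*)$")
FILEPATH_RE = re.compile(r"-FilePath\s+(\S+)", re.IGNORECASE)

# Extensions the IIS/ASP.NET handler will execute if they land under a web root.
WEB_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx"}


def classify_export(path: str) -> str:
    """Return a reason string if a mailbox export destination is suspicious, else ''."""
    lower = path.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext in WEB_EXECUTABLE:
        return "export written as web-executable file (web shell staging)"
    if "\\inetpub\\" in lower or "\\wwwroot\\" in lower:
        return "export written under IIS web root"
    if ext != ".pst":
        return "export destination is not a .pst file"
    return ""


def find_suspicious_exports(log_text: str) -> List[Dict[str, str]]:
    """Scan cmdlet log lines for New-MailboxExportRequest calls with abnormal destinations."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["cmdlet"].lower() != "new-mailboxexportrequest":
            continue
        fp = FILEPATH_RE.search(m["params"])
        if not fp:
            continue
        reason = classify_export(fp.group(1))
        if reason:
            hits.append({"ts": m["ts"], "user": m["user"], "path": fp.group(1), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_exports(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} -> {hit['path']}: {hit['reason']}")
```

Two of the four constructed lines are flagged (the .aspx exports); a legitimate .pst export to a backup share is not.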

After successfully exploiting the victim via ProxyShell, Van Riper said the BlackByte operators "used their web shell to drop a Cobalt Strike beacon on the compromised Exchange server to allow more functionality directly on the compromised system."

This includes credential dumping as well as the installation of the remote desktop application AnyDesk, which is used for lateral movement. The operators then used Cobalt Strike, a popular penetration testing tool, to install and execute the ransomware.

The ransomware is also wormable, according to the blog post.

"Typically, we would expect Cobalt Strike to be the main driver behind privilege escalation and lateral movement within a compromised environment," Van Riper wrote. "However, BlackByte handles both of those on its own. In the sample we observed, BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption."

Van Riper told SearchSecurity in an email that the BlackByte analysis was limited to one malware sample but added that "most of [Red Canary's] analysis was based on surrounding activity affecting multiple endpoints during a single incident response engagement."

He also said the full scope of the campaign is currently unknown.

"We have limited visibility and there is no way of knowing the full scope of this campaign," Van Riper said. "However, we had excellent visibility into a single incident and decided to publish our analysis to help others who might be affected by this campaign."

Trustwave's SpiderLabs released a decryption tool for BlackByte in mid-October, which is currently available on GitHub.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
