Noberus ransomware gets info-stealing upgrades, targets Veeam backup software
An extensively updated version of the Exmatter data exfiltration tool was seen last month being used with Noberus in ransomware infections, and at least one affiliate using Noberus was detected using Eamfo, the info-stealing malware that connects to the SQL database where a victim's Veeam backup software installation stores credentials, according to researchers in Symantec's Threat Hunting Team.
Coreid, the group behind Noberus, has continuously updated the ransomware since it first emerged in November 2021, shortly after BlackMatter was retired in a suspected move by the gang to stay ahead of law enforcement.
"The continuous updating and refining of Noberus' operations shows that Coreid is constantly adapting its ransomware operation to ensure it remains as effective as possible," the Symantec researchers wrote, noting that an FBI warning in April said that at least 60 organizations around the world have been compromised by Noberus and that "The number of victims now is likely to be many multiples of that."
The Symantec researchers say it's unclear whether Coreid or one of the RaaS affiliates created Exmatter itself, "But its use alongside two different iterations of Coreid's ransomware is notable. Its continuous development also underlines the focus of the group on data theft and extortion, and the importance of this element of attacks to ransomware actors now."
The Eamfo info-stealer has been around since at least August 2021 and may have been used by attackers alongside the Yanluowang and LockBit ransomware families, as well as a new ransomware variant called Monti, which the researchers wrote could be based on the leaked Conti source code and is developed by the threat group Miner.
The Noberus attacks that include Eamfo also use GMER, an old rootkit scanner used by ransomware groups to kill processes in compromised systems.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/09/25/noberus_ransomware_symantec/