
RaaS Operator Coreid Has Evolved Again With New Tool Called ‘ExMatter’

The ransomware group behind the Colonial Pipeline attack has again developed new tactics, tools, and strategies for its operation, making it even easier for its members to encrypt, steal, and sort data.

In a recent report, the Symantec Threat Hunter Team assessed the latest changes in a group it tracks as Coreid.

Continuous, Sophisticated Updates Have Enhanced the Ransomware Group

Symantec researchers summed up how the group has eluded law enforcement by deploying new ransomware strains, having now settled on Noberus.

The threat actors have existed in some form since 2012; according to the researchers, the group began by using the Carbanak malware to steal money from organizations in the banking, hospitality, and retail sectors.

In 2018, three members of the group were arrested, before it evolved into a ransomware-as-a-service (RaaS) operation around 2020.

Coreid has continually remodeled its ransomware operation since the attack on Colonial Pipeline — in which it used Darkside ransomware to destabilize gas stations across the East Coast in May 2021.

Notably, Noberus drew attention when it was first seen in November 2021 because it was coded in Rust; the researchers noted this was the first time they had seen a professional ransomware strain used in real-world attacks written in that programming language.

Exmatter: A Powerful Exfiltration Tool

Coreid — known by some security firms as FIN7 or Carbon Spider — runs a RaaS operation in which the group splits the ransoms paid with the affiliate that carries out the attack itself.

In June and July of 2022, Symantec says, Coreid escalated further by adding the ability to encrypt non-standard architectures, along with numerous other features.

The group also borrowed a feature from other groups that made its data leak sites searchable by keyword, file type, and more.

Arguably, the continuous updating and refining of Noberus shows that Coreid is always adapting its ransomware operation to ensure it stays as effective as possible, the researchers said.

Last month, Coreid added a powerful data exfiltration tool targeting the most popular file types: .pdf, .doc, .docx, .xls, .xlsx, .png, .jpg, .jpeg, .txt, and more.

The tool — named Exmatter — was remodeled to give cybercriminals the capacity not only to create a report of all the stolen files but also to infect the files that had already been processed. It can even be configured to self-destruct under specific conditions.
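A tool that sweeps a machine for the file types listed above leaves a recognisable footprint: one process reading many distinct document files in a short span of time. The following detector is an added example written for this article, not code from the article or from Symantec's report. It assumes, hypothetically, that file-access telemetry is available as tab-separated lines of unix timestamp, host, process name and path; the sample events are constructed, and the 60-second window and five-file threshold are illustrative values rather than tuned ones.

```python
"""Flag processes that read many distinct document-type files in a short
window: a simple staging-for-exfiltration heuristic.

Added example, not the article's or Symantec's code. Assumes (hypothetically)
that file-access telemetry arrives as tab-separated lines of
<unix_ts>, <host>, <process>, <path>; window and threshold are illustrative.
"""
from collections import defaultdict, deque

# File types the article says Exmatter targets.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                  ".png", ".jpg", ".jpeg", ".txt"}

# Constructed sample telemetry (not real data): one ordinary editor session
# and one unexpected process sweeping through several documents in seconds.
SAMPLE_EVENTS = [
    "\t".join(map(str, row)) for row in [
        (1660000000, "ws01", "winword.exe", r"C:\Users\a\Documents\q3.docx"),
        (1660000005, "ws01", "winword.exe", r"C:\Users\a\Documents\notes.txt"),
        (1660000010, "ws01", "updater.exe", r"C:\Users\a\Documents\q3.docx"),
        (1660000011, "ws01", "updater.exe", r"C:\Users\a\Documents\budget.xlsx"),
        (1660000012, "ws01", "updater.exe", r"C:\Users\a\Documents\contract.pdf"),
        (1660000013, "ws01", "updater.exe", r"C:\Windows\System32\kernel32.dll"),
        (1660000014, "ws01", "updater.exe", r"C:\Users\a\Pictures\photo.jpg"),
        (1660000015, "ws01", "updater.exe", r"C:\Users\a\Documents\plan.doc"),
        (1660000016, "ws01", "updater.exe", r"C:\Users\a\Documents\plan.doc"),
        (1660000020, "ws01", "updater.exe", r"C:\Users\a\Desktop\scan.png"),
    ]
]


def file_extension(path):
    """Lower-cased extension of the last path component (handles / and \\)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def is_document(path):
    return file_extension(path) in DOC_EXTENSIONS


def parse_event(line):
    """Return (ts, host, process, path), or None for a malformed line."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], parts[3]
    except ValueError:
        return None


def detect_bulk_reads(lines, window_s=60, threshold=5):
    """Alert once per (host, process) that touches at least `threshold`
    distinct document files within any `window_s`-second span; the alert
    records the peak distinct count seen."""
    recent = defaultdict(deque)   # (host, process) -> deque of (ts, path)
    alerts = {}
    for line in lines:
        event = parse_event(line)
        if event is None or not is_document(event[3]):
            continue
        ts, host, proc, path = event
        key = (host, proc)
        window = recent[key]
        window.append((ts, path))
        while window and window[0][0] < ts - window_s:   # drop stale events
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= threshold:
            alert = alerts.setdefault(key, {
                "host": host, "process": proc,
                "first_ts": window[0][0], "distinct_files": 0,
            })
            alert["distinct_files"] = max(alert["distinct_files"], len(distinct))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the detector ignores the editor that opened two files and the DLL read, and raises one alert for the process that swept six distinct documents in ten seconds. In practice the threshold and window need tuning per environment, and known backup or indexing processes would be allow-listed before the rule is deployed.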
