
Christian Erdmann

Jul 9, 2024, 2:29:11 PM7/9/24
to unsalticons

The idea behind DET was to create a generic tool-kit to plug in any kind of protocol/service to test implemented Network Monitoring and Data Leakage Prevention (DLP) solution configurations against different data exfiltration techniques.

DET Data Exfiltration Toolkit

Download https://bltlly.com/2yX0KG
The Data Exfiltration Toolkit (DET) is one of the easiest tools to use on the market. It was created by Sensepost to test Data Leakage Prevention (DLP) solutions for data exfiltration. The toolkit can be utilized by attackers in a real environment to exfiltrate data using ICMP, social media platforms such as Twitter, or through emails via Gmail.

DET (provided AS IS) is a proof of concept to perform Data Exfiltration using either a single channel or multiple channels at the same time. The idea was to create a generic toolkit to plug in any kind of protocol/service to test implemented Network Monitoring and Data Leakage Prevention (DLP) solution configurations against different data exfiltration techniques.

During the same period, APT actors implanted Impacket, a Python toolkit for programmatically constructing and manipulating network protocols, on another system. The actors used Impacket to attempt to move laterally to another system.

In April 2021, APT actors used Impacket for network exploitation activities. See the Use of Impacket section for additional information. From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files. See the Use of Custom Exfiltration Tool: CovalentStealer section for additional information.

Once the security researcher receives an email with encrypted data in it, they can paste it into the decrypter form to decrypt the data (again, over HTTPS or done locally to keep the data confidential).

One of the first challenges is the limited memory of the boards; this required a creative solution for scripting the keystrokes necessary to exfiltrate data. Kudos to PeterF, who on this thread provided a way of saving memory by retrieving strings as needed and keeping them in storage until then.

This report provides an in-depth insight into the functionalities and architecture of StealBit as well as the evolution of relevant configuration and implementation aspects of StealBit across different samples. The detailed insight into how StealBit works and evolves is important for the timely detection of ransomware attack operations that involve StealBit at the point when malicious actors exfiltrate data before deploying ransomware.

Developed for maximum data exfiltration efficiency: StealBit implements the Microsoft input/output (I/O) completion port threading model to maximize the overall efficiency of data exfiltration activities. For example, StealBit parallelizes the exfiltration of the content of multiple files to shorten the overall exfiltration timespan. This is important to ransomware operators, since fast data exfiltration reduces the chances of being discovered in the process.

Developed for maximum usage convenience and scalability: StealBit implements interprocess communication (IPC) between multiple StealBit processes that run on a single compromised system to designate many files for exfiltration in a scalable manner. In addition, StealBit supports dragging and dropping of files or folders for exfiltration to StealBit windows in scenarios where the StealBit operators have access to the graphical user interface of compromised systems. This feature enables StealBit operators to designate many files for exfiltration in a convenient and scalable manner.

Somewhat incomplete implementation: The implementation of some StealBit features that we analyzed is not complete. This includes features that the LockBit threat group advertises as advantageous to alternative exfiltration tools on the underground market, such as compression of exfiltrated data and a hidden mode of operation. For example, a recent StealBit sample that we analyzed does not compress exfiltrated data and does not properly hide the windows that StealBit creates, making the malware visible in the graphical user interface of the compromised system.

StealBit Malware Detected and prevented: The Cybereason XDR Platform effectively detects and prevents StealBit when the malware exfiltrates data, and also detects and prevents the execution of the related LockBit ransomware, which LockBit affiliates may execute after they use StealBit to exfiltrate data for double extortion.

The traditional ransomware extortion tactic, where malicious actors demand payment for decrypting data that the actors have encrypted using ransomware, does not always work as intended. Victims may not pay ransom for several reasons, such as lack of financial resources, concerns that ransomware operators may not decrypt the data, or the availability of backups of the encrypted data.

Therefore, many modern ransomware operators use a double extortion tactic: ransomware operators exfiltrate data from compromised systems before encrypting the data, and if the victim refuses to pay ransom for data decryption, the malicious actors threaten to leak the exfiltrated data online or sell the data for profit.

Since the double extortion tactic relies on exfiltrated data, data exfiltration tools are crucial to ransomware operators that use this tactic. Ransomware operators use publicly available tools for data exfiltration, such as Rclone, as well as custom data exfiltration tools that are intended specifically for use in ransomware operations. Some custom data exfiltration tools are Ryuk Stealer, the recently discovered Exmatter, and StealBit.

The StealBit malware is a data (file content) exfiltration tool that the LockBit threat group develops and maintains. StealBit exfiltrates file content to remote attacker-controlled endpoints for double extortion purposes. In addition to StealBit, the LockBit threat group develops and maintains the LockBit ransomware, which has a strong presence on the ransomware threat scene.

As of June 2021, the LockBit group runs a ransomware affiliate program, LockBit 2.0, which provides access to the LockBit ransomware and the StealBit data exfiltration tool to affiliates. As part of affiliate recruitment efforts, the LockBit group advertises the features of the LockBit ransomware and StealBit by comparing the ransomware and StealBit to alternative solutions. The LockBit group claims that StealBit is superior, especially in terms of data exfiltration speed:

This report provides an in-depth and comprehensive insight into the functionalities, architecture, and evolution of StealBit. The detailed insight into how StealBit works and evolves is important to build proper detection and protection strategies against the malware. This, in turn, is crucial for the timely detection of ransomware operations that involve StealBit at the point when malicious actors exfiltrate data before deploying ransomware.

In summary, StealBit implements named pipe-based IPC between multiple StealBit processes that run on a single compromised system. We show later in this section that this enables StealBit operators to designate many files for exfiltration in a scalable manner by executing StealBit named pipe clients with the command line parameter set to the paths to the files. This makes the overall process for exfiltrating the content of multiple files convenient and efficient for StealBit operators:

After creating the named pipe file STEALBIT-MASTER-PIPE, the StealBit named pipe server creates and starts two threads: one that creates two windows, and one that shows a message about exfiltration progress.

The drag and drop feature enables malicious actors to conveniently provide many file or folder paths to StealBit for file content exfiltration in scenarios where the StealBit operators have access to the graphical user interface of compromised systems, such as through a Remote Desktop Protocol (RDP) session. This makes the overall process for exfiltrating the content of many files practically convenient and scalable for StealBit operators.

The second thread is active during the overall operation of StealBit and displays a message in the StealBit window that informs the operator about the progress of file content exfiltration when exfiltration takes place. In the form of a format string, the message is: Stats: %I64d files (size %S), read speed %S/sec (compression ratio %I64d%%), upload %S/sec. This format string is one of the strings that StealBit has previously decrypted using the RC4 algorithm.

After initializing the Windows Socket library, StealBit establishes its core functionality: the Microsoft I/O completion port threading model for processing multiple asynchronous I/O requests in parallel. StealBit implements the I/O completion port threading model to maximize the overall efficiency of file content exfiltration activities on compromised systems. For example, as we show later in this section, StealBit parallelizes the exfiltration of the content of multiple files to shorten the overall exfiltration timespan. This is important to ransomware operators, since fast data exfiltration reduces the chances of being discovered in the process.

I/O completion packets carry information about the I/O operation. The application can then process I/O completion packets by removing them from the queue in a first-in-first-out (FIFO) order. In addition to a file handle, an application may associate a handle-specific I/O completion key with an I/O completion port. I/O completion keys can carry arbitrary data, which is typically data related to the handle. The figure below depicts the I/O completion port threading model that StealBit implements:

To evade exfiltration detection mechanisms that monitor the amount of sent data to remote endpoints over time, StealBit operators can configure StealBit to exfiltrate file content at a given rate (amount of exfiltrated file content over 15 seconds) by configuring the -net/-n or -once/-o command line parameters. These parameters control the file content exfiltration rate by controlling the rate at which StealBit reads file content.

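The post above mentions that StealBit's progress format string is one of the strings the malware decrypts with RC4 at runtime. The following is an added example of how an analyst recovers such a string table once the key is known; it is not code from the report, from StealBit, or from the poster. The key, the encrypted table (built here by encrypting the two strings the post quotes so the block runs offline) and the assumption that each string is decrypted with a fresh keystream are all constructed for illustration; in a real analysis the key and the ciphertext blobs are carved out of the binary.

```python
"""Recovering RC4-encrypted strings from a sample's string table.

Added example, not code from the Cybereason report or from StealBit itself.
SAMPLE_KEY, ENCRYPTED_TABLE and the fresh-keystream-per-string assumption
are constructed here for illustration only."""

from __future__ import annotations
import re


def rc4_keystream(key: bytes):
    """RC4 key scheduling (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Hypothetical per-sample key; a real analysis pulls this from the binary.
SAMPLE_KEY = b"example-rc4-key"

# The two strings the post quotes (the stats format string and the named
# pipe name). Their ciphertexts are constructed here by encrypting them.
STATS_FORMAT = ("Stats: %I64d files (size %S), read speed %S/sec "
                "(compression ratio %I64d%%), upload %S/sec")
PIPE_NAME = "STEALBIT-MASTER-PIPE"
ENCRYPTED_TABLE = [rc4(SAMPLE_KEY, s.encode()) for s in (STATS_FORMAT, PIPE_NAME)]


def decrypt_string_table(key: bytes, blobs: list[bytes]) -> list[str]:
    """Decrypt every blob with a fresh keystream (assumed layout; some
    samples instead run one keystream across the whole table)."""
    return [rc4(key, blob).decode("utf-8", errors="replace") for blob in blobs]


# printf-style specifiers, including the MSVC %I64d the post shows.
PRINTF_SPEC = re.compile(r"%(?:I64)?[dsSuxX]|%%")


def find_format_strings(strings: list[str]) -> list[str]:
    """Pick out decrypted strings that look like format strings; these are
    good candidates for the UI/progress messages described in the post."""
    return [s for s in strings if PRINTF_SPEC.search(s)]


if __name__ == "__main__":
    table = decrypt_string_table(SAMPLE_KEY, ENCRYPTED_TABLE)
    for entry in table:
        print(entry)
    print("format strings:", find_format_strings(table))
```

The `rc4` function is checked against the standard published test vector (key "Key", plaintext "Plaintext") so that a bug in the KSA or PRGA shows up before you trust it on carved ciphertext.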
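The post also says StealBit's -net/-n and -once/-o parameters throttle exfiltration to a set amount of file content per 15 seconds specifically to evade detectors that watch bytes sent over time. The following is an added example, not code from the report, from StealBit or from any product, that simulates a burst sender and a throttled sender and runs two detectors over the constructed flow records: a sliding-window byte-rate check, which the throttled sender slips under, and a per-destination cumulative-volume check, which still catches it. The destination addresses, chunk sizes, thresholds and flow records are all constructed.

```python
"""Exfiltration rate throttling versus volume-based detection.

Added example, not code from the Cybereason report, StealBit or any product.
All flow records, thresholds and destination addresses are constructed."""

from __future__ import annotations
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 15.0  # the per-interval granularity the post gives for StealBit


@dataclass(frozen=True)
class Flow:
    t: float        # seconds since start of capture
    dst: str        # destination address
    bytes_out: int  # bytes sent in this record


def simulate_burst(dst: str, total: int, chunk: int, duration: float) -> list[Flow]:
    """Send `total` bytes in `chunk`-sized records spread evenly over `duration` seconds."""
    n = total // chunk
    return [Flow(k * duration / n, dst, chunk) for k in range(n)]


def simulate_throttled(dst: str, total: int, per_window: int, chunk: int) -> list[Flow]:
    """Send `total` bytes while staying at about `per_window` bytes per
    WINDOW_SECONDS: one chunk every WINDOW_SECONDS / (per_window / chunk) seconds."""
    interval = WINDOW_SECONDS / (per_window / chunk)
    return [Flow(k * interval, dst, chunk) for k in range(total // chunk)]


def sliding_window_alerts(flows: list[Flow], threshold: int,
                          window: float = WINDOW_SECONDS) -> dict[str, float]:
    """Per destination, keep the records from the last `window` seconds and alert
    (once) when their byte sum exceeds `threshold`. Returns dst -> first alert time."""
    recent: dict[str, deque[tuple[float, int]]] = {}
    totals: dict[str, int] = {}
    alerts: dict[str, float] = {}
    for f in sorted(flows, key=lambda f: f.t):
        q = recent.setdefault(f.dst, deque())
        q.append((f.t, f.bytes_out))
        totals[f.dst] = totals.get(f.dst, 0) + f.bytes_out
        while q and q[0][0] < f.t - window:   # drop records that fell out of the window
            _, old = q.popleft()
            totals[f.dst] -= old
        if totals[f.dst] > threshold and f.dst not in alerts:
            alerts[f.dst] = f.t
    return alerts


def cumulative_volume_alerts(flows: list[Flow], threshold: int) -> dict[str, int]:
    """Per destination, total bytes over the whole capture; alert when over `threshold`.
    A throttled sender can only evade this by stretching the exfiltration out in time."""
    totals: dict[str, int] = {}
    for f in flows:
        totals[f.dst] = totals.get(f.dst, 0) + f.bytes_out
    return {dst: b for dst, b in totals.items() if b > threshold}


MB = 1_000_000
BURST_DST = "203.0.113.10"       # constructed (TEST-NET-3)
THROTTLED_DST = "198.51.100.20"  # constructed (TEST-NET-2)


def run_demo() -> dict:
    # 50 MB dumped in 2 s versus 50 MB metered at 1 MB per 15 s window.
    flows = simulate_burst(BURST_DST, 50 * MB, chunk=MB, duration=2.0)
    flows += simulate_throttled(THROTTLED_DST, 50 * MB, per_window=MB, chunk=10_000)
    return {
        "rate_alerts": sliding_window_alerts(flows, threshold=5 * MB),
        "volume_alerts": cumulative_volume_alerts(flows, threshold=20 * MB),
        "throttled_duration_s": max(f.t for f in flows if f.dst == THROTTLED_DST),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point of the two detectors together is the trade-off the throttling forces on the operator: staying under a 5 MB/15 s rate threshold stretches the 50 MB transfer to roughly 750 seconds, during which a per-destination volume baseline (or a long-horizon rate over hours) still has the whole picture.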