Skip to main content Link Menu Expand (external link) Document Search Copy Copied
Category Details References
First Observed December 2021 1
Threat Actors MS DEV-0504
MS DEV-0237
Platforms Windows and ESXi 4
Extensions 7 characters in length, specified in config file 5
Ransomware Notes RECOVER-[EXTENSION]-FILES.txt 5
Services It Disables IIS, Antivirus, backup service, recovery tool in Windows boot menu and clear Windows event logs 6
Other Observables Also named ALPHV and Noberus 7
Automatically Gains Access Yes (exploiting Exchange servers, using remote access tools or getting compromised credentials within dark markets) 8
Automatically Escalates Privileges Yes.
Several techniques including Masquerade_PEB, UAC bypass via elevated COM interface, and CreateProcessWithLogonW exploit
Requires Human Interaction Yes  
Automatic Exfiltration Yes (through MegaSync, Filezilla and WinSCP) 8
Automatic Propagation Yes.
Uses NetBIOS command to get list of computers and launches using PsExec and configured credentials.

Other Notes:

  • Written in Rust.
  • Each binary is custom to each target
  • “Exmatter” exfiltration program updated in August 2022 to specifically limit type of files to exfiltrate to: PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG. 7

Please note, this page was last updated at 2023-03-14 20:21.