Coreid’s ransomware operation continues to evolve around Noberus, extending cross-platform encryption and placing a growing emphasis on data exfiltration, supported by the Exmatter exfiltration tool and credential-stealing tools such as Eamfo. Symantec/Sentinel Labs note ongoing updates and safeguards for affiliates, pointing to a persistent, highly adaptable operation that targets multiple environments.
Key points
- Coreid operates Noberus as a ransomware-as-a-service, deploying affiliates for profit and continuously updating the operation to improve efficiency and scale.
- Noberus was first seen written in Rust, giving it cross‑platform capabilities that target Windows, ESXi, Debian, ReadyNAS, and Synology systems.
- The ransomware offers a choice of two encryption algorithms (ChaCha20 and AES) and four encryption modes (Full, Fast, DotPattern, SmartPattern); researchers highlight the “intermittent encryption” these pattern modes provide.
- Affiliates can access features like DDoS tools, direct victim contact, and brute-force capabilities to crack NTDS, Kerberos tickets, and other hashes.
- Exmatter, a data-exfiltration tool, has been updated to exfiltrate a limited set of file types and to support FTP/SFTP/WebDAV, with new reporting and self-destruct options.
- Eamfo is used to steal credentials from Veeam backup stores, enabling privilege escalation and lateral movement.
- Use of GMER, an old rootkit scanner, to kill processes shows that defence-evasion techniques continue alongside data theft and encryption.
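The intermittent-encryption point above matters for detection: a whole-file entropy check, a common heuristic for spotting ransomware output, is pulled down by the untouched stretches of a partially encrypted file. The following added example (written for this page, not code from the report or from Symantec) measures entropy per fixed-size window instead, so a file that alternates encrypted and untouched regions is still flagged. The thresholds, window size and sample files are assumptions; random bytes stand in for ciphertext windows and no cipher is involved.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096      # window size in bytes; assumed, tune to the file sizes you expect
HIGH_ENTROPY = 7.5     # bits/byte; ciphertext or random data sits close to 8.0
LOW_ENTROPY = 6.5      # bits/byte; ordinary documents and structured data sit below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Label a file as plain, fully_encrypted or intermittent from its per-window entropy.

    Counting high-entropy windows catches partially encrypted files that a single
    whole-file entropy threshold would miss.
    """
    ents = chunk_entropies(data, chunk_size)
    total = len(ents)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if total == 0:
        verdict = "empty"
    elif high == total:
        verdict = "fully_encrypted"
    elif high == 0:
        verdict = "plain"
    else:
        verdict = "intermittent"
    return {
        "verdict": verdict,
        "chunks": total,
        "high_chunks": high,
        "low_chunks": low,
        "whole_file_entropy": round(shannon_entropy(data), 2),
    }


# Constructed sample files. Random bytes stand in for ciphertext windows; no cipher is used.
_rng = random.Random(2022)
TEXT_CHUNK = (b"Quarterly revenue figures and customer list, do not distribute. " * 64)[:CHUNK_SIZE]
PLAIN_FILE = TEXT_CHUNK * 16
FULL_FILE = b"".join(_rng.randbytes(CHUNK_SIZE) for _ in range(16))
# Alternating windows: the footprint a pattern or intermittent mode leaves behind.
INTERMITTENT_FILE = b"".join(
    _rng.randbytes(CHUNK_SIZE) if i % 2 == 0 else TEXT_CHUNK for i in range(16)
)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_FILE), ("full", FULL_FILE), ("intermittent", INTERMITTENT_FILE)):
        print(name, classify(blob))
```

The intermittent sample scores well under the high threshold as a whole file (half of its bytes are low-entropy text), yet half of its windows individually exceed it, which is what the classifier keys on. Entropy is only one signal: compressed archives and media also score high, so in practice this check is combined with extension changes, write-rate anomalies and the dropped ransom note.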
MITRE Techniques
- [T1486] Data Encrypted for Impact – The ransomware offers two encryption algorithms (ChaCha20 and AES) and four encryption modes, with SmartPattern encrypting in increments. ‘Full is the most secure but also the slowest mode. SmartPattern offers encryption of “N” megabytes in percentage increments.’
- [T1041] Exfiltration – Exmatter exfiltrates data to an attacker-controlled server prior to ransomware deployment on the victim’s network. ‘upload them to an attacker-controlled server prior to deployment of the ransomware itself on the victim’s network.’
- [T1555.003] Credentials in Password Stores – Infostealer.Eamfo steals credentials stored by Veeam and retrieves them via SQL. ‘The malware (Infostealer.Eamfo) is designed to connect to the SQL database where Veeam stores credentials, and it steals credentials with the following SQL query: select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]’
- [T1562.001] Impair Defenses – GMER rootkit usage to kill processes as a defensive evasion tactic. ‘GMER, a relatively old rootkit scanner that can be leveraged by ransomware actors to kill processes.’
- [T1110] Brute Force – Attackers can brute force NTDS, Kerberos tickets and other hashes. ‘Brute – making it possible to brute force NTDS, Kerberos tickets and other hashes for free’
- [T1499] Denial of Service – Affiliates’ Plus role includes DDoS against domains. ‘DDoS – used to target domains with DDoS attacks’
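The Eamfo query above reads a single, well-known table, which makes it a good candidate for a database-side detection: any read of VeeamBackup.dbo.Credentials by a client other than the Veeam service itself deserves an alert. The following added example (written for this page, not code from the report or from Veeam) applies that rule to audit lines in a simplified key=value format constructed for the example; real SQL Server audit output has a different shape and needs its own parser. The allowlisted client application name is an assumption to be tuned per deployment.

```python
import re

# Assumed allowlist of client applications that legitimately read Veeam's credential store;
# the backup service must read it to do its job, so tune this to your deployment.
ALLOWED_APPS = {"veeam.backup.service.exe"}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CREDENTIAL_TABLE = re.compile(r"\bfrom\s+veeambackup\.dbo\.credentials\b")
PASSWORD_COLUMN = re.compile(r"\bpassword\b")


def parse_event(line: str) -> dict:
    """Parse one key=value audit line; quoted values may contain spaces and '='."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def normalize_sql(stmt: str) -> str:
    """Drop T-SQL bracket quoting, collapse whitespace and lowercase so variants compare equal."""
    return re.sub(r"\s+", " ", stmt.replace("[", "").replace("]", "")).strip().lower()


def evaluate(event: dict):
    """Return an alert dict if the event reads the Veeam credential table from a non-allowlisted client."""
    stmt = normalize_sql(event.get("stmt", ""))
    if not CREDENTIAL_TABLE.search(stmt):
        return None
    if event.get("app", "").lower() in ALLOWED_APPS:
        return None
    select_list = stmt.split(" from ", 1)[0]
    # Reading the password column is the Eamfo pattern; other reads are still unexpected.
    severity = "high" if PASSWORD_COLUMN.search(select_list) else "medium"
    return {
        "ts": event.get("ts"),
        "host": event.get("host"),
        "login": event.get("login"),
        "app": event.get("app"),
        "severity": severity,
        "reason": "read of VeeamBackup.dbo.Credentials from non-allowlisted client",
    }


def detect(log_text: str) -> list:
    """Run the rule over every non-empty line of an audit log."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = evaluate(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed audit lines in a simplified key=value format (not real SQL Server audit output).
SAMPLE_AUDIT_LOG = r'''
ts=2022-12-01T03:14:07Z host=BKP01 login="CORP\svc_veeam" app="Veeam.Backup.Service.exe" stmt="SELECT [id],[user_name],[password] FROM [VeeamBackup].[dbo].[Credentials] WHERE [id] = @id"
ts=2022-12-01T03:21:55Z host=BKP01 login="CORP\jdoe" app="SQLCMD" stmt="select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]"
ts=2022-12-01T03:22:10Z host=BKP01 login="CORP\jdoe" app="SQLCMD" stmt="SELECT COUNT(*) FROM [VeeamBackup].[dbo].[ExampleTable]"
'''

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

Only the second line fires: the first is the service's own read, and the third touches a different table. Because the client application name is self-reported by the connecting process, a production rule should also allowlist the service account and host, and treat the Veeam server's SQL instance as a credential store in the same tier as a domain controller when deciding who may query it at all.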
Indicators of Compromise
- [File Hashes] ad5002c8a4621efbd354d58a71427c157e4b2805cb86f434d724fc77068f1c40 – Trojan.Exmatter; 8c5b108eab6a397bed4c099f13eed52aeeec37cc214423bde07544b44a62e74a – Ransom.Noberus; 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d – Infostealer.Eamfo (and 9 more hashes)
- [File Names] sync_enc.exe, without_cert.exe, vup.exe, morph.exe, locker.exe, isgmer.exe, kgeyauow.sys
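The hashes and file names above are the kind of indicators that get swept across file servers and backup hosts after a report like this. The following added example (written for this page, not a tool from the report or from Symantec) walks a directory tree, streams every file through SHA-256, and reports name or hash matches against the three hashes and seven file names listed here. The demo directory, its contents and the extra hash it registers are constructed purely to exercise both match paths.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators published in the report (the report lists further hashes not reproduced here).
NOBERUS_HASHES = {
    "ad5002c8a4621efbd354d58a71427c157e4b2805cb86f434d724fc77068f1c40": "Trojan.Exmatter",
    "8c5b108eab6a397bed4c099f13eed52aeeec37cc214423bde07544b44a62e74a": "Ransom.Noberus",
    "78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d": "Infostealer.Eamfo",
}
NOBERUS_FILE_NAMES = {
    "sync_enc.exe", "without_cert.exe", "vup.exe", "morph.exe",
    "locker.exe", "isgmer.exe", "kgeyauow.sys",
}


def sha256_file(path: Path, block_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, hashes=None, names=None) -> list:
    """Walk a tree and report files whose name or SHA-256 matches the indicator sets."""
    hashes = NOBERUS_HASHES if hashes is None else hashes
    names_lc = {n.lower() for n in (NOBERUS_FILE_NAMES if names is None else names)}
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = Path(dirpath) / fn
            reasons = []
            if fn.lower() in names_lc:
                reasons.append("file name matches IoC list")
            digest = sha256_file(path)
            if digest in hashes:
                reasons.append(f"SHA-256 matches {hashes[digest]}")
            if reasons:
                findings.append({"path": str(path), "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a constructed directory and scan it. The hash registered for payload.bin is
    computed from constructed content and is not an indicator from the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "isgmer.exe").write_bytes(b"constructed placeholder content\n")
        (root / "report.txt").write_bytes(b"ordinary document\n")
        sub = root / "tools"
        sub.mkdir()
        payload = sub / "payload.bin"
        payload.write_bytes(b"constructed payload bytes\n")
        hashes = dict(NOBERUS_HASHES)
        hashes[sha256_file(payload)] = "constructed-test-hash"
        return scan_directory(root, hashes=hashes)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A name match on its own is weak evidence (locker.exe and vup.exe are generic enough to collide with legitimate software), so the sweep records both signals separately and leaves the triage decision to the analyst; a hash match against the report's list is the strong signal.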