Threat actors associated with Black Basta ransomware have been observed switching their social engineering tactics and distributing a different set of payloads, such as Zbot and DarkGate, since early October 2024.
"Users in the target environment will be bombarded with email from the threat actor, which is often achieved by registering the user's email to multiple mailing lists at the same time," Rapid7 said. "After the email bomb, the threat actor will reach out to the affected users."
As observed back in August, the attackers make initial contact with prospective targets on Microsoft Teams by impersonating support or IT staff. In some cases, they have also been seen impersonating IT staff members within the target organization itself.
Users who end up interacting with the threat actors are urged to install legitimate remote access software such as AnyDesk, ScreenConnect, TeamViewer, and Microsoft's Quick Assist. Microsoft tracks the cybercriminal group behind the Quick Assist abuse for Black Basta deployment as Storm-1811.
Rapid7 said it also discovered attempts by the ransomware crew to use the OpenSSH client to establish a reverse shell, as well as to send a malicious QR code to the victim user via chat, presumably to steal their credentials under the pretext of adding a trusted mobile device.
However, cybersecurity company ReliaQuest, which also reported on the same campaign, suggested that the QR codes are being used to direct users to further malicious infrastructure.
The remote access enabled by the installation of AnyDesk (or its equivalent) is then used to deliver additional payloads to the compromised host, including a custom credential harvester, followed by the execution of Zbot (aka ZLoader) or DarkGate, which can serve as a gateway for follow-on attacks.
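The chain described above (an email bomb, then a help-desk impersonation, then the victim installing a remote access tool) is one a defender can correlate from ordinary telemetry: a sudden inbound-mail spike for one user, followed within a short window by a remote access binary starting on that user's host. The following is an added example written for this page, not Rapid7's or Microsoft's code; the event format, field names, binary names, thresholds and the sample events are all constructed assumptions rather than any vendor schema or published indicator list.

```python
"""Added example: correlate an email-bomb burst with a later remote-access-tool
launch by the same user. Event format 'ts|kind|k=v|k=v' and every threshold
below are constructed for illustration, not a vendor schema or IOC list."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Executable names for the tools named in the report (assumed, lower-cased).
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "teamviewer.exe",
    "quickassist.exe",
}

MAIL_BURST_THRESHOLD = 50            # inbound messages within MAIL_WINDOW (tuning assumption)
MAIL_WINDOW = timedelta(minutes=10)  # sliding window for the mail burst
FOLLOW_ON_WINDOW = timedelta(hours=2)  # how long after the burst an RMM start is suspicious


def parse_event(line):
    """Parse 'ts|kind|key=value|...' into a dict with a datetime 'ts'."""
    ts, kind, *fields = line.strip().split("|")
    event = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_mail_bursts(events):
    """Return {user: timestamp at which the burst threshold was first crossed}.

    Keeps a per-user deque of recent mail timestamps and drops entries older
    than MAIL_WINDOW, so the check is O(1) amortised per event.
    """
    recent = defaultdict(deque)
    bursts = {}
    for event in events:
        if event["kind"] != "mail":
            continue
        user = event["user"]
        if user in bursts:          # already flagged; keep the first crossing
            continue
        window = recent[user]
        window.append(event["ts"])
        while window and event["ts"] - window[0] > MAIL_WINDOW:
            window.popleft()
        if len(window) >= MAIL_BURST_THRESHOLD:
            bursts[user] = event["ts"]
    return bursts


def detect(lines):
    """Return (user, burst_ts, proc_ts, image) for every remote-access tool
    started by a user within FOLLOW_ON_WINDOW after that user's mail burst."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    bursts = find_mail_bursts(events)
    alerts = []
    for event in events:
        if event["kind"] != "proc":
            continue
        user = event["user"]
        image = PureWindowsPath(event["image"]).name.lower()
        if user not in bursts or image not in RMM_BINARIES:
            continue
        burst_ts = bursts[user]
        if burst_ts <= event["ts"] <= burst_ts + FOLLOW_ON_WINDOW:
            alerts.append((user, burst_ts, event["ts"], image))
    return alerts


def sample_events():
    """Constructed telemetry: one victim, one benign RMM user, one burst-only user."""
    base = datetime(2024, 10, 8, 9, 0)
    lines = []
    # alice: 60 mailing-list confirmations in ~8 minutes, then AnyDesk 50 minutes later.
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=8 * i)).isoformat()}|mail|user=alice|subject=Welcome to list {i}")
    lines.append(f"{(base + timedelta(minutes=50)).isoformat()}|proc|user=alice|image=C:\\Users\\alice\\Downloads\\AnyDesk.exe")
    lines.append(f"{(base + timedelta(minutes=51)).isoformat()}|proc|user=alice|image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE")
    # bob: normal mail volume, then TeamViewer for a real help-desk session: no alert.
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()}|mail|user=bob|subject=Status {i}")
    lines.append(f"{(base + timedelta(minutes=20)).isoformat()}|proc|user=bob|image=C:\\Program Files\\TeamViewer\\TeamViewer.exe")
    # carol: mail burst but no remote-access tool started: no alert.
    for i in range(55):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()}|mail|user=carol|subject=Newsletter {i}")
    return lines


if __name__ == "__main__":
    for user, burst_ts, proc_ts, image in detect(sample_events()):
        print(f"ALERT {user}: mail burst at {burst_ts}, {image} started at {proc_ts}")
```

Only alice's events produce an alert: the burst alone (carol) and the remote access tool alone (bob) are each ordinary on their own, which is why the correlation, not either signal by itself, is the useful detection. In a real deployment the burst threshold and the follow-on window need tuning per environment, and a subsequent outbound SSH connection or the presence of an external Teams sender would be natural additional signals to fold in.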
“The overall goal after initial access appears to be the same: to quickly re-enumerate the environment and reset the user’s credentials,” said Rapid7 security researcher Tyler McGraw.
"If possible, operators will also try to steal any available VPN configuration files. With the user's credentials, organization VPN information, and potentially an MFA bypass, they can authenticate directly to the target environment."
Black Basta emerged as an autonomous group from the ashes of Conti in the wake of the latter's shutdown in 2022, initially relying on QakBot to infiltrate targets before diversifying its initial access techniques into social engineering. The threat actor, also tracked as UNC4393, has since commissioned various custom malware families to fulfill its goals:
- KNOTWRAP, a memory-only dropper written in C/C++ that can execute additional payloads in memory
- KNOTROCK, a .NET-based utility used to execute the ransomware
- DAWNCRY, a memory-only dropper that decrypts an embedded resource in memory using a hard-coded key
- PORTYARD, a tunneler that establishes a connection to a hard-coded command-and-control (C2) server using a custom binary protocol over TCP
- COGSCAN, a .NET reconnaissance assembly used to gather a list of hosts reachable on the network
"Black Basta's evolution in malware distribution shows a distinct shift from a botnet-only approach to a hybrid model that incorporates social engineering," RedSense's Elisey Boguslavsky said.
The disclosure comes as Check Point detailed its analysis of an updated Rust-based version of the Akira ransomware, highlighting the malware authors' reliance on ready-made boilerplate code tied to third-party libraries and crates such as indicatif, rust-crypto, and seahorse.
Ransomware attacks have also been observed using a variant of the Mimic ransomware dubbed Elpaco, while Rhysida infections are also using CleanUpLoader to assist with data exfiltration and persistence. The malware often disguises itself as installers for popular software such as Microsoft Teams and Google Chrome.
"By creating typosquatted domains that resemble popular software download sites, Rhysida tricks users into downloading infected files," Recorded Future said. "This technique is particularly effective when combined with SEO poisoning, where these domains rank higher in search engine results, making them look like legitimate download sources."