The threat actors behind the Black Basta ransomware have been observed switching up their social engineering tactics and distributing a different set of payloads, including Zbot and DarkGate, since early October 2024.
“Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user’s email to numerous mailing lists simultaneously,” Rapid7 said. “After the email bomb, the threat actor will reach out to the impacted users.”
As noted back in August, the attackers primarily approach potential targets on Microsoft Teams, posing as support personnel or IT staff; in several cases they have impersonated IT employees of the targeted company itself.
Users who end up engaging with the threat actors are urged by them to install legitimate remote access software such as AnyDesk, ScreenConnect, TeamViewer, and Microsoft's Quick Assist. Microsoft tracks the cybercriminal group behind the abuse of Quick Assist for Black Basta deployment under the alias Storm-1811.
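The "email bomb" that opens the attack chain above is detectable at the mail gateway before anyone answers a Teams call: a single mailbox suddenly receiving list traffic from dozens of unrelated senders inside a few minutes. The following is an added example, not code from the article or from Rapid7, and it assumes gateway logs have already been reduced to one record per message with a timestamp, recipient, sender and the value of the List-Id header (empty when absent); the thresholds and the sample records are constructed for illustration.

```python
"""Heuristic detector for mailing-list "email bombing" of a single mailbox.

Added example, not from the original article or Rapid7's reporting. Assumes
mail-gateway logs reduced to dicts with keys: ts (ISO-8601), rcpt, sender,
list_id (the List-Id header, "" when absent). Records must be sorted by ts.
A burst of list traffic to one recipient from many distinct sender domains
within a short window is flagged.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable thresholds (assumptions for this example, not from the article).
WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 20
MIN_DOMAINS = 10


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def detect_email_bombs(records, window=WINDOW, min_messages=MIN_MESSAGES, min_domains=MIN_DOMAINS):
    """Return {recipient: (window_start, window_end, msg_count, domain_count)}.

    Only messages carrying a List-Id header are counted, because the technique
    works by subscribing the victim to many mailing lists; ordinary mail to the
    same mailbox does not contribute to the burst."""
    per_rcpt = defaultdict(deque)  # rcpt -> deque of (ts, sender_domain) inside the window
    alerts = {}
    for rec in records:
        if not rec.get("list_id"):
            continue
        ts = datetime.fromisoformat(rec["ts"])
        rcpt = rec["rcpt"].lower()
        q = per_rcpt[rcpt]
        q.append((ts, sender_domain(rec["sender"])))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        domains = {d for _, d in q}
        if len(q) >= min_messages and len(domains) >= min_domains:
            if rcpt in alerts:
                start, _, n, d = alerts[rcpt]
                alerts[rcpt] = (min(start, q[0][0]), ts, max(n, len(q)), max(d, len(domains)))
            else:
                alerts[rcpt] = (q[0][0], ts, len(q), len(domains))
    return alerts


def build_sample_records():
    """Constructed sample data (not real logs): 30 list confirmations from 30
    distinct domains hit one mailbox within five minutes, while a colleague
    receives a routine newsletter and the victim gets one normal message."""
    base = datetime(2024, 10, 7, 9, 0, 0)
    recs = []
    for i in range(30):
        recs.append({"ts": (base + timedelta(seconds=10 * i)).isoformat(),
                     "rcpt": "victim@example.com",
                     "sender": f"newsletter@list{i:02d}.example.net",
                     "list_id": f"<list{i:02d}.example.net>"})
    for i in range(3):
        recs.append({"ts": (base + timedelta(minutes=i)).isoformat(),
                     "rcpt": "colleague@example.com",
                     "sender": "weekly@vendor.example.org",
                     "list_id": "<weekly.vendor.example.org>"})
    recs.append({"ts": (base + timedelta(minutes=2)).isoformat(),
                 "rcpt": "victim@example.com", "sender": "boss@example.com", "list_id": ""})
    recs.sort(key=lambda r: r["ts"])  # same ISO format, so string order is time order
    return recs


if __name__ == "__main__":
    for rcpt, (start, end, n, d) in detect_email_bombs(build_sample_records()).items():
        print(f"ALERT {rcpt}: {n} list messages from {d} domains "
              f"between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

Counting only messages with a List-Id header keeps a busy but legitimate mailbox from tripping the rule, and requiring many distinct sender domains separates a bombing run from one chatty list. An alert on a mailbox should prompt a check of that user's recent Teams activity from external tenants and of any remote access tool installs on their endpoint, since the follow-up call is the actual compromise step.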
According to Rapid7, the ransomware crew also attempted to use the OpenSSH client to establish a reverse shell, and to send the affected user a malicious QR code through the chat, most likely to steal their credentials under the guise of adding a trusted mobile device.
ReliaQuest, which previously covered the same campaign, theorized that the QR codes are being used to redirect users to further malicious infrastructure.
The remote access enabled by the installation of AnyDesk (or its equivalent) is then used to deliver additional payloads to the compromised host, including a custom credential-harvesting program, followed by the execution of Zbot (also known as ZLoader) or DarkGate, which can serve as a gateway for follow-on attacks.
“The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials,” Rapid7 security researcher Tyler McGraw said.
“When possible, operators will also still attempt to steal any available VPN configuration files. With the user’s credentials, organization VPN information, and potential MFA bypass, it may be possible for them to authenticate directly to the target environment.”
Black Basta emerged as an independent group from the ashes of Conti following the latter's shutdown in 2022. The outfit initially relied on QakBot to penetrate targets before branching out into social engineering. Since then, the threat actor, also tracked as UNC4393, has used a number of custom malware families to accomplish its goals:
- KNOTWRAP, a memory-only dropper written in C/C++ that can execute an additional payload in memory
- KNOTROCK, a .NET-based utility used to execute KNOTWRAP
- DAWNCRY, a memory-only dropper that decrypts an embedded resource into memory using a hard-coded key
- PORTYARD, a tunneler that connects to a hard-coded command-and-control (C2) server using a custom binary protocol over TCP
- COGSCAN, a .NET reconnaissance tool used to compile a list of hosts reachable on the network
“Black Basta’s evolution in malware dissemination shows a peculiar shift from a purely botnet-reliant approach to a hybrid model that integrates social engineering,” RedSense’s Yelisey Bohuslavskiy said.
The disclosure follows Check Point's detailed analysis of an updated Rust variant of the Akira ransomware, which revealed the malware authors' reliance on ready-made boilerplate code tied to third-party libraries and crates such as seahorse, rust-crypto, and indicatif.
It also comes as ransomware attacks have been observed deploying Elpaco, a variant of the Mimic ransomware, and as Rhysida infections have used CleanUpLoader to aid persistence and data exfiltration. The malware is frequently disguised as installers for popular programs such as Google Chrome and Microsoft Teams.
“By creating typosquatted domains resembling popular software download sites, Rhysida tricks users into downloading infected files,” Recorded Future said. “This technique is particularly effective when coupled with SEO poisoning, in which these domains are ranked higher in search engine results, making them appear as legitimate download sources.”
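Lookalike domains of the kind Recorded Future describes can be triaged automatically from proxy or DNS logs by comparing each registrable domain against a short allow-list of the software vendors an organization actually downloads from. The following is an added example, not code from the article or from Recorded Future; the allow-list, the homoglyph table and the candidate hostnames are constructed for illustration, and the registrable-domain split is deliberately naive (it assumes single-label public suffixes such as .com).

```python
"""Classify hostnames as legitimate, typosquat, homoglyph, combosquat or unknown
relative to a small allow-list of software download domains.

Added example, not from the original article or Recorded Future. LEGIT_DOMAINS,
HOMOGLYPHS and the sample hosts below are constructed for illustration.
"""

# Constructed allow-list: the vendors an organization expects to download from.
LEGIT_DOMAINS = ["microsoft.com", "google.com", "anydesk.com"]

# Common character substitutions seen in lookalike domains (assumed table).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumes no multi-part suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def second_level(domain: str) -> str:
    """The label being imitated, e.g. 'anydesk' from 'anydesk.com'."""
    return domain.split(".")[0]


def normalize(label: str) -> str:
    """Fold look-alike characters so 'g00gle' and 'google' compare equal."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so a swapped pair such as 'anydsek' vs 'anydesk' costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str, legit=LEGIT_DOMAINS, max_dist: int = 2):
    """Return (verdict, closest_legit_domain). Verdicts are checked in order:
    legitimate, homoglyph, typosquat, combosquat, unknown."""
    domain = registrable(host)
    if domain in legit:
        return "legitimate", domain
    sld = second_level(domain)
    best, best_dist = None, None
    for cand in legit:
        cand_sld = second_level(cand)
        if normalize(sld) == normalize(cand_sld):
            return "homoglyph", cand
        dist = edit_distance(sld, cand_sld)
        if best_dist is None or dist < best_dist:
            best, best_dist = cand, dist
    if best_dist is not None and best_dist <= max_dist:
        return "typosquat", best
    for cand in legit:
        if second_level(cand) in sld:  # brand name embedded in a longer label
            return "combosquat", cand
    return "unknown", None


if __name__ == "__main__":
    # Constructed hostnames, not domains observed in the campaign.
    for host in ["download.anydesk.com", "anydsek.com", "g00gle.com",
                 "anydesk-download.com", "teamviewer.com"]:
        print(host, "->", classify(host))
```

The ordering matters: an exact allow-list hit short-circuits everything, and the homoglyph check runs before edit distance because a substitution like 0 for o is also a distance-1 edit and would otherwise be reported under the less specific label. In production the naive suffix split should be replaced with a public-suffix list, and "unknown" verdicts for hosts serving installers are the ones worth a second look, since a fresh combosquat with a brand not on the list will land there.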