Dec 09, 2024Ravie LakshmananThreat Intelligence / Malware

The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics, distributing a different set of payloads such as Zbot and DarkGate since early October 2024.

“Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user’s email to numerous mailing lists simultaneously,” Rapid7 said. “After the email bomb, the threat actor will reach out to the impacted users.”

As observed back in August, the attackers make initial contact with prospective targets on Microsoft Teams, pretending to be support personnel or IT staff of the organization. In some instances, they have also been observed impersonating IT staff members within the targeted organization.

Users who end up interacting with the threat actors are urged to install legitimate remote access software such as AnyDesk, ScreenConnect, TeamViewer, and Microsoft’s Quick Assist. The Windows maker is tracking the cybercriminal group behind the abuse of Quick Assist for Black Basta deployment under the name Storm-1811.

Rapid7 said it also detected attempts made by the ransomware crew to leverage the OpenSSH client to establish a reverse shell, as well as send a malicious QR code to the victim user via the chats to likely steal their credentials under the pretext of adding a trusted mobile device.

However, cybersecurity company ReliaQuest, which also reported on the same campaign, theorized the QR codes are being used to direct users to further malicious infrastructure.

The remote access facilitated by the installation of AnyDesk (or its equivalent) is then used to deliver additional payloads to the compromised host, including a custom credential harvesting program followed by the execution of Zbot (aka ZLoader) or DarkGate, which can serve as a gateway for follow-on attacks.

“The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials,” Rapid7 security researcher Tyler McGraw said.

“When possible, operators will also still attempt to steal any available VPN configuration files. With the user’s credentials, organization VPN information, and potential MFA bypass, it may be possible for them to authenticate directly to the target environment.”

Black Basta emerged as an autonomous group from the ashes of Conti in the wake of the latter’s shutdown in 2022, initially leaning on QakBot to infiltrate targets, before diversifying into social engineering techniques. The threat actor, which is also referred to as UNC4393, has since put to use various bespoke malware families to carry out its objectives –

• KNOTWRAP, a memory-only dropper written in C/C++ that can execute an additional payload in memory
• KNOTROCK, a .NET-based utility that’s used to execute the ransomware
• DAWNCRY, a memory-only dropper that decrypts an embedded resource into memory with a hard-coded key
• PORTYARD, a tunneler that establishes a connection to a hard-coded command-and-control (C2) server using a custom binary protocol over TCP
• COGSCAN, a .NET reconnaissance assembly used to gather a list of hosts available on the network

“Black Basta’s evolution in malware dissemination shows a peculiar shift from a purely botnet-reliant approach to a hybrid model that integrates social engineering,” RedSense’s Yelisey Bohuslavskiy said.

The disclosure comes as Check Point detailed its analysis of an updated Rust variant of the Akira ransomware, highlighting the malware authors’ reliance on ready-made boilerplate code associated with third-party libraries and crates like indicatif, rust-crypto, and seahorse.

Ransomware attacks have also employed a variant of the Mimic ransomware called Elpaco, with Rhysida infections also employing CleanUpLoader to aid in data exfiltration and persistence. The malware is often disguised as installers for popular software, such as Microsoft Teams and Google Chrome.

“By creating typosquatted domains resembling popular software download sites, Rhysida tricks users into downloading infected files,” Recorded Future said. “This technique is particularly effective when coupled with SEO poisoning, in which these domains are ranked higher in search engine results, making them appear as legitimate download sources.”