Cyberattack by Black Basta Gang Using Qakbot Malware

Qakbot is the first point of entry for the ransomware group when accessing an organization's network.

In an aggressive and widespread campaign, the Black Basta ransomware gang is using Qakbot malware (also referred to as QBot or Pinkslipbot) as its initial vector of compromise, delivered as a .IMG file. The campaign has targeted 10 to 15 different customers over the last two weeks, with the majority of the focus on US-based companies.

A threat advisory published by the Cybereason Global SOC (GSOC) on November 23 states that the infection is typically initiated by spam or phishing emails containing malicious links. Black Basta mainly uses Qakbot to stay active on victims' networks, and malicious URL links are its primary method of spreading the infection.

"The Black Basta ransomware gang is using Qakbot malware to construct an initial point of entry within a target organization's network, allowing it to move laterally and further infiltrate the network," according to the report. 

Several groups have augmented the functionality of Qakbot with additional modules, which have been shown to be useful for information theft, backdoors, and downloaders. Qakbot has also adopted a new method of delivering its malicious payload: it no longer uses JavaScript and instead uses Visual Basic Script.

Researchers noted that, during the compromise of the domain controller, the threat actor also used Cobalt Strike to gain remote access to the server and capture data from the machine. The attacker then deployed the ransomware, which disabled security mechanisms such as intrusion detection and prevention systems and anti-virus programs.

The report highlights the speed of the attacks as one of their most concerning aspects: the threat actor obtained domain administrator privileges within two hours of initial access, and ransomware was deployed within half a day.

GSOC observed that in more than one attack the threat actor disabled DNS services, locking the victim out of the network and making it more difficult for the victim to recover from the attack.

"Taking all of these observations into consideration, we recommend that security and detection teams keep an eye out for this campaign, which can quickly deteriorate IT infrastructure," the report reads. 

Organizations are advised to take proactive measures, as described in the report, such as identifying and blocking malicious network connections, resetting Active Directory access, engaging in incident response efforts, and cleaning up compromised machines.


Adding capabilities to Qakbot's operations 


There has been an uptick in operations by the Qakbot group lately. Over the past couple of years, the group has infected systems, installed attack frameworks, and sold access to other groups, including Black Basta.

As the group continues to expand its access-as-a-service network, it has compromised hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms, enabling it to conduct more attacks.

Several Qakbot operators were observed using DLL sideloading to deliver malware. In this technique, a legitimate executable and a malicious DLL are placed together in the same directory, so that the trusted executable loads the malicious library and the activity escapes detection.
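As an added defender-side illustration (not code from the Cybereason report or from this blog), the following Python script applies the classic detection heuristic for the sideloading pattern described above to image-load telemetry: a DLL whose file name matches a library that normally ships in the Windows system directories is loaded from the same directory as the host executable, and that directory is not a system directory. The field names (`Image`, `ImageLoaded`) follow Sysmon's image-load event, the DLL allow-list is an assumption that a real deployment would build from a golden image, and the events are constructed samples.

```python
"""Flag DLL sideloading candidates in image-load telemetry.

Heuristic: a DLL with a system-library file name is loaded from the
same directory as the executable that loaded it, and that directory
is not one of the Windows system directories. All records below are
constructed sample events, not telemetry from the report.
"""
from pathlib import PureWindowsPath

# DLL names that legitimately live under the system directories. A copy
# with one of these names loaded from anywhere else is the sideloading
# pattern. Assumption: in practice this set is generated from a clean
# reference image rather than hard-coded.
SYSTEM_DLLS = {"version.dll", "wininet.dll", "dbghelp.dll", "cryptbase.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed Sysmon-style image-load events (event ID 7 field names).
SAMPLE_EVENTS = [
    # benign: system binary loads the real version.dll from System32
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    # suspicious: a copied executable in Temp loads version.dll from Temp
    {"Image": r"C:\Users\alice\AppData\Local\Temp\calc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    # benign: vendor application loads its own library from its install dir
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll"},
]


def is_sideload_candidate(event):
    """Return True when the event matches the sideloading heuristic."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    # Only library names that are expected in the system directories matter.
    if dll.name.lower() not in SYSTEM_DLLS:
        return False
    # Loading from the real system directory is normal behaviour.
    if dll_dir in SYSTEM_DIRS:
        return False
    # Same directory as the host executable: the sideloading arrangement.
    return dll_dir == str(exe.parent).lower()


def find_sideload_candidates(events):
    """Return (executable, dll) pairs for every event that matches."""
    return [(e["Image"], e["ImageLoaded"])
            for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"sideload candidate: {exe} loaded {dll}")
```

The heuristic intentionally stays narrow: it only fires when a system-library name is loaded from the executable's own directory outside the system directories, which keeps noise low on hosts where vendor applications legitimately load their own libraries. Extending the DLL set from a known-good image and correlating with signer information on the loaded file are the usual next steps.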

Black Basta is linked to FIN7


As one of the most prolific ransomware families in recent years, Black Basta offers its ransomware as a service on underground forums in several countries. This means multiple operators may have Black Basta in their toolkit, making it difficult to attribute the malware to any particular operator.

The group has been operating since at least February, but its existence was only discovered two months later. It also has a Linux variant that targets VMware ESXi virtual machines and encrypts files in a specific volume folder. The group operates globally and primarily targets English-speaking countries.

Black Basta is one of the most prominent cybercrime operations that has emerged recently, and according to researchers at SentinelOne, it has been associated with FIN7, a group of financially motivated cybercriminals estimated to have stolen well over $1.2 billion since its inception in 2012.