Black Basta Ransomware Teams Up with Malware Stalwart Qbot

Jun 9, 2022 | News


Black Basta, a ransomware group that emerged in April, leveraged Qbot (a.k.a. Qakbot) to move laterally on compromised networks.

 

The novel cybercriminal group tapped the ever-evolving info-stealing trojan to move laterally on a network in a recent attack, researchers have found.

A newcomer on the ransomware scene has coopted a 14-year-old malware variant to help it maintain persistence on a targeted network in a recent attack, researchers have found.

“Qakbot was the primary method utilized by the threat actor to maintain their presence on the network,” NCC Group’s Ross Inman and Peter Gurney wrote in their post.

Qbot emerged in 2008 as a Windows-based info-stealing trojan capable of keylogging, exfiltrating cookies, and lifting online banking details and other credentials. Since then it has stood the test of time through constant evolution, morphing into sophisticated malware with clever detection-evasion and context-aware delivery tactics, as well as phishing capabilities that include e-mail hijacking, among others.

Black Basta is, in contrast, a relative baby when it comes to cyber-criminality. The first reports of an attack by the ransomware group occurred only a few months ago.


Black Basta, like many others of its kind, uses double-extortion attacks in which data is first exfiltrated from the network before the ransomware is deployed. The group then threatens to leak the data on a Tor site that it uses exclusively for this purpose.

 

Qbot in the Mix

 

It’s not unusual for ransomware groups to leverage Qbot in the initial compromise of a network. However, Black Basta’s use of it appears to be unique, researchers said.

“The seriousness and efficiency of the collaboration cannot be underestimated,” observed Garret Grajek, CEO of security firm YouAttest, who said in an email to Threatpost that the finding also ups the ante in terms of how organizations must protect themselves.

NCC Group discovered the attack after noticing a text file named pc_list.txt in the C:\Windows\ folder of two compromised domain controllers, they said.

“Both contained a list of internal IP addresses of all the systems on the network,” researchers wrote. “This was to supply the threat actor with a list of IP addresses to target when deploying the ransomware.”

Once the ransomware group gained access to the network and created a PsExec.exe in the C:\Windows\ folder, it used Qbot remotely to create a temporary service on a target host, which was configured to execute a Qakbot DLL using regsvr32.exe, researchers wrote.


To proceed with lateral movement, Black Basta then used RDP along with the deployment of a batch file called rdp.bat, which contained command lines to enable RDP logons. This allowed the threat actor to establish remote desktop sessions on compromised hosts, even where RDP had originally been disabled, researchers said.

 

Evasion Tactics and Ransomware Execution

 

Researchers observed specific characteristics of the Black Basta attack during their investigation of the incident, including how the group evades detection and how it executes the ransomware on compromised systems, they said.

The group commences nefarious activity on a network even before it deploys ransomware by establishing RDP sessions to Hyper-V servers, modifying configurations for the Veeam backup jobs and deleting the backups of the hosted virtual machines, researchers said. It then uses WMI (Windows Management Instrumentation) to push out ransomware, they said.

During the attack, two specific steps were also taken as evasion tactics to prevent detection and disable Windows Defender. One was to deploy the batch script d.bat locally on compromised hosts and execute PowerShell commands, while another involved creating a GPO (Group Policy Object) on a compromised Domain Controller. The latter would push out changes to the Windows Registry of domain-joined hosts to slip through protections, researchers said.
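The artefacts NCC Group describes above (pc_list.txt and PsExec.exe dropped in C:\Windows on domain controllers, a temporary service that runs a DLL through regsvr32.exe, rdp.bat, d.bat, a GPO created on a DC) map directly onto detection rules. The following is an added example, not code from the article or from NCC Group: it runs such rules over a constructed, simplified telemetry format; the host names, the DLL path and the record layout are assumptions, and a real deployment would read service-installation, process-creation and file-creation events from the EDR or SIEM instead.

```python
import re

# Constructed sample telemetry in a simplified, hypothetical record format (not a real
# Windows event export). The artefacts named in the write-up (pc_list.txt, PsExec.exe,
# rdp.bat, d.bat under C:\Windows, a regsvr32-launched DLL service, a GPO on a DC) are
# kept; every other path and host name is made up.
EVENTS = [
    {"host": "DC01", "is_dc": True,  "kind": "file_create",     "detail": r"C:\Windows\pc_list.txt"},
    {"host": "DC01", "is_dc": True,  "kind": "file_create",     "detail": r"C:\Windows\PsExec.exe"},
    {"host": "WS17", "is_dc": False, "kind": "service_install", "detail": r"regsvr32.exe /s C:\Users\Public\stage.dll"},
    {"host": "WS17", "is_dc": False, "kind": "process",         "detail": r"cmd.exe /c C:\Windows\rdp.bat"},
    {"host": "WS21", "is_dc": False, "kind": "process",         "detail": r"cmd.exe /c C:\Windows\d.bat"},
    {"host": "DC01", "is_dc": True,  "kind": "gpo_create",      "detail": "new GPO linked to domain root"},
    {"host": "WS03", "is_dc": False, "kind": "service_install", "detail": r"C:\Program Files\Vendor\agent.exe"},
]

# (title, event kind, pattern on the detail field, only meaningful on a domain controller)
RULES = [
    ("target IP list staged on a DC",      "file_create",     re.compile(r"\\windows\\pc_list\.txt$", re.I), True),
    ("PsExec dropped into C:\\Windows",    "file_create",     re.compile(r"\\windows\\psexec\.exe$", re.I),   False),
    ("service launches regsvr32 on a DLL", "service_install", re.compile(r"regsvr32\.exe.*\.dll", re.I),      False),
    ("rdp.bat run to enable RDP logons",   "process",         re.compile(r"\\rdp\.bat\b", re.I),               False),
    ("d.bat run against Defender",         "process",         re.compile(r"\\d\.bat\b", re.I),                 False),
    ("GPO created on a DC",                "gpo_create",      re.compile(r"."),                                True),
]

def match_events(events):
    """Return (rule title, host, detail) for every event a rule matches; rules flagged
    DC-only fire only on records that come from a domain controller."""
    hits = []
    for ev in events:
        for title, kind, pattern, dc_only in RULES:
            if ev["kind"] == kind and pattern.search(ev["detail"]) and (ev["is_dc"] or not dc_only):
                hits.append((title, ev["host"], ev["detail"]))
    return hits

def stages_per_host(hits):
    """Count the distinct chain stages seen on each host: several stages on one host is a
    much stronger signal than any single rule firing on its own."""
    stages = {}
    for title, host, _ in hits:
        stages.setdefault(host, set()).add(title)
    return {host: len(titles) for host, titles in stages.items()}
```

The vendor service on WS03 shows why the regsvr32 rule keys on the DLL launch rather than on service installation alone.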

Once it’s deployed, Black Basta ransomware itself, like many ransomware variants, doesn’t encrypt the entire file, researchers found. Instead, it “only partially encrypts the file to increase the speed and efficiency of encryption,” by encrypting 64-byte blocks of a file interspaced by 128 bytes, they wrote.
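The 64-bytes-encrypted, 128-bytes-skipped layout described above can be checked from an entropy profile of a file, which tells a responder both whether a file really was hit and how much of it is still in the clear. Below is an added example, not code from the article or from NCC Group: it assumes the pattern starts at offset 0 and ignores the data appended at the end of the file, and the "encrypted" sample is constructed by overwriting the 64-byte heads with seeded pseudo-random bytes, with no cipher involved.

```python
import math
import random

ENC_BLOCK = 64              # bytes encrypted per stride, per the NCC Group findings above
GAP = 128                   # plaintext bytes left untouched after each encrypted block
STRIDE = ENC_BLOCK + GAP    # the repeating 192-byte pattern

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: random/ciphertext data sits near the ceiling for its size, text far below."""
    n = len(chunk)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def intermittent_profile(data: bytes, threshold: float = 5.0):
    """Walk the body in 192-byte strides (assumed to begin at offset 0) and count strides
    whose 64-byte head and whose 128-byte tail exceed the entropy threshold.
    Returns (high_entropy_heads, high_entropy_tails, strides_examined)."""
    heads = tails = strides = 0
    for off in range(0, len(data) - STRIDE + 1, STRIDE):
        strides += 1
        heads += int(shannon_entropy(data[off:off + ENC_BLOCK]) > threshold)
        tails += int(shannon_entropy(data[off + ENC_BLOCK:off + STRIDE]) > threshold)
    return heads, tails, strides

def looks_intermittently_encrypted(data: bytes) -> bool:
    """True when nearly every head is high-entropy and nearly every tail is not."""
    heads, tails, strides = intermittent_profile(data)
    return strides > 0 and heads >= 0.9 * strides and tails <= 0.1 * strides

def recoverable_plaintext(data: bytes) -> bytes:
    """Concatenate the 128-byte gaps, i.e. the bytes such a file still holds in the clear."""
    return b"".join(data[off + ENC_BLOCK:off + STRIDE] for off in range(0, len(data), STRIDE))

# Constructed sample: a low-entropy "document" and a copy on which the layout is simulated
# by overwriting each 64-byte head with seeded pseudo-random bytes (no cipher or key involved).
PLAINTEXT = (b"Quarterly finance summary, draft three, internal distribution only. " * 40)[:STRIDE * 12]

def simulate_layout(plain: bytes, seed: int = 7) -> bytes:
    rng = random.Random(seed)
    out = bytearray(plain)
    for off in range(0, len(out) - STRIDE + 1, STRIDE):
        out[off:off + ENC_BLOCK] = bytes(rng.getrandbits(8) for _ in range(ENC_BLOCK))
    return bytes(out)

SAMPLE = simulate_layout(PLAINTEXT)
```

On the constructed sample every head is flagged and no tail is, and two thirds of the bytes come back from recoverable_plaintext unchanged.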


To modify files, the group also uses an RSA-encrypted key generated earlier and the value 0x00020000, which are appended to the end of the file to be used later for decryption purposes, researchers said. Following successful encryption of a file, its extension is changed to .basta, which automatically switches its icon to the icon file dropped earlier, they added.

Source: threatpost.com
