BLACK BASTA : RANSOMWARE

Published On : 2024-11-13

EXECUTIVE SUMMARY

Black Basta, known for its targeted attacks across multiple industries, emerged as a formidable ransomware group in 2022. Leveraging social engineering and advanced malware, the group systematically compromises networks, demanding ransoms under the threat of data exposure. Their evolving tactics highlight the urgent need for strong defenses and proactive cybersecurity strategies.

INTRODUCTION

Black Basta, a prominent Ransomware-as-a-Service (RaaS) group, emerged in April 2022 and has rapidly gained notoriety for targeting various sectors, including construction, healthcare, manufacturing, finance, retail, and entertainment. Black Basta ransomware has compromised more than 500 organizations across the globe. The group employs a range of tactics, including phishing, exploitation of vulnerabilities, and double extortion. Their operations involve meticulous reconnaissance, credential dumping, privilege escalation, and systematic exfiltration of sensitive information to maximize pressure on victims, compelling them to pay the ransom.

ASSESSMENT

Details of payloads used by the Black Basta team in action, including the possibility of blocking the said payload via hash in NGAV or EDR

Use of legitimate remote desktop access tool: Threat actor(s) send numerous spam emails to the target and then contact them on Microsoft Teams, posing as IT help desk support staff, with the aim of installing remote desktop software, such as AnyDesk or Quick Assist on the target system.

1st Payload Installation: Once connected to the victim over a remote desktop, the threat actor installs a payload disguised as anti-spam software, with names such as AntispamAccount.exe, AntispamUpdate.exe, and AntispamConnectUS.exe.

  • Malware name: AntispamConnectUS.exe
  • File Size: 2.14 MB (2245632 bytes)
  • MD5: 3ea66e531e24cddcc292c758ad8b51d5
  • SHA256: cf7af42525e715bd77f8465f6ac0fd9e5bea0da0
  (Note: this value is 40 hexadecimal characters, the length of a SHA-1 digest rather than a SHA-256 digest; verify the indicator against the sample before relying on it for blocking.)

This payload is proxy malware also known as SystemBC, which Black Basta has used in the past.

SystemBC is a type of Remote Access Trojan (RAT) first observed in the wild in 2018. It functions as a SOCKS5 proxy, creating a tunnel that retrieves proxy-related commands from a C2 server using a custom binary protocol over TCP. This allows threat actors to maintain persistent access to a compromised network.

Additionally, it can conceal communication with the Command and Control (C2) server and deliver other malware strains. SystemBC has been used by various threat actors in multiple campaigns, often in conjunction with other malware families, such as Rhysida, Black Basta, Cuba, Gootloader, Cobalt Strike, and Emotet.

To block the payloads used by the Black Basta group via hash in Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) systems, you can follow these steps:

  • Access NGAV or EDR Console: Log into the management console of your NGAV or EDR solution. This could be a platform like Microsoft Defender, CrowdStrike, SentinelOne, or any other solution you are using.
  • Navigate to the Threat Management Section: Look for the section where you can manage threats, which might be labeled as “Threat Management”, “Policy Management”, or “Security Settings”.
  • Add the Hash Values: Find the option to add or block files by hash. This is usually under a section like “Indicators of Compromise (IoC)” or “Custom Indicators.” Enter the MD5 and SHA256 hash values of the malicious files.
  • Save and Apply the Policy: After adding the hash values, save the changes and apply the policy. This will ensure that any file matching these hash values will be blocked from executing on any endpoint protected by your NGAV or EDR solution.
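As an added example that is not part of the advisory, the same name-and-hash check the console steps above configure, run offline in Python against the indicators listed above. The scanned directory and file are constructed; the 40-character value is typed by its length (SHA-1) rather than by the label the page gives it.

```python
import hashlib
import os
import tempfile

# Indicators copied from the advisory above. The value the page labels SHA256
# is 40 hex chars, a SHA-1 length, so indicators are typed by length, not label.
ADVISORY_HASHES = {"3ea66e531e24cddcc292c758ad8b51d5",
                   "cf7af42525e715bd77f8465f6ac0fd9e5bea0da0"}
SUSPECT_NAMES = {"antispamaccount.exe", "antispamupdate.exe", "antispamconnectus.exe"}
LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

def hash_algo(value):
    """Infer the digest algorithm from hex length; None if not a hex digest."""
    v = value.strip().lower()
    return LEN_TO_ALGO.get(len(v)) if all(c in "0123456789abcdef" for c in v) else None

def file_digests(path):
    """md5, sha1 and sha256 of a file, computed in one read pass."""
    hs = {a: hashlib.new(a) for a in LEN_TO_ALGO.values()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}

def scan_directory(root, iocs=ADVISORY_HASHES, names=SUSPECT_NAMES):
    """List (path, reason) for files whose name or digest matches an indicator."""
    by_algo = {}
    for v in iocs:
        algo = hash_algo(v)
        if algo:                                  # skip malformed indicators
            by_algo.setdefault(algo, set()).add(v.lower())
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in names:
                hits.append((path, "name matches advisory loader"))
            digests = file_digests(path)
            for algo, values in by_algo.items():
                if digests[algo] in values:
                    hits.append((path, f"{algo} matches advisory IoC"))
    return hits

def demo():
    """Constructed sample: a harmless file carrying one of the reported names."""
    with tempfile.TemporaryDirectory() as tmp:
        p = os.path.join(tmp, "AntispamConnectUS.exe")
        with open(p, "wb") as f:
            f.write(b"constructed sample, not malware\n")
        return scan_directory(tmp, iocs=ADVISORY_HASHES | {file_digests(p)["md5"]})
```

A name match alone is weak evidence (the loader names are generic), so treat it as a trigger for a hash and behaviour check rather than as a verdict.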

2nd Payload Installation: After installing the fake anti-spam program (AntispamConnectUS.exe), the threat actor leverages its capability to install the second payload, Cobalt Strike.

The Black Basta group has been known to use Cobalt Strike as part of their attack toolkit. Once the communication is set up after launching AntispamConnectUS.exe on the victim’s PC, the threat actor deploys Cobalt Strike beacons to establish a foothold. These beacons allow them to move laterally within the network, execute commands, and deploy additional payloads.

Cobalt Strike allows them to navigate through the network, and identify and compromise critical systems, often using tools like Brute Ratel and QakBot for assistance. The beacons provide a persistent and encrypted communication channel with the attacker’s command and control (C2) server, ensuring remote control of the infected machines. Ultimately, after gaining control and identifying valuable data, Black Basta deploys their ransomware to encrypt files and demand a ransom for decryption and non-release of stolen data.

List of possible Entra ID tenants that are correlated or used to launch the social engineering attack

Cybercriminals are using a new trick where they first flood an employee’s email with spam. Then, instead of calling, they message the employee on Microsoft Teams, pretending to be from the IT help desk and offering to help with the spam issue.

They create fake accounts that look like real help desk addresses, such as:

  • securityadminhelper.onmicrosoft[.]com
  • supportserviceadmin.onmicrosoft[.]com
  • supportadministrator.onmicrosoft[.]com
  • cybersecurityadmin.onmicrosoft[.]com

How Microsoft Teams enables external communication:

Microsoft Teams allows users from outside an organization to communicate with internal employees through external user accounts, which can be created under names or profiles that resemble legitimate help desk or IT support accounts. In recent incidents, attackers exploited this feature to pose as IT support, contacting employees directly on Teams. They created Entra ID tenant accounts designed to look like internal support, using names such as “supportadministrator” or “cybersecurityadmin” with display names including terms like “Help Desk” to seem authentic. This allowed the attackers to bypass traditional email-based phishing methods and message users directly within the Teams chat environment.
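As an added example, not from the advisory, a triage routine that applies the pattern described above (external onmicrosoft.com tenant, help-desk wording, tenant on the published list) to Teams chat events. The event shape is a constructed simplification, not Microsoft's audit schema, and the sample senders and the organisation's own tenant name are invented.

```python
# Terms the advisory reports in the impersonating tenant names and display names.
SUPPORT_TERMS = ("helpdesk", "help desk", "support", "securityadmin",
                 "cybersecurityadmin", "administrator", "it support")
# Lookalike tenants listed in the advisory (defanged with [.] on the page).
ADVISORY_TENANTS = {
    "securityadminhelper.onmicrosoft.com", "supportserviceadmin.onmicrosoft.com",
    "supportadministrator.onmicrosoft.com", "cybersecurityadmin.onmicrosoft.com",
}

def refang(domain):
    """Turn a defanged domain like 'x.onmicrosoft[.]com' back into a real one."""
    return domain.replace("[.]", ".").lower()

def classify_sender(sender, display_name, own_tenants):
    """Return the reasons a sender looks like an IT-help-desk impersonator."""
    reasons = []
    domain = refang(sender.rsplit("@", 1)[-1])
    if domain in own_tenants:
        return reasons                      # internal user, not external
    if not domain.endswith(".onmicrosoft.com"):
        return reasons                      # only default-tenant senders in scope
    reasons.append("external onmicrosoft.com tenant")
    if domain in ADVISORY_TENANTS:
        reasons.append("tenant listed in advisory")
    haystack = (domain.split(".")[0] + " " + display_name).lower()
    if any(t in haystack for t in SUPPORT_TERMS):
        reasons.append("help-desk wording in tenant or display name")
    return reasons

def triage(events, own_tenants):
    """Score constructed Teams chat events; return those worth an analyst's look."""
    alerts = []
    for e in events:
        reasons = classify_sender(e["sender"], e["display_name"], own_tenants)
        if len(reasons) >= 2:               # external tenant plus at least one more signal
            alerts.append({"sender": e["sender"], "reasons": reasons})
    return alerts

# Constructed sample events (simplified shape, not Microsoft's audit schema).
SAMPLE_EVENTS = [
    {"sender": "admin@cybersecurityadmin.onmicrosoft[.]com", "display_name": "Help Desk"},
    {"sender": "jane@contoso.onmicrosoft.com", "display_name": "Jane Doe"},
    {"sender": "bob@partnerfirm.onmicrosoft.com", "display_name": "Bob (IT Support)"},
    {"sender": "carol@example.com", "display_name": "Carol"},
]
OWN_TENANTS = {"contoso.onmicrosoft.com"}   # hypothetical: the defender's own tenant
```

The rule is deliberately noisy for external tenants that use support wording, since a genuine partner's IT contact will also trip it; restricting Teams external access to an allowlist of known tenants removes most of that noise at the source.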

Other details, such as the attack procedure after payloads are installed on the target desktop

As mentioned earlier, after installing the 1st payload (AntispamConnectUS.exe), the threat actor establishes a proxy tunnel from the compromised host that retrieves commands from a C2 server and uses it to deploy Cobalt Strike (2nd payload).

After deploying Cobalt Strike, the attackers initiate a series of strategic activities to further their malicious objectives. The beacons deployed by Cobalt Strike provide a persistent and encrypted communication channel with the attacker’s command and control (C2) server, allowing for remote management of the compromised systems. Utilizing these beacons, attackers engage in lateral movement across the network, systematically identifying and compromising critical systems.

Furthermore, they deploy additional tools and payloads to facilitate their movement and enhance their control over the network. The attackers meticulously harvest sensitive information and execute commands to maintain stealth and avoid detection. In the final stage, they prepare the ultimate payload, typically ransomware, such as Black Basta, to encrypt critical data and demand ransom payments for decryption and assurance that the stolen information will not be released.

RANSOMWARE NOTE

The ransomware generates multiple instances of a file, typically named ‘readme.txt’ or ‘instructions_read_me.txt’, depending on the variant, each containing the ransom note.

Sample Ransomware note

TOOLS USED BY BLACK BASTA RANSOMWARE

Tools commonly used by the Black Basta group include malware, adversary emulation frameworks, and legitimate tools:

  • BITSAdmin
  • Qakbot
  • Mimikatz
  • PowerShell
  • RClone
  • ScreenConnect
  • Splashtop
  • PSExec
  • WMI
  • EvilProxy
  • Cobalt Strike
  • SystemBC
  • SoftPerfect
  • Backstab
  • WinSCP
  • Netcat
  • Quick Assist
  • NetSupport Manager

BLACK BASTA RANSOMWARE VICTIMS ACCORDING TO INDUSTRIES SINCE JANUARY 2024

MOST TARGETED GEOGRAPHIES BY BLACK BASTA IN 2024

MITRE FRAMEWORK

Tactic | ID | Technique
Initial Access | T1566 | Phishing
Initial Access | T1566.004 | Phishing: Spear-phishing Voice
Initial Access | T1190 | Exploit Public-Facing Application
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
Discovery | T1083 | File and Directory Discovery
Execution | T1204.002 | User Execution: Malicious File
Execution | T1047 | Windows Management Instrumentation
Persistence | T1543.003 | Create or Modify System Process: Windows Service
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Defense Evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Defense Evasion | T1562.009 | Impair Defenses: Safe Mode Boot
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Credential Access | T1056.001 | Input Capture: Keylogging
Credential Access | T1003 | OS Credential Dumping
Discovery | T1033 | System Owner/User Discovery
Lateral Movement | T1570 | Lateral Tool Transfer
Command and Control | T1572 | Protocol Tunneling
Exfiltration | T1537 | Transfer Data to Cloud Account
Impact | T1490 | Inhibit System Recovery
Impact | T1486 | Data Encrypted for Impact

YARA RULES

rule win_blackbasta_w0 {
    meta:
        hash_1 = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
        hash_2 = "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef"
        date = "2022-07-21"
    strings:
        // ransom-note and Tor-site strings
        $s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion" fullword ascii
        $s2 = "Your data are stolen and encrypted" fullword ascii
        $s3 = "The data will be published on TOR website if you do not pay the ransom" fullword ascii
        $s4 = "Input is not valid base64-encoded data." fullword ascii
        $s5 = "(you should download and install TOR browser first https://torproject.org)" fullword ascii
        // mangled C++ symbols from the encryptor (ChaCha20 routines, ghc::filesystem) and build artefacts
        $a1 = "_Z12EncryptBytesP8Chacha20PhS1_S1_i" fullword ascii
        $a2 = "_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_" fullword ascii /* score: '17.00' */
        $a3 = "_ZNSt10_HashtableISsSt4pairIKSsPcESaIS3_ENSt8__detail10_Select1stESt8equal_toISsESt4hashISsENS5_18_Mod_range_hashingENS5_20_Default_ranged_hashENS5_20_Prime_rehash_policyENS5_17_Hashtable_traitsILb1ELb0ELb1EEEE21_M_insert_unique_nodeEmmPNS5_10_Hash_nodeIS3_Lb1EEE" fullword ascii
        $a4 = "_ZNSt8__detail9_Map_baseISsSt4pairIKSsPcESaIS4_ENS_10_Select1stESt8equal_toISsESt4hashISsENS_18_Mod_range_hashingENS_20_Default_ranged_hashENS_20_Prime_rehash_policyENS_17_Hashtable_traitsILb1ELb0ELb1EEELb1EEixEOSs" fullword ascii
        $a5 = "_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE" fullword ascii
        $a6 = "C:/Users/dssd/Desktop/src" fullword ascii
        $a7 = "totalBytesEncrypted" fullword ascii
    condition:
        // YARA gives 'and' higher precedence than 'or', so the filesize check
        // gates only the first branch; '8 of them' matches regardless of size.
        filesize < 600KB and
        (1 of ($s*) and 1 of ($a*)) or (8 of them)
}

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS

  • Implement robust security protocols, encryption, authentication and access-credential configurations for access to critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case the need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed that considers (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; and (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly to the latest versions and security patches.
  • Add the Sigma rules for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defenses based on the tactical intelligence provided.

CONCLUSION

The tactics of Black Basta highlight the critical need for resilient cybersecurity measures. Their use of social engineering and multi-stage attacks demonstrates how adaptable ransomware threats have become. Organizations must invest in comprehensive security, regular employee training, and rapid response capabilities to counteract these advanced threats effectively.