Black Basta, known for its targeted attacks across multiple industries, emerged as a formidable ransomware group in 2022. Leveraging social engineering and advanced malware, the group systematically compromises networks, demanding ransoms under the threat of data exposure. Their evolving tactics highlight the urgent need for strong defenses and proactive cybersecurity strategies.
Black Basta, a prominent Ransomware-as-a-Service (RaaS) group, emerged in April 2022 and has rapidly gained notoriety for targeting sectors including construction, healthcare, manufacturing, finance, retail, and entertainment. Black Basta affiliates have compromised more than 500 organizations worldwide. The group employs a range of tactics, including phishing, exploitation of vulnerabilities, and double extortion. Their operations involve meticulous reconnaissance, credential dumping, privilege escalation, and systematic exfiltration of sensitive information to maximize pressure on victims and compel them to pay the ransom.
Details of payloads used by the Black Basta team in action, including the possibility of blocking the said payload via hash in NGAV or EDR
Use of legitimate remote desktop access tool: Threat actor(s) send numerous spam emails to the target and then contact them on Microsoft Teams, posing as IT help desk support staff, with the aim of installing remote desktop software, such as AnyDesk or Quick Assist on the target system.
1st Payload Installation: Once connected to the victim over the remote desktop session, the threat actor installs a payload disguised as anti-spam software, using names such as AntispamAccount.exe, AntispamUpdate.exe, and AntispamConnectUS.exe.
This payload is a proxy malware also known as SystemBC, which has been used by Black Basta in the past.
SystemBC is a type of Remote Access Trojan (RAT) first observed in the wild in 2018. It functions as a SOCKS5 proxy, creating a tunnel that retrieves proxy-related commands from a C2 server using a custom binary protocol over TCP. This allows threat actors to maintain persistent access to a compromised network.
Additionally, it can conceal communication with the Command and Control (C2) server and deliver other malware strains. SystemBC has been used by various threat actors in multiple campaigns, often in conjunction with other malware families, such as Rhysida, Black Basta, Cuba, Gootloader, Cobalt Strike, and Emotet.
To block the payloads used by the Black Basta group via hash in Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) systems, add the SHA-256 hashes listed in the meta section of the YARA rule at the end of this report (hash_1 and hash_2) to the product's hash blocklist, and pair that with a content rule, since a hash only catches the exact sample it was taken from.
2nd Payload Installation: After installing the fake anti-spam program (AntispamConnectUS.exe), the threat actor leverages its capability to install the second payload which is Cobalt Strike.
The Black Basta group has been known to use Cobalt Strike as part of their attack toolkit. Once the communication is set up after launching AntispamConnectUS.exe on the victim’s PC, the threat actor deploys Cobalt Strike beacons to establish a foothold. These beacons allow them to move laterally within the network, execute commands, and deploy additional payloads.
Cobalt Strike allows them to navigate through the network, and identify and compromise critical systems, often using tools like Brute Ratel and QakBot for assistance. The beacons provide a persistent and encrypted communication channel with the attacker’s command and control (C2) server, ensuring remote control of the infected machines. Ultimately, after gaining control and identifying valuable data, Black Basta deploys their ransomware to encrypt files and demand a ransom for decryption and non-release of stolen data.
List of possible Entra ID tenants that are correlated or used to launch the social engineering attack
Cybercriminals are using a new trick: they first flood an employee's mailbox with spam. Then, instead of calling, they message the employee on Microsoft Teams, pretending to be from the IT help desk and offering to help with the spam problem.
They create fake accounts whose names resemble legitimate help desk addresses; examples are given in the next section.
How Microsoft Teams enables external communication:
Microsoft Teams allows users from outside of an organization to communicate with internal employees by creating external user accounts, often under specific names or profiles that can resemble legitimate helpdesk or IT support accounts. In recent incidents, attackers exploited this feature to pose as IT support, contacting employees directly on Teams. They created Entra ID tenant accounts designed to look like internal support, using names such as “supportadministrator” or “cybersecurityadmin” with display names including terms like “Help Desk” to seem authentic. This allowed the attackers to bypass traditional email-based phishing methods and directly message users within the Teams chat environment.
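As an added example (not code from the original report), the following Python flags the pattern described above: a Teams message from a sender in a foreign tenant whose account name or display name reads like IT support, with the severity raised when the same recipient received an email flood shortly before. The log records, tenant and domain names are constructed, and the simplified field names are an assumption; map them onto the Teams MessageSent events in your own audit log export.

```python
"""Flag Teams 'help desk' contacts from foreign tenants that follow an email flood.

Added example, not code from the original report. The log records below are
CONSTRUCTED and use simplified field names (an assumption); map them onto the
Teams MessageSent events of your own audit log export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OUR_TENANT = "corp.example"          # assumed home tenant domain
FLOOD_THRESHOLD = 50                 # inbound mails within FLOOD_WINDOW = email bomb (assumed)
FLOOD_WINDOW = timedelta(hours=1)
CONTACT_LOOKBACK = timedelta(hours=24)   # Teams contact this long after a flood is correlated

# Account names the report says attackers used, plus generic help-desk wording.
HELPDESK_RE = re.compile(
    r"help ?desk|support ?admin|support ?service|cyber ?security ?admin|it ?support", re.I)


def is_impersonating_helpdesk(sender_upn: str, display_name: str) -> bool:
    """External sender whose UPN local part or display name looks like IT support."""
    local, _, domain = sender_upn.partition("@")
    if domain.lower() == OUR_TENANT:          # internal accounts are out of scope here
        return False
    return bool(HELPDESK_RE.search(local) or HELPDESK_RE.search(display_name))


def email_floods(mail_log):
    """Return {recipient: [timestamps at which the sliding-window count hit the threshold]}."""
    per_user = defaultdict(list)
    for ts, rcpt in sorted(mail_log):
        per_user[rcpt].append(ts)
    floods = defaultdict(list)
    for rcpt, times in per_user.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > FLOOD_WINDOW:
                start += 1
            if end - start + 1 >= FLOOD_THRESHOLD:
                floods[rcpt].append(ts)
    return floods


def detect(teams_log, mail_log):
    """Correlate help-desk-looking external Teams senders with a preceding email flood."""
    floods = email_floods(mail_log)
    alerts = []
    for ev in teams_log:
        if ev["operation"] != "MessageSent":
            continue
        if not is_impersonating_helpdesk(ev["sender_upn"], ev["sender_display"]):
            continue
        t = datetime.fromisoformat(ev["time"])
        flooded = any(timedelta(0) <= t - f <= CONTACT_LOOKBACK
                      for f in floods.get(ev["recipient"], []))
        alerts.append({
            "recipient": ev["recipient"],
            "sender": ev["sender_upn"],
            "display": ev["sender_display"],
            "severity": "high" if flooded else "medium",
        })
    return alerts


# Constructed inbound-mail log: (timestamp, recipient). alice gets 60 mails in 20 minutes.
MAIL_LOG = [(datetime(2024, 10, 1, 9, 0) + timedelta(seconds=20 * i), "alice@corp.example")
            for i in range(60)]
MAIL_LOG.append((datetime(2024, 10, 1, 9, 5), "bob@corp.example"))

# Constructed Teams audit records (the attacker tenant domain is invented).
TEAMS_LOG = [
    {"time": "2024-10-01T10:12:00", "operation": "MessageSent",
     "sender_upn": "supportadministrator@contoso-helpdesk.onmicrosoft.com",
     "sender_display": "Help Desk", "recipient": "alice@corp.example"},
    {"time": "2024-10-01T10:30:00", "operation": "MessageSent",
     "sender_upn": "cybersecurityadmin@contoso-helpdesk.onmicrosoft.com",
     "sender_display": "IT Support", "recipient": "bob@corp.example"},
    {"time": "2024-10-01T11:00:00", "operation": "MessageSent",
     "sender_upn": "helpdesk@corp.example",          # genuine internal help desk
     "sender_display": "Help Desk", "recipient": "alice@corp.example"},
    {"time": "2024-10-01T11:05:00", "operation": "MessageSent",
     "sender_upn": "jane@partner.example",           # external, but not posing as IT
     "sender_display": "Jane Roe", "recipient": "alice@corp.example"},
]

if __name__ == "__main__":
    for alert in detect(TEAMS_LOG, MAIL_LOG):
        print(alert)
```

Running it yields two alerts: a high-severity one for alice (external "Help Desk" contact about an hour after her mailbox was flooded) and a medium one for bob (same impersonation, no flood). Restricting Teams external access to an allow list of federated domains removes the channel altogether; where external chat must stay open, this flood-then-contact correlation is the signal to alert on.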
Other details, such as the attack procedure after payloads are installed on the target desktop
As mentioned earlier, after installing the 1st payload (AntispamConnectUS.exe), the threat actor establishes a SOCKS5 proxy tunnel from the compromised host that retrieves commands from a C2 server and uses it to deploy Cobalt Strike (2nd payload).
After deploying Cobalt Strike, the attackers initiate a series of strategic activities to further their malicious objectives. The beacons deployed by Cobalt Strike provide a persistent and encrypted communication channel with the attacker’s command and control (C2) server, allowing for remote management of the compromised systems. Utilizing these beacons, attackers engage in lateral movement across the network, systematically identifying and compromising critical systems.
Furthermore, they deploy additional tools and payloads to facilitate their movement and enhance their control over the network. The attackers meticulously harvest sensitive information and execute commands to maintain stealth and avoid detection. In the final stage, they prepare the ultimate payload, typically ransomware, such as Black Basta, to encrypt critical data and demand ransom payments for decryption and assurance that the stolen information will not be released.
The ransomware generates multiple instances of a file, typically named ‘readme.txt’ or ‘instructions_read_me.txt’, depending on the variant, each containing the ransom note.
Tools commonly used by the Black Basta group span malware, adversary emulation frameworks, and legitimate administration and remote access software: BITSAdmin, Qakbot, Mimikatz, PowerShell, RClone, ScreenConnect, Splashtop, PsExec, WMI, EvilProxy, Cobalt Strike, SystemBC, SoftPerfect Network Scanner, Backstab, WinSCP, Netcat, Quick Assist, and NetSupport Manager.
Tactic | ID | Technique
--- | --- | ---
Initial Access | T1566 | Phishing
Initial Access | T1566.004 | Phishing: Spearphishing Voice
Initial Access | T1190 | Exploit Public-Facing Application
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
Execution | T1204.002 | User Execution: Malicious File
Execution | T1047 | Windows Management Instrumentation
Persistence | T1543.003 | Create or Modify System Process: Windows Service
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Defense Evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Defense Evasion | T1562.009 | Impair Defenses: Safe Mode Boot
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Credential Access | T1056.001 | Input Capture: Keylogging
Credential Access | T1003 | OS Credential Dumping
Discovery | T1083 | File and Directory Discovery
Discovery | T1033 | System Owner/User Discovery
Lateral Movement | T1570 | Lateral Tool Transfer
Command and Control | T1572 | Protocol Tunneling
Exfiltration | T1537 | Transfer Data to Cloud Account
Impact | T1490 | Inhibit System Recovery
Impact | T1486 | Data Encrypted for Impact
rule win_blackbasta_w0 {
    meta:
        hash_1 = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
        hash_2 = "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef"
        date = "2022-07-21"
    strings:
        $s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion" fullword ascii
        $s2 = "Your data are stolen and encrypted" fullword ascii
        $s3 = "The data will be published on TOR website if you do not pay the ransom" fullword ascii
        $s4 = "Input is not valid base64-encoded data." fullword ascii
        $s5 = "(you should download and install TOR browser first https://torproject.org)" fullword ascii
        $a1 = "_Z12EncryptBytesP8Chacha20PhS1_S1_i" fullword ascii
        $a2 = "_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_" fullword ascii /* score: '17.00' */
        $a3 = "_ZNSt10_HashtableISsSt4pairIKSsPcESaIS3_ENSt8__detail10_Select1stESt8equal_toISsESt4hashISsENS5_18_Mod_range_hashingENS5_20_Default_ranged_hashENS5_20_Prime_rehash_policyENS5_17_Hashtable_traitsILb1ELb0ELb1EEEE21_M_insert_unique_nodeEmmPNS5_10_Hash_nodeIS3_Lb1EEE" fullword ascii
        $a4 = "_ZNSt8__detail9_Map_baseISsSt4pairIKSsPcESaIS4_ENS_10_Select1stESt8equal_toISsESt4hashISsENS_18_Mod_range_hashingENS_20_Default_ranged_hashENS_20_Prime_rehash_policyENS_17_Hashtable_traitsILb1ELb0ELb1EEELb1EEixEOSs" fullword ascii
        $a5 = "_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE" fullword ascii
        $a6 = "C:/Users/dssd/Desktop/src" fullword ascii
        $a7 = "totalBytesEncrypted" fullword ascii
    condition:
        // YARA's 'and' binds tighter than 'or': the 600KB size cap applies only to
        // the first branch, so a larger file still matches on 8 of the strings.
        (filesize < 600KB and 1 of ($s*) and 1 of ($a*)) or 8 of them
}
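The rule's two meta hashes and its condition together are the blocklist-then-content check described in the payload section above. As an added example (not the report's own code, and not a substitute for running the rule in YARA), the Python below reimplements the rule's string matching and condition so the effect of YARA's operator precedence can be seen on constructed buffers: the size cap gates only the "one $s and one $a" branch, while "8 of them" matches at any size. The two long std::unordered_map symbols ($a3 and $a4) are left out for brevity, so "them" counts 10 strings here; the sample buffers are constructed, and only the strings and hashes come from the rule.

```python
"""Hash blocklist first, then the win_blackbasta_w0 string logic, in pure Python.

Added example, not part of the original report and not a replacement for YARA.
Sample buffers are CONSTRUCTED; strings and hashes are taken from the rule.
"""
import hashlib

# SHA-256 values from the rule's meta section: exact-match blocklist for NGAV/EDR.
KNOWN_HASHES = {
    "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be",
    "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef",
}
S_STRINGS = [   # ransom-note and Tor strings ($s1..$s5)
    b"aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion",
    b"Your data are stolen and encrypted",
    b"The data will be published on TOR website if you do not pay the ransom",
    b"Input is not valid base64-encoded data.",
    b"(you should download and install TOR browser first https://torproject.org)",
]
A_STRINGS = [   # build artefacts and mangled C++ symbols ($a1, $a2, $a5..$a7)
    b"_Z12EncryptBytesP8Chacha20PhS1_S1_i",
    b"_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_",
    b"_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE",
    b"C:/Users/dssd/Desktop/src",
    b"totalBytesEncrypted",
]
SIZE_CAP = 600 * 1024   # YARA's 600KB


def fullword_present(needle: bytes, data: bytes) -> bool:
    """YARA 'fullword ascii': an occurrence not flanked by ASCII alphanumerics."""
    i = data.find(needle)
    while i != -1:
        before = data[i - 1:i] if i else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        i = data.find(needle, i + 1)
    return False


def match_counts(data: bytes):
    """(number of $s strings present, number of $a strings present)."""
    s_hits = sum(fullword_present(s, data) for s in S_STRINGS)
    a_hits = sum(fullword_present(a, data) for a in A_STRINGS)
    return s_hits, a_hits


def rule_matches(data: bytes) -> bool:
    """Same grouping as the rule: (size cap AND 1 of $s AND 1 of $a) OR (8 of them)."""
    s_hits, a_hits = match_counts(data)
    small_and_both = len(data) < SIZE_CAP and s_hits >= 1 and a_hits >= 1
    eight_of_them = s_hits + a_hits >= 8
    return small_and_both or eight_of_them


def classify(data: bytes) -> str:
    """Cheap exact hash check first, then the content rule."""
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
        return "blocked-by-hash"
    if rule_matches(data):
        return "yara-match"
    return "clean"


# Constructed buffers (null padding keeps every string at a fullword boundary).
PAD = b"\x00" * 16
SMALL_SAMPLE = PAD + S_STRINGS[1] + PAD + A_STRINGS[4] + PAD                  # one $s, one $a, tiny
BIG_TWO = b"A" * SIZE_CAP + PAD + S_STRINGS[1] + PAD + A_STRINGS[4] + PAD     # same two strings, over cap
BIG_EIGHT = b"A" * SIZE_CAP + PAD + PAD.join(S_STRINGS + A_STRINGS[:3]) + PAD   # 8 strings, over cap
EMBEDDED = PAD + b"xtotalBytesEncryptedx" + PAD                               # fullword boundary fails

if __name__ == "__main__":
    for name, buf in [("SMALL_SAMPLE", SMALL_SAMPLE), ("BIG_TWO", BIG_TWO),
                      ("BIG_EIGHT", BIG_EIGHT), ("EMBEDDED", EMBEDDED)]:
        print(f"{name:13} {len(buf):8d} bytes  {match_counts(buf)}  {classify(buf)}")
```

SMALL_SAMPLE and BIG_EIGHT match, BIG_TWO does not (two strings but over the size cap), and EMBEDDED shows why fullword matters: the symbol is present but glued to other identifier characters, as it would be inside an unrelated mangled name. Keep the hash check in front of the rule in production; it is exact and cheap, while the content rule is what survives a recompiled or repacked sample.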
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
The tactics of Black Basta highlight the critical need for resilient cybersecurity measures. Their use of social engineering and multi-stage attacks demonstrates how adaptable ransomware threats have become. Organizations must invest in comprehensive security, regular employee training, and rapid response capabilities to counteract these advanced threats effectively.