Summary: Rapid7 researchers have identified a new social engineering campaign that distributes the SystemBC dropper as part of the Black Basta ransomware operation. The campaign employs tactics such as email bombing and fake IT support calls to deceive users into installing malicious software.
Threat Actor: Black Basta
Victim: Various organizations
Key Points:
- The attack begins with email bombings followed by calls via Microsoft Teams, tricking users into installing AnyDesk for remote access.
- Attackers deploy AntiSpam.exe to harvest credentials, masquerading as a spam filter updater.
- Payloads include SystemBC malware and exploit tools targeting CVE-2022-26923 for privilege escalation.
- Recommendations include blocking unauthorized RMM solutions and educating users on identifying social engineering attempts.
- Indicators of Compromise for this campaign are provided in the report for further analysis.
Rapid7 researchers uncovered a new social engineering campaign distributing the SystemBC dropper to the Black Basta ransomware operation.
On June 20, 2024, Rapid7 researchers detected multiple attacks consistent with an ongoing social engineering campaign being tracked by Rapid7. Experts noticed an important shift in the tools used by the threat actors during the recent incidents.
The attack chain begins in the same way: threat actors send an email bomb and then attempt to call the targeted users, often via Microsoft Teams, to offer a fake solution. They trick users into installing AnyDesk, allowing remote control of their computers.
During the attack, the attackers deploy a credential harvesting tool called AntiSpam.exe, which pretends to be a spam filter updater. This tool prompts users to enter their credentials, which are then saved or logged for later use.
The attackers used various payloads named to align with their initial lure, including SystemBC malware, Golang HTTP beacons, and Socks proxy beacons.
The researchers noticed the use of an executable named update6.exe designed to exploit the vulnerability CVE-2022-26923 for privilege escalation; reverse SSH tunnels and the Level Remote Monitoring and Management (RMM) tool are used for lateral movement and maintaining access.
“When executed, update6.exe will attempt to exploit CVE-2022-26923 to add a machine account if the domain controller used within the environment is vulnerable,” reads the report published by Rapid7. “The debugging symbols database path has been left intact and indicates this: C:\Users\lfkmf\source\repos\AddMachineAccount\x64\Release\AddMachineAccount.pdb. The original source code was likely copied from the publicly available Cobalt Strike module created by Outflank.”
The SystemBC payload in update8.exe is dynamically retrieved from an encrypted resource and directly injected into a child process with the same name. The original SystemBC file is encrypted with an XOR key, and this key is exposed because the null padding bytes between PE sections were encrypted as well: XORing 0x00 with the key simply yields the key, so every run of encrypted padding is a plaintext copy of it.
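A worked illustration of that weakness, added here and not part of Rapid7's report or of the malware itself: a constructed fake PE image is XOR-encrypted with a made-up key, and the key is then recovered purely from the repeating pattern that encrypted null padding leaves behind, validated by checking that decryption yields an MZ header. The image layout, the key and all names are constructed assumptions.

```python
"""Recover a repeating XOR key from an XOR-encrypted PE image whose
inter-section null padding was encrypted along with the code.  Because
0x00 XOR k == k, every run of encrypted null padding is a plaintext copy
of the key, repeated."""
from itertools import cycle

# Constructed stand-in for the encrypted payload (the real sample is not
# reproduced): a fake PE with 0xCC padding between functions and null
# padding between sections.  KEY is unknown to recover_xor_key().
FAKE_PE = (b"MZ" + bytes(range(2, 64)) + b"PE\x00\x00" + b".text\x00\x00\x00"
           + bytes(range(1, 200)) + b"\xcc" * 40      # int3 padding
           + bytes(range(1, 100)) + b"\x00" * 48      # section padding
           + b".data\x00\x00\x00" + bytes(range(200, 256)) + b"\x00" * 40)
KEY = b"\x5a\xc3\x17\x88\x2e"                         # constructed key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


ENCRYPTED = xor_bytes(FAKE_PE, KEY)


def recover_xor_key(enc: bytes, max_len: int = 64, min_periods: int = 4):
    """Return (key, plaintext) for the shortest period k at which some span
    of enc repeats for at least min_periods*k bytes and the key read out of
    that span decrypts to an MZ header; otherwise (None, None)."""
    for k in range(1, max_len + 1):
        run_start, run_len = 0, 0
        for i in range(len(enc) - k):
            if enc[i] != enc[i + k]:
                run_len = 0
                continue
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len < (min_periods - 1) * k:
                continue
            # Inside the run enc[run_start + j] == key[(run_start + j) % k],
            # so read the key back out aligned to offset 0 of the image.
            key = bytes(enc[run_start + ((p - run_start) % k)] for p in range(k))
            plain = xor_bytes(enc, key)
            if plain[:2] == b"MZ":      # rejects 0xCC padding (gives key ^ 0xCC)
                return key, plain
            run_len = 0
    return None, None


if __name__ == "__main__":
    key, plain = recover_xor_key(ENCRYPTED)
    print("recovered key:", key.hex(), "full decrypt:", plain == FAKE_PE)
```

On a real dump the same check would validate against the PE signature at the e_lfanew offset as well, since a two-byte MZ match alone can be coincidental for very short keys.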
The researchers recommend mitigating the threat by blocking all unapproved remote monitoring and management solutions. AppLocker or Microsoft Defender Application Control can block all unapproved RMM solutions from executing within the environment.
Rapid7 also suggests:
- educating users about IT communication channels to spot and avoid social engineering attacks.
- encouraging users to report suspicious calls and texts claiming to be from IT staff.
- keeping software updated to protect against known vulnerabilities, including applying the patch for CVE-2022-26923 to prevent privilege escalation on vulnerable domain controllers.
The report also includes Indicators of Compromise for this campaign.
Source: https://securityaffairs.com/167079/cyber-crime/black-basta-ransomware-systembc-campaign.html