Summary:
Rapid7 has reported a resurgence in social engineering attacks by Black Basta ransomware operators, utilizing refined tactics and malware payloads. The campaign involves overwhelming target users with emails, followed by impersonation attempts via Microsoft Teams, leading to the installation of remote management tools and credential harvesting. The threat actors have also updated their malware delivery methods, enhancing their evasion techniques.
#BlackBasta #Ransomware #SocialEngineering
Rapid7 has reported a resurgence in social engineering attacks by Black Basta ransomware operators, utilizing refined tactics and malware payloads. The campaign involves overwhelming target users with emails, followed by impersonation attempts via Microsoft Teams, leading to the installation of remote management tools and credential harvesting. The threat actors have also updated their malware delivery methods, enhancing their evasion techniques.
#BlackBasta #Ransomware #SocialEngineering
Keypoints:
Black Basta ransomware operators have refined their social engineering tactics since their initial discovery.
Attacks begin with email bombardment, followed by impersonation via Microsoft Teams.
Threat actors often pose as IT staff to gain user trust and access.
Common remote management tools used include QuickAssist, AnyDesk, and TeamViewer.
Operators attempt to bypass MFA using QR codes and credential harvesting tools.
Malware payloads include Zbot and DarkGate, with sophisticated evasion techniques.
Rapid7 observed the use of a custom credential harvester, now delivered as a DLL.
Operators are actively developing new malware and updating their strategies.
Mitigation strategies include restricting external access and user awareness training.
MITRE Techniques
Resource Development (T1587.001): Actively developing new malware to distribute.
Impact (T1498): Overwhelming email protection solutions with spam.
Initial Access (T1566.004): Using voice phishing to gain remote access.
Defense Evasion (T1140): Encrypting zip archive payloads with passwords.
Defense Evasion (T1055.002): Utilizing local PE injection for payload execution.
Defense Evasion (T1620): Loading and executing shellcode for payloads.
Credential Access (T1649): Distributing signed malware payloads.
Credential Access (T1056.001): Harvesting user credentials through keylogging.
Credential Access (T1558.003): Performing Kerberoasting after gaining access.
Discovery (T1033): Enumerating asset and user information post-access.
Command and Control (T1572): Attempting SSH reverse tunnels for communication.
Command and Control (T1219): Using remote access software for facilitating access.
IoC:
[file name] SafeStore.dll
[file hash] SHA256: 3B7E06F1CCAA207DC331AFD6F91E284FEC4B826C3C427DFFD0432FDC48D55176
[file name] SyncSuite.exe
[file hash] SHA256: DB34E255AA4D9F4E54461571469B9DD53E49FEED3D238B6CFB49082DE0AFB1E4
[file name] SafeFilter.exe
[file hash] SHA256: EF28A572CDA7319047FBC918D60F71C124A038CD18A02000C7AB413677C5C161
[ip address] 179.60.149.194
Full Research: https://blog.rapid7.com/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/