FOCUS MODE
EXTRACT IOC
Threat Research

Black Basta’s Dependency Confusion Ambitions and Ransomware in Open Source Ecosystems

admin
Black Basta’s Dependency Confusion Ambitions and Ransomware in Open Source Ecosystems
Recent leaks from Black Basta’s internal chat logs highlight the gang’s strategy to leverage open source ecosystems, specifically npm and PyPI, to execute dependency confusion attacks. This research uncovers the threat posed by ransomware attacks and extortionware within these ecosystems, along with examples of historical attacks. Affected: Black Basta, npm, PyPI, software supply chain, open source ecosystems

Keypoints :

  • Black Basta’s internal chat logs reveal plans to exploit open source package registries.
  • The gang is exploring dependency confusion to infiltrate systems through malicious packages.
  • Instances of other threat actors successfully deploying ransomware through package managers were identified.
  • Three empirical cases of supply chain attacks demonstrate the spectrum of ransomware behavior.
  • Malicious npm packages have been detected that exhibit behaviors consistent with ransomware and extortionware.
  • Organizations must enhance their supply chain security practices to protect against these evolving threats.

MITRE Techniques :

  • T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain – Black Basta aimed to compromise software supply chains through dependency confusion.
  • T1608.001 – Stage Capabilities: Upload Malware – The gang planned to upload malicious packages to npm and PyPI.
  • T1204.002 – User Execution: Malicious File – Exploitation relies on users unknowingly executing the malicious code.
  • T1059.007 – Command and Scripting Interpreter: JavaScript – Malicious code is written in JavaScript for execution in environments using npm.
  • T1546.016 – Event Triggered Execution: Installer Packages – Attackers leverage installation events in CI/CD pipelines.
  • T1595 – Active Scanning – Black Basta examined their environment to determine vulnerabilities.
  • T1005 – Data from Local System – Malicious scripts search and manipulate files on local systems.
  • T1082 – System Information Discovery – The malware collects relevant data about the environment.
  • T1041 – Exfiltration Over C2 Channel – Stolen data is transmitted to the attackers’ servers.
  • T1571 – Non-Standard Port – Data exfiltration occurs over non-standard ports to evade detection.
  • T1105 – Ingress Tool Transfer – Malicious tools or scripts are introduced into the target system.
  • T1119 – Automated Collection – The malware automates data collection from compromised systems.
  • T1486 – Data Encrypted for Impact – Files on infected systems are encrypted, leading to loss of access.
  • T1657 – Financial Theft – Threat actors aim to leverage stolen data for financial gain.

Indicator of Compromise :

  • [Malicious Package] socket.oi
  • [Malicious Package] ttp-error
  • [Malicious Package] http-wrror
  • [Malicious Package] underscoer
  • [Malicious Package] setan
  • [Malicious Package] preview-api (version 213.21.24)
  • [Malicious Package] lang-json (version 213.21.24)
  • [Malicious Package] android-arm64 (version 213.21.24)
  • [C2 Endpoint] hxxp://dasdv.free.beeceptor[.]com/spc4kzs
  • [C2 Endpoint] hxxp://dgfgr.free.beeceptor[.]com/g3yz0a54x.txt
  • [C2 Endpoint] hxxp://exzuperi.ftp[.]sh:449

Full Story: https://socket.dev/blog/black-basta-dependency-confusion-ambitions-and-ransomware-in-open-source-ecosystems

Tags: CRYPTO, EXPLOIT, DISCOVERY, IMPACT, EXFILTRATION, UNIX, COLLECTION, TOOL