Focus Mode
Threat Research

Black Basta’s Tactical Evolution: Deploying Zbot, DarkGate, and Bespoke Malware – SOCRadar® Cyber Intelligence Inc.

Securonix
Black Basta’s Tactical Evolution: Deploying Zbot, DarkGate, and Bespoke Malware – SOCRadar® Cyber Intelligence Inc.
Black Basta is a sophisticated ransomware group that employs advanced social engineering and malware tactics to breach organizational defenses. Their recent operations involve phishing, impersonation, and exploitation of remote access tools, impacting various sectors globally. Affected: healthcare, finance, manufacturing, energy, national security

Keypoints :

  • Black Basta utilizes phishing emails to create a smokescreen for attacks.
  • Operators impersonate IT support via Microsoft Teams to gain trust.
  • Remote access tools like AnyDesk and TeamViewer are used to install malware.
  • Zbot and DarkGate are key malware components in their arsenal.
  • Advanced evasion techniques include obfuscated payloads and QR code exploitation.
  • The group’s activities span multiple sectors and pose a universal threat.
  • Organizations must adopt multi-layered security strategies to mitigate risks.

MITRE Techniques :

  • Bypass User Account Control (T1548.002): Enforce strict privilege management policies and restrict unauthorized elevation using application whitelisting.
  • Parent PID Spoofing (T1134.004): Monitor anomalous parent-child process relationships and use endpoint detection tools to flag suspicious behavior.
  • Account Manipulation (T1098.007): Regularly audit user/group memberships and alert on unauthorized modifications to accounts or privileges.
  • Registry Run Keys (T1547.001): Monitor changes in registry and startup folders and lock down critical registry paths to prevent unauthorized edits.
  • Phishing Attachments (T1566.001): Implement robust email filtering and attachment scanning and train employees on recognizing phishing attempts.
  • DNS Abuse (T1071.004): Monitor DNS traffic for irregularities and block malicious domains.
  • Credential Harvesting (T1555): Use password managers and enforce strong password policies.
  • Clipboard Data (T1115): Encrypt sensitive data during processing and monitor clipboard activity for anomalies.
  • Process Hollowing (T1055.012): Monitor memory and API calls for unusual activity and use EDR solutions to detect injected processes.
  • Keylogging (T1056.001): Deploy anti-keylogging tools and monitor for suspicious keyboard activity.

Indicator of Compromise :

  • [IP Address] 172.81.60.122
  • [IP Address] 179.60.149.194
  • [IP Address] 185.130.47.96
  • [IP Address] 188.130.206.243
  • [IP Address] 65.87.7.151
  • Check the article for all found IoCs.

Full Research: https://socradar.io/black-basta-deploying-zbot-darkgate-bespoke-malware/

Tags: CREDENTIAL, MONITOR, HEALTHCARE, DEFENSE EVASION, PHISHING, SPOOFING, EXFILTRATION, SOCIAL ENGINEERING