[Cyware] Researchers Study Evolution of Ransomware Gang UNC4393’s Campaigns After QAKBOT Takedown

Summary: The threat actor group UNC4393, known for deploying BASTA ransomware, has evolved its tactics since mid-2022, adapting to changes in the cyber threat landscape. Researchers have identified over 40 intrusions across various industries and noted a shift towards custom malware and diverse access methods following the takedown of the QAKBOT botnet.

Threat Actor: UNC4393
Victim: Various Industries

Key Points:

  • UNC4393 has transitioned from using QAKBOT infections to custom-deployed malware for initial access.
  • The group has shown a rapid operational tempo, completing data exfiltration and ransomware encryption in an average of 42 hours.
  • Recent breaches in the healthcare sector indicate a potential expansion of UNC4393’s targeting interests.
  • They employ a variety of tools, including BASTA ransomware and SYSTEMBC tunneler, to execute their campaigns.
  • Despite a decline in listed victims on their dark leak site, the group remains a significant threat due to its diversified operations and partnerships.

The threat actor group UNC4393, known for deploying BASTA ransomware, has undergone continuous changes in its tactics since mid-2022. Researchers have tracked over 40 UNC4393 intrusions across 20 industries and about 500 victims on its data leak site to study the group’s operations and changes.

While the group initially relied on QAKBOT botnet infections for access, UNC4393 adapted its methods following the takedown of the QAKBOT network. The group has since switched to custom-deployed malware and a more diverse set of initial access techniques.

UNC4393 Attribution, Targeting and Malware

UNC4393 is a financially motivated threat cluster and the primary user of the BASTA ransomware. The group has primarily relied on initial access obtained through UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware in its campaigns.

Image: UNC4393 BASTA ransomware (Source: cloud.google.com)

In a new study, researchers from Mandiant suspect that BASTA operators maintain a private or small, closed-invitation affiliate model in which only trusted third-party actors are given access to the BASTA encryptor.

The group has claimed hundreds of victims on its dark leak site within short intervals of time, reflecting how quickly it completes reconnaissance, data exfiltration and ransomware encryption: the median time to ransom is approximately 42 hours. UNC4393 has transitioned from readily available tools to custom malware development. Its arsenal includes:

  • BASTA: A C++ ransomware that encrypts files using ChaCha20 or XChaCha20.
  • SYSTEMBC: A tunneler that retrieves proxy-related commands from a command-and-control server.
  • KNOTWRAP: A memory-only dropper that executes additional payloads.
  • DAWNCRY: A dropper that decrypts embedded resources, including DAVESHELL and PORTYARD.
  • PORTYARD: A tunneler establishing connections to command-and-control servers.

Researchers note that while the group has traditionally avoided attacks on healthcare institutions, recent breaches in that sector may suggest an expansion of its targeting interests.

Shifting Access Methods and Partnerships

Following the QAKBOT infrastructure takedown, UNC4393 diversified its initial access methods:

  • DARKGATE: Briefly used for access via phishing campaigns.
  • SILENTNIGHT: A C/C++ backdoor delivered through malvertising, marking a shift from phishing-only tactics.

For internal reconnaissance, the group employs open-source tools like BLOODHOUND and ADFIND, along with custom tools such as COGSCAN, a .NET-based reconnaissance assembly.

After gaining access, UNC4393 combines living-off-the-land techniques with custom malware. It frequently uses DNS BEACON with unique domain-naming conventions to establish and maintain footholds in target environments. UNC4393 has also demonstrated a willingness to cooperate with multiple distribution clusters and affiliates to achieve its goals.

Image: Recent decline of listed victims on dark leak site (Source: cloud.google.com)

The group has shown a keen willingness to diversify and optimize its operations, from changes in the kind of malware it deploys to strategic partnerships with initial access brokers. However, the researchers note that while the group’s dark leak site has been among the most active of those they track, the number of victims claimed on the site has declined over recent months, and they conclude that, with less than a week remaining in the month, any significant reversal of this decline is unlikely.

The researchers still stress that the group’s quick operational tempo and multi-faceted extortion techniques pose a challenge for defenders, and a list of potential indicators of compromise (IOCs) has been uploaded to VirusTotal to help organizations mitigate the threat.

Source: https://thecyberexpress.com/researchers-ransomware-gang-unc4393s