The Forge team offers detections for a Qakbot intrusion using the Follina exploit with ties to the Black Basta ransomware group.
An Intersection Where Threats Mingle
Insights into threat actor activity can be exciting, as our journey in blue team defense unravels mysteries of what makes our manager’s stress levels rise. Crucial areas of security threat management are often malware, ransomware groups, and vulnerabilities. While researching actively trending threats, the Forge team noticed an increase in Qakbot malware activity, coinciding with reports of Black Basta campaigns utilizing Qakbot malware. Black Basta is a new(ish) player in the cyber threat landscape and has demonstrated its proficiency with unfortunate breakout success. As the group makes its presence known, traces emerge from its campaigns that give insight into its tactics, techniques, and procedures (TTPs). Whilst Qakbot is one connection, the exploitation of the Microsoft Support Diagnostic Tool (MSDT) vulnerability, CVE-2022-30190 (dubbed Follina), has also been associated with Black Basta intrusions as a means of establishing an initial foothold. By understanding these TTPs, we can strengthen our organization's security posture by developing analytics to pinpoint malicious activity and study the attacker’s path during post-exploitation.
#1: A Heavy Hitting Ransomware Group
Before forging the detections, let's get familiar with the elements of the attack. The Black Basta ransomware group established itself as a premier cyber threat. Since emerging in April 2022, their victim count has already exceeded 90 organizations by September 2022. Therefore it is important to maintain vigilance on their activity and incorporate our collected intelligence on the group to ensure defenses are up-to-date against the rising threat. Black Basta operators target a wide variety of organizations globally. However, the ransomware group has a keen interest in organizations in the United States.
This prolific group doesn’t advertise for new recruits, nor does it operate under the ransomware-as-a-service (RaaS) model. SentinelOne’s research revealed a curious overlap in tooling: despite being well-resourced, the group uses custom EDR evasion tools authored by FIN7 developers, along with malware packaging similarities. This insight reveals the experience Black Basta operators possess and offers a glimpse of the cyber criminal ransomware ecosystem. Black Basta operators are observed to be fast-paced threat actors. Cybereason researchers noted the operators achieve domain access within two hours and deploy ransomware within 12 hours.
#2: Qakbot: The Malware of Choice
The threat of Qakbot/Qbot has existed since 2007 and continues to evolve from its days as a simple banking trojan. Due to its modular nature, threat actors can easily customize the malware to suit the needs of their campaign, such as executing reconnaissance and lateral movement as well as collecting and exfiltrating data. Microsoft fittingly describes Qakbot’s applicability as “building blocks,” and it's no wonder, given how the malware has flourished for so long and still thrives today. In Red Canary’s telemetry, Qakbot is a consistent presence in their monthly Intelligence Insights, recently taking consecutive first-place rankings for September and October 2022.
#3: The Vulnerability
The Microsoft Support Diagnostic Tool (MSDT) vulnerability, CVE-2022-30190 (Follina), disclosed in May 2022, can be exploited for remote code execution (RCE). A weaponized Microsoft document triggers a web link leading to an attacker-controlled resource, and the Microsoft Support Diagnostic Tool (msdt.exe) is then used to execute commands crafted by the attacker. Although the vulnerability was disclosed on May 27th, 2022, the first observed exploitation of Follina was identified on April 7th, 2022, and of course it's highly possible that threat actors may have exploited Follina even prior to discovery.
#4: The Attack
Having covered the main threats, we’ll connect them together through documented intrusions. Recently, Black Basta operators are reported to utilize Qakbot malware in their campaigns, as identified by security researchers from Cybereason and Trend Micro. Their initial access vector is often a phishing email containing a malicious payload for Qbot, delivered either as a Microsoft document or as image files (ISO/IMG) when needing to bypass Microsoft’s Mark of the Web security control. In the instance of a weaponized Microsoft document, SentinelOne researchers have tracked Black Basta operators leveraging the Follina vulnerability to initiate their attack chain.
An intrusion shared by The DFIR Report, titled “Follina Exploit Leads to Domain Compromise,” documents an intrusion taking place in June 2022, spanning a little over 16 hours. Black Basta’s influence is identified in this attack given the components of a fast-hitting threat operator, using the Qakbot malware, the Follina exploit, and other TTPs such as esentutl.exe for credential access and lateral movement with RDP. Using the shared research, we will step through the attack, breaking down the analytics involved, to understand the attack path and chain the sequence together for our threat scenario analytic.
Using MITRE’s attack flow builder, the attack elements can also be visualized with our version of the documented DFIR Report events.
Forge Detection Insight: 14:54 UTC - Follina Exploitation & Encoded PowerShell
T1204.002: User Execution: Malicious File
A weaponized document with the Follina exploit kicks off the infection chain. Our recommended threat analytic targets process creation events pertaining to the msdt executable along with the requisite terms associated with the abuse of this process.
T1059.001: Command and Scripting Interpreter: PowerShell & T1027: Obfuscated Files or Information
With the exploit of Follina, the threat actor’s PowerShell script is executed with msdt.exe. In this instance, an encoded invoke-expression (IEX) command was issued in order to download the Qakbot DLL files. We have two options for an encoded PowerShell analytic. The first, recommended approach is to take advantage of PowerShell logs. This data source supplies a wealth of useful information for defenders to gain greater endpoint visibility. PowerShell event code 4104 provides script block logging to observe the deobfuscated script, and/or event code 4103 can catch command invocations with module logging. We’ll capture commands issued with encoded flags and use a bit of regular expression to help format our results.
If PowerShell logging isn’t available, Windows event logs are suitable for the task, although not as robust as PowerShell logs. An analytic can be built on process creation events (event code 4688) for PowerShell with the relevant flags used for encoded commands. Encoded commands have the potential to be noisy analytics; therefore, a tuning recommendation we advise is to observe the PowerShell command’s path or calculate how many times the command has been observed.
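The encoded-command analytic and the count-based tuning described above can be sketched as follows. This is an added example, not Anvilogic's analytic: the 4688-style field names are the standard ones, while the hosts, paths and scripts in the sample events are constructed placeholders.

```python
import base64
import re
from collections import Counter

# A "-" or "/" flag starting with "e", then whitespace and a base64-looking argument.
FLAG_RE = re.compile(r"(?i)(?<!\S)[-/](e[a-z]*)\s+['\"]?([A-Za-z0-9+/=]{8,})")


def encoded_payload(command_line):
    """Return the decoded script if an encoded-command flag is present, else None."""
    for flag, blob in FLAG_RE.findall(command_line):
        flag = flag.lower()
        # PowerShell accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and -ec.
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue  # e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # bad base64, or bytes that are not UTF-16LE text
            return "<undecodable>"
    return None


def rare_encoded_commands(events, max_seen=1):
    """Decode every encoded command, then keep scripts seen at most max_seen times."""
    hits = [(e, s) for e in events if (s := encoded_payload(e["CommandLine"])) is not None]
    seen = Counter(script for _, script in hits)
    return [{"host": e["Computer"], "parent": e["ParentProcessName"],
             "script": s, "seen": seen[s]} for e, s in hits if seen[s] <= max_seen]


def b64_utf16(script):
    """Encode sample text the way PowerShell expects (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed 4688-style events: hosts, paths and scripts are placeholders.
SAMPLE_EVENTS = [
    {"Computer": f"WS{i}", "ParentProcessName": r"C:\Program Files\Agent\agent.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + b64_utf16("Get-Service")}
    for i in range(3)
] + [
    {"Computer": "WS7", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -e "
                    + b64_utf16("Write-Output 'constructed sample'")},
    {"Computer": "WS8", "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Unrestricted -File C:\scripts\inv.ps1"},
]
```

With the default threshold, the management command repeated on three hosts is suppressed and only the one-off encoded command on WS7 is returned.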
Forge Detection Insight: 14:55 UTC: Regsvr32 & Process Injection
T1218.010: System Binary Proxy Execution: Regsvr32
With the Qakbot DLLs downloaded with PowerShell, they could be executed using the living-off-the-land binary (LOLBin) regsvr32. Using the Windows event log data source, we can monitor for process creations specifying regsvr32 and, using a regular expression, catch its call in the command line.
T1055 Defense Evasion: Process Injection
Following Qakbot’s execution, it initiates process injection into a legitimate system process; in this instance, it injected itself into explorer.exe. To alert on process injection, Sysmon event code 8 can detect “CreateRemoteThread” events.
Forge Detection Insight: 15:02 - 15:11 UTC: Reconnaissance Commands
T1033: System Owner/User Discovery & T1049: System Network Connections Discovery
To profile the affected system, system owner and network connection commands are issued from native Windows services. These common reconnaissance terms tracked in process creation events can alert on when they’re being used.
Forge Detection Insight: 15:09 UTC: Cobalt Strike Process Injection & C2
T1055 Defense Evasion: Process Injection & T1071 Command and Control: Application Layer Protocol
Our process injection analytic with Sysmon using event ID 8 is applicable in this situation as well. However, we can also add an analytic specifically for Cobalt Strike centered on default named-pipe configurations which are often left unchanged by threat actors. Using the Sysmon data source once more, we can leverage event id 17 for “Pipe created” and event id 18 for “Pipe connected” to create our Cobalt Strike analytic.
Forge Detection Insight: 16:09 UTC: Credential Access
T1003.002: OS Credential Dumping: Security Account Manager
The first signs of credential access activity came more than an hour after initial access, using esentutl.exe, the Windows database utility for the Windows Extensible Storage Engine. This native command-line tool was leveraged to extract browser data. A process creation analytic with Windows event logs captures the execution of esentutl and/or its execution with switches for recovery (/r), a sign of potential misuse and credential access.
Forge Detection Insight: 16:10 UTC: Persistence is Established
T1053: Scheduled Task/Job
Our scheduled task analytic offers a straightforward approach, identifying process creation events with the scheduled task process in which a change or modification was made. However, if enabled in your organization, Windows event logs audit scheduled task events with greater granularity, accounting for its creation (4698), when a task is enabled (4700) and when a task has been updated (4702). Thus a variety of analytics can be used to support the alerting of scheduled task activity, a highly prominent persistence activity.
Forge Detection Insight: 16:23 UTC: Qbot Moves Laterally from C$ Admin Share
T1021.002: Remote Services: SMB/Windows Admin Shares & T1543.003: Create or Modify System Process: Windows Service
With an established persistence mechanism, the threat actors pivoted to lateral movement. Through a new service, the operators created remote Qbot DLL files on the admin C$ drive. Our Windows service creation analytic uses our reliable process creation event code and the usage of the service control (sc) executable and the instantiation of the “create” term. The second portion of the activity for access of Windows admin share C$ can be supported with Windows event code 5140 to track the access of a network share object or event code 5156, for when the Windows Filtering Platform (WFP) enables a connection.
Windows Service Created
Windows C$ Share Access
Forge Detection Insight: 16:24 UTC: Tampering with Windows Defender
T1562.001: Impair Defenses: Disable or Modify Tools
In order to evade defenses, the operator impaired Windows Defender by adding exclusions to various folders needed for their operation. The modifications were made through registry changes with reg.exe, adding folders to the Windows Defender exclusion path registry key located under the Software registry hive. Monitoring of this activity is straightforward with event code 4688 and the requisite command-line arguments for reg.exe and Windows Defender’s registry exclusion folders.
Forge Detection Insight: 16:55 - 16:57 UTC: Additional Round of Reconnaissance
T1033: System Owner/User Discovery & T1049: System Network Connections Discovery
Another round of reconnaissance was initiated by the threat actors, using Cobalt Strike to enumerate the environment for accounts and network connection configurations. We can reuse a previous analytic from the first round of reconnaissance with the common reconnaissance command analytic as well as use a recon analytic specific for terms and processes associated with Active Directory.
Detection for common reconnaissance commands
Detection for common active directory commands
Forge Detection Insight: 17:03 UTC: LSASS Credential Dump
T1003.001 Credential Access: OS Credential Dumping: LSASS Memory
From Cobalt Strike, adversaries in the intrusion targeted the Local Security Authority Subsystem Service (LSASS) to access credentials. We can monitor for handle calls made to LSASS that can be indicative of malicious credential access activity.
Forge Detection Insight: 17:15 UTC: Drop & Install Remote Access Software
T1219 Command and Control: Remote Access Software
Following access to the LSASS process, the threat actors prepared to move laterally in the victim’s environment, starting with the install of the remote access software NetSupport. Our remote access software execution analytic looks for process creation events of many popular remote access tools. This can be a high-value alert for an organization with software restrictions, and it is particularly concerning when the remote access software is not in the organization's approved software library.
Forge Detection Insight: 17:35 UTC - 17:42 UTC: RDP to Domain Controller
T1021.001: Remote Services: Remote Desktop Protocol
The threat actors moved laterally through the environment using the remote desktop protocol (RDP). Our detection uses Windows event code 5156 to identify connections allowed by the Windows Filtering Platform, along with specifying RDP in the event or usage of the common RDP port, 3389.
T1218.007: System Binary Proxy Execution: Msiexec
Operators in the attack initiated the installation of the remote monitoring and management software Atera RMM. The native Windows binary msiexec was used to facilitate the installation. While msiexec has a lot of legitimate uses, its use to install a remote access system can be particularly concerning. From the Sysmon data source, the equivalent process creation event code is “1.” We can use the ID to alert when msiexec is used to install an MSI file.
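The process-creation analytics described in the sections above (regsvr32, esentutl with /r, scheduled task changes, sc create, reg.exe Defender exclusions and msiexec installs) share one shape: a process image plus command-line terms. The rule table below is an added example, not Anvilogic's analytics; the patterns are one reading of the article's descriptions, the registry path is the standard Windows Defender exclusion key, and all sample events are constructed.

```python
import ntpath
import re

# name -> (process image, command-line regex). The patterns are this example's
# reading of the article's descriptions; tune them to your own telemetry.
RULES = {
    "regsvr32_exec":      ("regsvr32.exe", r"regsvr32"),
    "esentutl_recovery":  ("esentutl.exe", r"(?<!\S)/r(?!\S)"),
    "schtasks_modify":    ("schtasks.exe", r"(?<!\S)/(?:create|change)\b"),
    "service_create":     ("sc.exe",       r"(?<!\S)create(?!\S)"),
    "defender_exclusion": ("reg.exe",      r"\badd\b.*\\Windows Defender\\Exclusions\\Paths"),
    "msiexec_install":    ("msiexec.exe",  r"(?<!\S)[/-]i\b.*\.msi\b"),
}


def match_rules(image_path, command_line):
    """Return the names of every rule that fires for one 4688-style event."""
    image = ntpath.basename(image_path).lower()  # exact name, so misc.exe != sc.exe
    return [name for name, (img, pattern) in RULES.items()
            if image == img and re.search(pattern, command_line, re.IGNORECASE)]


# Constructed (NewProcessName, CommandLine) pairs; every path and name is a placeholder.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe C:\Users\Public\sample.dll"),
    (r"C:\Windows\System32\esentutl.exe", r"esentutl.exe /r V01 /d C:\Temp\constructed"),
    (r"C:\Windows\System32\esentutl.exe", r"esentutl.exe /g C:\ProgramData\app\store.edb"),
    (r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /Change /TN "ExampleTask" /ENABLE'),
    (r"C:\Windows\System32\sc.exe", r"sc.exe query type= service"),
    (r"C:\Windows\System32\sc.exe", r"sc.exe \\HOST-B create ExampleSvc binPath= C:\placeholder.exe"),
    (r"C:\Windows\System32\reg.exe",
     r'reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Temp /d 0'),
    (r"C:\Tools\misc.exe", r"misc.exe create report"),
    (r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Temp\agent.msi /qn"),
]


def triage(events):
    """Return (command line, fired rules) for every event that matched something."""
    return [(cmd, hits) for img, cmd in events if (hits := match_rules(img, cmd))]
```

The esentutl integrity check, the sc query and the unrelated misc.exe are left alone, which is the behaviour to verify before tightening or loosening any pattern.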
Putting the Pieces Together
Activity continued onto the second day with port scanning and more lateral movement using RDP, leading to the adversaries discovering staged files on DFIR’s file server. However, we’ve covered a large portion of the attack, gaining an understanding of the immediate actions taken by the threat actor during the post-exploitation stage. Using what we’ve investigated, we can create a threat scenario to alert on the chain of activity taking place in the intrusion. Together, the research and the sequence produce a high-confidence detection analytic covering various facets of the campaign.
The developed threat scenario doesn’t follow a completely linear path; rather, we give ourselves some leeway to accommodate variances in attacks. For instance, monitoring for a malicious document and scripting interpreters followed by the LOLBin regsvr32, credential access with esentutl.exe, or RDP, all within a combined 4.5-hour timeframe, is a more valuable analytic than separate analytics that only identify segments of the larger attack. The underlying goal is to monitor for activity that is critical for threat actors to complete their actions on the objective.
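One way to express that threat scenario in code is to correlate the tags raised by the individual analytics per host inside the 4.5-hour window. This is an added example, not Anvilogic's scenario logic: the tag names, the per-host grouping and the two-stage threshold are assumptions, and the sample alerts are constructed (WS-01 reuses the times of day quoted in this article).

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4, minutes=30)  # the article's combined timeframe
ENTRY = {"malicious_document", "encoded_powershell"}  # assumed tag names
FOLLOW_UP = {"regsvr32", "esentutl", "rdp"}           # assumed tag names


def threat_scenarios(alerts, min_follow_ups=2):
    """alerts: (timestamp, host, tag) tuples produced by the individual analytics.

    A host is reported when an entry-stage alert is followed, in any order, by at
    least min_follow_ups distinct follow-up stages inside WINDOW.
    """
    by_host = {}
    for ts, host, tag in sorted(alerts):
        by_host.setdefault(host, []).append((ts, tag))
    findings = []
    for host, rows in by_host.items():
        for start, tag in rows:
            if tag not in ENTRY:
                continue
            stages = {t for ts, t in rows
                      if t in FOLLOW_UP and start < ts <= start + WINDOW}
            if len(stages) >= min_follow_ups:
                findings.append({"host": host, "start": start, "stages": sorted(stages)})
                break  # one finding per host, anchored on the earliest qualifying entry
    return findings


def at(hhmm):
    """Constructed timestamp; the calendar date is a placeholder."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2022, 6, 1, hour, minute)


# Constructed alerts. WS-01 reuses the times of day quoted in the article.
SAMPLE_ALERTS = [
    (at("14:54"), "WS-01", "malicious_document"),
    (at("14:54"), "WS-01", "encoded_powershell"),
    (at("14:55"), "WS-01", "regsvr32"),
    (at("16:09"), "WS-01", "esentutl"),
    (at("17:35"), "WS-01", "rdp"),
    (at("09:00"), "WS-02", "regsvr32"),            # follow-up stage with no entry
    (at("08:00"), "WS-03", "malicious_document"),
    (at("08:30"), "WS-03", "esentutl"),
    (at("13:10"), "WS-03", "rdp"),                 # 5h10m later: outside the window
]
```

Only WS-01 is reported by default; lowering `min_follow_ups` to 1 also surfaces WS-03, which shows how the threshold trades confidence for coverage.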
Conclusion: We got you
Understanding these attack paths elevates detection strategies to focus on threat actor behaviors and TTPs. Tracking these threat behaviors is vital to overcoming the hurdles of stagnant and noisy analytics. The Anvilogic Forge team has always worked to discover and create threat detection analytics to aid our customers and the security community. Our Armory comprises over 1,000 threat analytics created from studying threat behaviors.
About the Forge Author
Kevin Lo is a threat researcher for the Anvilogic Forge team, where he is responsible for threat research and intelligence.
Prior to Anvilogic, Kevin was a cybersecurity analyst at a US financial institution serving roles in digital forensics, cybersecurity operations, and detection engineering. Kevin currently resides in Albany, NY. He holds a Bachelor's degree from Syracuse University in Information Management & Technology with a concentration in Information Security. Kevin holds several cybersecurity certifications with GIAC and MITRE ATT&CK.
Happy to connect with you on LinkedIn!
- Blackberry: The Follina Vulnerability: A Guide: https://www.blackberry.com/us/en/solutions/endpoint-security/security-vulnerabilities/follina-vulnerability
- The DFIR Report: Follina Exploit Leads to Domain Compromise: https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
- Microsoft: A closer look at Qakbot’s latest building blocks (and how to knock them down): https://www.microsoft.com/en-us/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
- Red Canary: Intelligence Insight: https://redcanary.com/blog/intelligence-insights-november-2022/
- SentinelLabs: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
- Trend Micro: Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit: https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html