Black Basta Initiates Intrusion, Featuring Qakbot to Exploit PrintNightmare Vulnerability
Industry: N/A | Level: Tactical | Source: Trend Micro
Trend Micro, which has tracked the Black Basta ransomware group since April 2022, investigated an intrusion initiated by the group that featured the deployment of Qakbot through a malicious Excel document. The initial access was to exploit the PrintNightmare/CVE-2021-1675 vulnerability. The infection chain starts with Qakbot DLLs executed via regsvr32.exe, which then inject into explorer.exe and establish persistence with a scheduled task. Qakbot then downloads additional malicious payloads, including a fileless PowerShell script that executes Cobeacon. The attackers abused the PrintNightmare vulnerability: "Black Basta abused the Windows Print Spooler Service or spoolsv.exe to drop its payload, spider.dll, and perform privileged file operations. It also exploited the vulnerability to execute another file in the affected system." Additional backdoors, such as the Coroxy backdoor, and the networking utility Netcat were used to facilitate lateral movement prior to ransomware deployment.
- Black Basta - Infection with Qakbot
Anvilogic Use Cases:
- Malicious Document Execution
- regsvr32 Execution
- Additional dll added to Spool Driver
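The three use cases above map directly onto telemetry from the infection chain described in the summary: an Office process spawning regsvr32.exe, regsvr32.exe loading a DLL from a user-writable path, and spoolsv.exe writing a DLL into its driver store. The following is an added example (not Anvilogic's or Trend Micro's detection content) that runs those three checks over a handful of constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The field names, the sample paths, the list of user-writable directories and the child-process list are all assumptions made for the example; the `spider.dll` filename comes from the summary.

```python
import re
from typing import Dict, List

# Constructed sample events (invented for this example, not real telemetry).
# event_id 1 = Sysmon process creation, event_id 11 = Sysmon file creation.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsb'},
    {"event_id": 1,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\tmp1.dll"},
    {"event_id": 1,  # benign: installer registering a vendor DLL under Program Files
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"event_id": 11,
     "image": r"C:\Windows\System32\spoolsv.exe",
     "target_filename": r"C:\Windows\System32\spool\drivers\x64\3\spider.dll"},
    {"event_id": 11,  # benign: ordinary spool file, not a driver DLL
     "image": r"C:\Windows\System32\spoolsv.exe",
     "target_filename": r"C:\Windows\System32\spool\PRINTERS\00012.SPL"},
]

# Assumed allow/deny lists for the example; tune to your environment.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe"}
# Directories an unprivileged user can write to. A DLL loaded by regsvr32 from
# one of these is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|users\\public"
    r"|programdata|windows\\temp)\\", re.IGNORECASE)
# The Print Spooler writing a DLL into its own driver store is the file-system
# artifact of the PrintNightmare abuse described in the summary.
SPOOL_DRIVER_DLL = re.compile(r"\\spool\\drivers\\.*\.dll$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict[str, str]]:
    """Run the three detections over the events; return one hit per rule match."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        if ev["event_id"] == 1:
            image = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "")
            # Use case 1: Office application spawning a script/DLL host.
            if parent in OFFICE_APPS and image in LOLBIN_CHILDREN:
                hits.append({"rule": "Malicious Document Execution",
                             "evidence": f"{parent} -> {image}: {cmd}"})
            # Use case 2: regsvr32 loading a DLL from a user-writable location.
            if image == "regsvr32.exe" and USER_WRITABLE.search(cmd):
                hits.append({"rule": "regsvr32 Execution", "evidence": cmd})
        elif ev["event_id"] == 11:
            target = ev.get("target_filename", "")
            # Use case 3: spoolsv.exe dropping a DLL into the driver directory.
            if basename(ev["image"]) == "spoolsv.exe" and SPOOL_DRIVER_DLL.search(target):
                hits.append({"rule": "Additional dll added to Spool Driver",
                             "evidence": f"spoolsv.exe wrote {target}"})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['evidence']}")
```

The benign records (an MSI installer registering a DLL under Program Files, and the spooler writing a normal .SPL job file) are included to show where each rule draws its line; the spool-driver rule in particular should stay narrow, since spoolsv.exe legitimately writes spool files constantly but rarely writes new DLLs into its driver store outside of driver installation.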