Black Basta Initiate Aggressive Qakbot Campaigns
Category: Ransomware News | Industry: Global | Level: Tactical | Source: Cybereason
The prolific Black Basta ransomware group emerged in April 2022 and quickly established itself as a premier cybercrime group. Its victim count continues to grow as it targets organizations in Canada, the United Kingdom, Australia, New Zealand, and especially the United States. Cybereason's Global SOC (GSOC) team has documented several campaigns by the group, which typically open with the delivery of Qakbot malware in spearphishing emails. The malware establishes the initial foothold that Black Basta operators need to deploy additional malware, move laterally, and ultimately deploy their ransomware. Black Basta operators are identified as being fast-paced: "threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours."

The latest campaign observed by Cybereason began on November 14th, 2022, as a widespread attack with over 10 US entities being targeted. To get their Visual Basic Script (VBS) to run, the threat actors abused vulnerabilities in Microsoft's Mark of the Web (MOTW) security feature, allowing the malicious script file to execute and start the Qakbot infection. During Qakbot's infection, regsvr32 is used to load the malicious Qakbot and Cobalt Strike DLLs, which inject themselves into Windows processes. This sets the stage for post-exploitation activity including system reconnaissance, credential access with Rubeus and esentutl, and lateral movement using Cobalt Strike and Windows Management Instrumentation (WMI). Prior to ransomware deployment, BAT scripts are used to disable Windows defenses and inhibit system recovery by deleting shadow copies.
- Black Basta - Infection with Qakbot
Anvilogic Use Cases:
- Wscript/Cscript Execution
- Esentutl Execution
- WMI subscription execution
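As an added example (not code from Cybereason's report or from Anvilogic's rule set), the Python below turns the chain described above and the use cases listed here into per-host correlation over constructed process-creation events. Host names, file paths, the rule names and the alert threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hostnames and paths are hypothetical).
# Each record is (host, parent image, image, command line).
EVENTS = [
    ("ws01", "explorer.exe", "wscript.exe", r'wscript.exe "C:\Users\j\Downloads\scan.vbs"'),
    ("ws01", "wscript.exe", "regsvr32.exe", r"regsvr32.exe /s C:\Users\j\AppData\Local\Temp\x.dll"),
    ("ws01", "cmd.exe", "esentutl.exe", r"esentutl.exe /y C:\Windows\NTDS\ntds.dit /vss /d C:\Temp\n.dit"),
    ("ws01", "cmd.exe", "wmic.exe", r"wmic.exe /node:srv02 process call create cmd.exe /c run.bat"),
    ("ws01", "cmd.exe", "vssadmin.exe", r"vssadmin.exe delete shadows /all /quiet"),
    ("ws02", "services.exe", "regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\app.dll"),  # benign install
]

# One rule per stage of the chain: script host, regsvr32 DLL load, esentutl, WMI, shadow copies.
RULES = {
    "script_host_exec": lambda p, i, c: i in ("wscript.exe", "cscript.exe")
        and re.search(r"\.(vbs|js|wsf)\b", c, re.I),
    "regsvr32_from_script": lambda p, i, c: i == "regsvr32.exe"
        and p in ("wscript.exe", "cscript.exe"),
    "regsvr32_user_path_dll": lambda p, i, c: i == "regsvr32.exe"
        and re.search(r"\\(users|programdata|temp)\\", c, re.I),
    "esentutl_vss_copy": lambda p, i, c: i == "esentutl.exe" and "/vss" in c.lower(),
    "wmi_remote_process": lambda p, i, c: i == "wmic.exe"
        and re.search(r"/node:\S+.*process\s+call\s+create", c, re.I),
    "shadow_copy_delete": lambda p, i, c: i == "vssadmin.exe"
        and re.search(r"delete\s+shadows", c, re.I),
}

def evaluate(events):
    """Return {host: sorted list of rule names that fired on that host}."""
    hits = defaultdict(set)
    for host, parent, image, cmdline in events:
        for name, pred in RULES.items():
            if pred(parent.lower(), image.lower(), cmdline):
                hits[host].add(name)
    return {h: sorted(r) for h, r in hits.items()}

def flag_hosts(events, min_rules=3):
    """Hosts where several distinct stages fired; the benign regsvr32 on ws02 trips
    nothing because its DLL sits under Program Files and its parent is not a script host."""
    return sorted(h for h, r in evaluate(events).items() if len(r) >= min_rules)

if __name__ == "__main__":
    print(evaluate(EVENTS))
    print(flag_hosts(EVENTS))
```

Correlating stages per host is what keeps a single noisy rule such as regsvr32 execution from paging the SOC while still surfacing the full chain.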