2022-10-18

Researchers Find Black Basta Using Qakbot & Adversary Emulation Tools For Spam Email Intrusions



Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: Trend Micro

Researchers from Trend Micro have identified an intrusion attributed to Black Basta ransomware operators, who distributed Qakbot for initial access and delivered adversary emulation tools including both Brute Ratel and Cobalt Strike. The intrusion begins with a spam email containing a link that delivers a password-protected ZIP archive containing an ISO and LNK file. The threat actor uses the password-protected archive and the ISO file to bypass analysis by security solutions. The use of ISO files has increased this past year to circumvent “Mark of the Web (MOTW)” security measures, and an increase in the use of LNK files has also been seen. The shortcut file's attribute is typically set to hidden, taking advantage of default system settings that do not display hidden files. Both batch script and JavaScript files are used to invoke Qakbot.

Reconnaissance occurs at various times in the intrusion, through both scripted and manual activity. The first set of network discovery activities occurs six minutes after Qakbot communicates with the attacker's command and control (C&C). Qakbot drops a Brute Ratel DLL file, which is executed by rundll32. The last stages of the intrusion involve a final round of reconnaissance, with SharpHound collecting Active Directory data. The threat actors dropped Cobalt Strike to aid in lateral movement. The intrusion spanned under 45 minutes before Trend Micro stopped the operators' activity.

Trend Micro assesses the intrusion to be linked to Black Basta based on the operator's tactics, techniques, and procedures (TTPs): "Based on our investigations, we can confirm that the QAKBOT-to-Brute Ratel-to-Cobalt Strike kill chain is associated with the group behind the Black Basta Ransomware. This is based on overlapping TTPs and infrastructure observed in Black Basta attacks."

Anvilogic Scenario:

  • Black Basta: Qakbot, LOLBin, Recon & Data Collection in 1hr

Anvilogic Use Cases:

  • Wscript/Cscript Execution
  • Rare Remote Thread
  • SharpHound Enumeration
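
The scenario above chains several individually noisy signals on one host inside an hour. The following sketch is an added example, not Trend Micro's or Anvilogic's detection content: it correlates process-creation events per host in the order script host, rundll32, discovery utility, SharpHound. The event fields, host names, command lines and the list of discovery utilities are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # the scenario's one-hour span
RECON = {"net.exe", "nltest.exe", "whoami.exe", "ipconfig.exe"}  # assumed; the page names none
# Ordered stages: script host -> rundll32 -> recon -> SharpHound (assumed ordering).
STAGES = [
    ("script_host", lambda e: e["image"].lower() in {"wscript.exe", "cscript.exe"}),
    ("rundll32", lambda e: e["image"].lower() == "rundll32.exe"),
    ("recon", lambda e: e["image"].lower() in RECON),
    ("sharphound", lambda e: "sharphound" in (e["image"] + " " + e["cmdline"]).lower()),
]

def correlate(events):
    """Map host -> [(stage, time)] when every stage occurs in order within WINDOW."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(e["host"], []).append(e)
    hits = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            if not STAGES[0][1](first):
                continue  # a chain can only start at a script-host execution
            chain = [(STAGES[0][0], first["time"])]
            for e in evs[i + 1:]:
                if e["time"] - first["time"] > WINDOW or len(chain) == len(STAGES):
                    break
                name, match = STAGES[len(chain)]
                if match(e):
                    chain.append((name, e["time"]))
            if len(chain) == len(STAGES):
                hits[host] = chain
                break
    return hits

def ev(host, minute, image, cmdline=""):
    t = datetime(2022, 10, 18, 9, 0) + timedelta(minutes=minute)
    return {"host": host, "time": t, "image": image, "cmdline": cmdline}

# Constructed sample events (hypothetical hosts and command lines, not from the report).
SAMPLE = [
    ev("WS-01", 0, "wscript.exe", "wscript.exe sample.js"),
    ev("WS-01", 2, "rundll32.exe", "rundll32.exe sample.dll,main"),
    ev("WS-01", 8, "net.exe", "net view"),
    ev("WS-01", 40, "SharpHound.exe", "SharpHound.exe"),
    ev("WS-02", 0, "cscript.exe", "cscript.exe sample.js"),
    ev("WS-02", 5, "rundll32.exe", "rundll32.exe sample.dll,main"),
    ev("WS-02", 10, "nltest.exe", "nltest /domain_trusts"),
    ev("WS-02", 75, "SharpHound.exe"),  # outside the window: no alert
]
```

Calling `correlate(SAMPLE)` alerts on WS-01 only; WS-02 shows the same stages but its SharpHound event falls outside the one-hour window.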
