Black Basta ransomware group has been reportedly spotted using QakBot malware to create a entry and move laterally within organizations’ networks.
QakBot, traditionally a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials. Once successfully infected an environment, the malware installs a backdoor allowing the threat actor to drop additional malware– in this kind, a ransomware.
In this campaign, threat actors obtained domain administrator access in less than two hours and then moved to ransomware deployment in less than 12 hours.
In recent past, researchers observed more than ten different customers affected by this recent campaign. Among them, two allegedly allowed the threat actor to deploy Black Basta ransomware and lock the victim out of their network by disabling their DNS service, making a recovery even more complex.
The QakBot infections in this campaign starts with a spam or phishing email containing malicious URL links, with QakBot being the primary method Black Basta used to retain a presence on victims’ networks.
The threat actor using Cobalt Strike during the compromise to gain remote access to the domain controller. Finally, ransomware was deployed, and the attacker then disabled security mechanisms, such as EDR and antivirus programs.
Once after the deployment, encryption is executed and generates the ransom note file, named readme.txt, in each folder Black Basta reaches on the machine. After creating the ransom note, the actual file encryption process ignites. Black Basta encrypts the files on the machine and adds a random extension to each file.
Black Basta replaces the desktop wallpaper and avoids some specific folders like C:\Windows or the Recycle Bin.
This research was documented by researchers from Cybereason and detailed recommendations given
Indicators of Compromise
- jesofidiwi[.]com (Cobalt Strike C2)
- dimingol[.]com (Cobalt Strike-related domain used for DNS exfiltration)
- tevokaxol[.]com (Cobalt Strike C2)
- vopaxafi[.]com (Cobalt Strike C2)
|Server address||Port Number|
- 75b2593da627472b1c990f244e24d4e971c939e7 (aficionado.tmp)
- 3a852c006085d0ce8a18063e17f525e950bb914c (cob_54.dll)
- 4202bf2408750589e36750d077746266176ac239 (cob_56.dll)
- Aficionado.tmp (Qbot loader)
- fwpolicyiomgr.dll (Qbot module)