November 27, 2022

TheCyberThrone

Thinking Security ! Always

QakBot tied with Black Basta Ransomware


The Black Basta ransomware group has reportedly been spotted using QakBot malware to gain an initial foothold and move laterally within organizations’ networks.

QakBot is traditionally a banking trojan, primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials. Once it has infected an environment, the malware installs a backdoor that allows the threat actor to drop additional malware, in this case ransomware.

In this campaign, threat actors obtained domain administrator access in less than two hours and then moved to ransomware deployment in less than 12 hours.

In the recent past, researchers observed more than ten different customers affected by this campaign. Among them, two allegedly allowed the threat actor to deploy Black Basta ransomware and lock the victim out of their network by disabling their DNS service, making recovery even more complex.

The QakBot infections in this campaign start with a spam or phishing email containing malicious URL links; QakBot is the primary method Black Basta used to retain a presence on victims’ networks.

The threat actor used Cobalt Strike during the compromise to gain remote access to the domain controller. Finally, the ransomware was deployed, and the attacker then disabled security mechanisms such as EDR and antivirus programs.

After deployment, Black Basta first generates the ransom note file, named readme.txt, in each folder it reaches on the machine. Once the ransom notes are created, the actual file encryption process starts: Black Basta encrypts the files on the machine and appends a random extension to each file.

Black Basta replaces the desktop wallpaper and avoids some specific folders like C:\Windows or the Recycle Bin.
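The behaviour described above (a readme.txt dropped in every folder the ransomware reaches, followed by files being renamed with an unfamiliar extension, while C:\Windows and the Recycle Bin are left alone) lends itself to a simple post-incident triage heuristic. The following is an added example, not code from the original post or from Cybereason: given a list of file paths (for instance from a filesystem inventory or a backup catalogue), it reports directories where a readme.txt sits next to a run of files sharing one extension that is not on a small allowlist of common data types. The allowlist, the minimum file count and the sample paths are constructed assumptions for this illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Name of the ransom note as described in the post.
RANSOM_NOTE = "readme.txt"

# Assumed allowlist of extensions normally seen on unencrypted user data.
# A folder whose files all carry an extension outside this set, next to a
# readme.txt, is worth a closer look.
COMMON_EXTENSIONS = {
    ".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".csv", ".jpg", ".png",
    ".log", ".dll", ".exe", ".zip",
}


def suspicious_directories(paths, min_files=3):
    """Return (directory, extension, count) tuples for every directory that
    contains readme.txt alongside at least `min_files` files sharing one
    uncommon extension, most affected directory first."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        # Normalise the directory key so case differences do not split a folder.
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp.name.lower())

    hits = []
    for directory, names in by_dir.items():
        if RANSOM_NOTE not in names:
            continue
        others = [n for n in names if n != RANSOM_NOTE]
        if not others:
            continue
        # Count the trailing extension of every sibling file; an encrypted
        # folder tends to show one unfamiliar extension on almost everything.
        ext, count = Counter(PureWindowsPath(n).suffix for n in others).most_common(1)[0]
        if ext and ext not in COMMON_EXTENSIONS and count >= min_files:
            hits.append((directory, ext, count))
    return sorted(hits, key=lambda h: -h[2])


# Constructed sample inventory: one encrypted user folder, one folder with a
# legitimate readme next to ordinary files, and an untouched system folder.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Users\alice\Documents\budget.xlsx.q7h2x",
    r"C:\Users\alice\Documents\plan.docx.q7h2x",
    r"C:\Users\alice\Documents\photo.jpg.q7h2x",
    r"C:\Users\alice\Documents\notes.txt.q7h2x",
    r"C:\Users\alice\Downloads\readme.txt",
    r"C:\Users\alice\Downloads\tool.exe",
    r"C:\Users\alice\Downloads\manual.pdf",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for directory, ext, count in suspicious_directories(SAMPLE_PATHS):
        print(f"{directory}: {count} files with extension {ext} next to {RANSOM_NOTE}")
```

Only the Documents folder is reported; the Downloads folder also holds a readme.txt, but its neighbours carry ordinary extensions, which is exactly the false positive the allowlist is there to suppress.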

This research was documented by researchers from Cybereason, who also provided detailed recommendations.

Indicators of Compromise

Domains:

  • jesofidiwi[.]com (Cobalt Strike C2)
  • dimingol[.]com (Cobalt Strike-related domain used for DNS exfiltration)
  • tevokaxol[.]com (Cobalt Strike C2)
  • vopaxafi[.]com  (Cobalt Strike C2)

IPs: 

  • 108.177.235.29 
  • 144.202.42.216
  • 108.62.118.197 

C2 addresses

Server address     Port number
94.70.37.145       2222
172.90.139.138     2222
70.50.3.214        2222
90.89.95.158       2222
200.93.14.206      2222
142.161.27.232     2222
82.127.174.33      2222
92.207.132.174     2222
92.189.214.236     2222
24.64.114.59       2222
82.31.37.241       443
87.223.80.45       443
76.9.168.249       443
174.115.87.57      443
82.41.186.124      443
131.106.168.223    443
75.98.154.19       443
170.253.25.35      443
86.133.237.3       443
73.88.173.113      443
84.209.52.11       443
180.151.104.143    443
105.184.161.242    443
24.49.232.96       443
157.231.42.190     443
75.143.236.149     443
70.64.77.115       443
137.186.193.226    3389
91.165.188.74      50000

Hashes (SHA1): 

  • 75b2593da627472b1c990f244e24d4e971c939e7 (aficionado.tmp)
  • 3a852c006085d0ce8a18063e17f525e950bb914c (cob_54.dll)
  • 4202bf2408750589e36750d077746266176ac239 (cob_56.dll)

File names: 

  • Aficionado.tmp (Qbot loader)
  • fwpolicyiomgr.dll (Qbot module)
  • plugin_payload54.dll
  • Plugin_payload55.dll
  • cob_54.dll
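To put the indicators above to use, a defender typically sweeps firewall, DNS, proxy and EDR logs for the listed domains, IPs, C2 address/port pairs and hashes. The following is an added example, not code from the original post or from Cybereason: it carries the indicators listed above (domains re-fanged from the `[.]` notation) and matches them against key=value style log lines. The field names (`dst=`, `dport=`, `query=`, `sni=`, `sha1=`) and the sample log lines are constructed assumptions for this illustration; adapt the regular expressions to your own log format.

```python
import re

# Indicators copied from the post above. Domains are re-fanged for matching.
C2_DOMAINS = {"jesofidiwi.com", "dimingol.com", "tevokaxol.com", "vopaxafi.com"}
SUSPECT_IPS = {"108.177.235.29", "144.202.42.216", "108.62.118.197"}
C2_ENDPOINTS = {
    ("94.70.37.145", 2222), ("172.90.139.138", 2222), ("70.50.3.214", 2222),
    ("90.89.95.158", 2222), ("200.93.14.206", 2222), ("142.161.27.232", 2222),
    ("82.127.174.33", 2222), ("92.207.132.174", 2222), ("92.189.214.236", 2222),
    ("24.64.114.59", 2222), ("82.31.37.241", 443), ("87.223.80.45", 443),
    ("76.9.168.249", 443), ("174.115.87.57", 443), ("82.41.186.124", 443),
    ("131.106.168.223", 443), ("75.98.154.19", 443), ("170.253.25.35", 443),
    ("86.133.237.3", 443), ("73.88.173.113", 443), ("84.209.52.11", 443),
    ("180.151.104.143", 443), ("105.184.161.242", 443), ("24.49.232.96", 443),
    ("157.231.42.190", 443), ("75.143.236.149", 443), ("70.64.77.115", 443),
    ("137.186.193.226", 3389), ("91.165.188.74", 50000),
}
SHA1_HASHES = {
    "75b2593da627472b1c990f244e24d4e971c939e7",
    "3a852c006085d0ce8a18063e17f525e950bb914c",
    "4202bf2408750589e36750d077746266176ac239",
}

# Assumed key=value log layout; adjust these patterns to your own sources.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_RE = re.compile(r"\b(?:dport|dst_port|dpt)=(\d{1,5})\b")
HOST_RE = re.compile(r"\b(?:host|query|domain|sni)=([A-Za-z0-9.-]+)")
SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")


def scan_log(lines):
    """Return (line_number, indicator_type, value) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Domain hits include subdomains of a listed C2 domain.
        for host in HOST_RE.findall(line):
            host = host.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
                hits.append((n, "domain", host))
        # Any IPv4 in the line is checked against the bare IP list, and the
        # IP/port pair against the C2 table when the line carries a port.
        port_match = PORT_RE.search(line)
        port = int(port_match.group(1)) if port_match else None
        for ip in IPV4_RE.findall(line):
            if ip in SUSPECT_IPS:
                hits.append((n, "ip", ip))
            if port is not None and (ip, port) in C2_ENDPOINTS:
                hits.append((n, "c2", f"{ip}:{port}"))
        for digest in SHA1_RE.findall(line):
            if digest.lower() in SHA1_HASHES:
                hits.append((n, "sha1", digest.lower()))
    return hits


# Constructed sample log lines mixing benign and matching traffic.
SAMPLE_LOG = [
    "2022-11-20T09:58:11 fw src=10.0.0.5 dst=94.70.37.145 dport=2222 proto=tcp action=allow",
    "2022-11-20T09:58:12 dns client=10.0.0.5 query=jesofidiwi.com type=A",
    "2022-11-20T09:58:13 fw src=10.0.0.5 dst=8.8.8.8 dport=443 proto=tcp action=allow",
    r"2022-11-20T09:59:02 edr host=WS01 file=C:\Windows\Temp\aficionado.tmp sha1=75b2593da627472b1c990f244e24d4e971c939e7",
    "2022-11-20T09:59:30 proxy client=10.0.0.7 sni=cdn.dimingol.com dst=144.202.42.216 dport=443",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} indicator {value}")
```

The C2 table is matched as address/port pairs rather than as bare addresses because many of the listed hosts are residential IPs that may also carry unrelated traffic; a hit on the exact port listed is a much stronger signal than the address alone.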