Black Basta Ransomware Gang Infiltrates U.S. Companies via Qakbot Malware
Researchers Observed a Higher Rate of Infections Targeting U.S. Organizations.
Last updated on November 24, 2022
Affiliates of Black Basta gang are notorious for employing the banking trojan known as QakBot for initial access and almost immediately deploy ransomware in IT systems belonging to worldwide organizations. However, researchers concluded that U.S. companies have been targeted by a more aggressive campaign that leads to Black Basta ransomware infections on compromised networks.
Researchers at cybersecurity company Cybereason have issued a report claiming that Black Basta takes advantage of QakBot‘s backdoor-installing features that allow gang affiliates to drop ransomware on the intended organizations and proceed to extort them.
This is a wide scale attack against many companies in the U.S. and just within the past two weeks we have mitigated the risk with more than 10 of our customers.
The report adds that the campaign operators disabled DNS services, on order to lock the victims out of their networks, a move that has severe consequences for users and administrators. Another argument for the high severity of the attacks is the speed at which the gang members operated, the campaign taking around 12 hours from using QBot for initial access, to exfiltrating sensitive data and deploying ransomware.
Black Basta is ransomware as a service (RaaS) that was first spotted in April 2022 and had been compromising and extorting over 75 organizations by August. The threat actors have been observed using Qakbot to deliver the Brute Ratel C4 (BRc4) framework, which was further leveraged to drop Cobalt Strike.
However, as The Hacker News explains, this time the intrusion activity cuts out Brute Ratel C4 from the equation, using Qakbot to directly distribute Cobalt Strike on machines in the infected network.
The attack chain starts with a spear phishing email that contains a malicious disk image file. Opening it will initiate the Qbot execution, which further connects to a remote server to retrieve the Cobalt Strike payload. Next, credential harvesting and lateral movement activities are carried out on several servers, before breaching as many endpoints as possible and launching the ransomware.
We concluded that the attacker uses an IMG file (Disk Image File, similar to the ISO format) as the initial compromise vector. We also identified other QBot infection vectors starting from ISO files, depending on the campaign.
Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.