QBot Now Attacks Using Black Basta Ransomware
The Ransomware Operation Is Now Able to Propagate Laterally Across Hijacked Business Networks.
QBot is a banking trojan active since 2007 that steals user data and banking credentials. The malware uses novel distribution methods, C2 tactics, and anti-analysis characteristics. Some campaigns distribute QBot directly, but it's also a supplementary payload for Emotet.
QBot (QakBot) is a Windows malware that steals bank credentials and Windows domain credentials, and delivers further malware payloads on infected devices.
The Black Basta ransomware operation has teamed up with the QBot malware operation in order to propagate laterally across business networks that have been hijacked.
Phishing emails with malicious attachments are the typical vector through which QBot infects its victims. Although it began as a banking trojan, it has been involved in a number of partnerships with ransomware gangs, including MegaCortex, ProLock, DoppelPaymer, and Egregor.
Black Basta is a relatively new ransomware operation that got off to a very good start, penetrating a huge number of enterprises in a very short amount of time while simultaneously demanding significant ransom payments.
According to BleepingComputer, analysts from NCC Group discovered the new alliance between Qakbot and Black Basta during a recent incident response, in which they were able to identify the strategies used by the threat actor.
Black Basta are a ransomware group who have recently emerged, with the first public reports of attacks occurring in April this year. As is popular with other ransomware groups, Black Basta uses double-extortion attacks where data is first exfiltrated from the network before the ransomware is deployed. The threat actor then threatens to leak the data on the “Black Basta Blog” or “Basta News” Tor site. There are two Tor sites used by Black Basta, one which leaks stolen data and one which the victims can use to contact the ransomware operators. The latter site is provided in the ransom note which is dropped by the ransomware executable.
According to NCC Group, the Black Basta gang used QBot not for the initial access that ransomware gangs generally employ it for, but to spread laterally across the network: the malware installs a temporary service on the target host and configures it to run its DLL using regsvr32.exe. It does this all across the network.
Once Qakbot is operational, it is able to infect network shares and drives, brute-force Active Directory accounts, or use the SMB (Server Message Block) file-sharing protocol to create copies of itself or spread via default admin shares using current user credentials. It can also infect AD accounts by using the SMB file-sharing protocol.
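The temporary service that runs a DLL through regsvr32.exe is something defenders can hunt for in service-installation logs. The following is an added example, not code from NCC Group or the original article: it assumes Service Control Manager event 7045 records exported as dictionaries with `ServiceName` and `ImagePath` fields, and every host, service name and path in the sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event 7045 ("A service was installed in the system") records.
# Hosts, service names and paths are made up for illustration.
SAMPLE_EVENTS = [
    {"time": "2022-06-01T10:02:11", "host": "WS-014", "event_id": 7045,
     "ServiceName": "kqzvbd", "ImagePath": r"regsvr32.exe -s C:\Windows\example.dll"},
    {"time": "2022-06-01T10:04:40", "host": "FS-02", "event_id": 7045,
     "ServiceName": "pwmxra", "ImagePath": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\example.dll"'},
    {"time": "2022-06-01T10:09:03", "host": "DC-01", "event_id": 7045,
     "ServiceName": "tnhgle", "ImagePath": r"REGSVR32 -s \\DC-01\ADMIN$\example.dll"},
    {"time": "2022-06-01T11:30:00", "host": "WS-020", "event_id": 7045,
     "ServiceName": "VendorAgent", "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service'},
    {"time": "2022-06-01T12:00:00", "host": "WS-031", "event_id": 7045,
     "ServiceName": "legacyreg", "ImagePath": r"regsvr32.exe /s C:\Apps\codec.dll"},
]

# regsvr32 (bare, full path or quoted) followed by a quoted or unquoted .dll argument.
REGSVR32 = re.compile(
    r'(?:^|[\\/"\s])regsvr32(?:\.exe)?"?\s+(?:.*?\s)?(?:"([^"]+\.dll)"|([^\s"]+\.dll))',
    re.IGNORECASE)

def suspicious_installs(events):
    """Return 7045 events whose service ImagePath runs a DLL through regsvr32."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        m = REGSVR32.search(ev.get("ImagePath", ""))
        if m:
            hits.append({**ev, "dll": (m.group(1) or m.group(2)).lower()})
    return hits

def spread_clusters(hits, window=timedelta(minutes=30), min_hosts=2):
    """Map DLL file name -> hosts, for DLLs registered as services on several
    hosts within `window` of the first sighting (a sign of lateral spread)."""
    by_dll = defaultdict(list)
    for h in hits:
        name = re.split(r"[\\/]", h["dll"])[-1]
        by_dll[name].append((datetime.fromisoformat(h["time"]), h["host"]))
    clusters = {}
    for name, seen in by_dll.items():
        seen.sort()
        hosts = sorted({host for t, host in seen if t - seen[0][0] <= window})
        if len(hosts) >= min_hosts:
            clusters[name] = hosts
    return clusters
```

A single regsvr32-backed service on one host can be legitimate software; the same DLL name appearing as a new service on several hosts within minutes is the pattern worth escalating.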
How Can Heimdal Help?
Ransomware is the most popular threat nowadays, with advanced techniques that are hard to fight. It's important to have the best cybersecurity solutions, especially if you want to keep your business protected and up and running. Do not let ransomware give you a bad time: check out our Ransomware Encryption Protection, which will help your company stay away from malicious encryption attempts and is packed with efficient detection features.