The criminal group behind Black Basta ransomware has incorporated new social engineering tactics into its attacks and, since October 2024, has been deploying malicious payloads including Zbot and DarkGate. This evolution indicates a more sophisticated approach in the group's methods of attack.

Key Tactics and Techniques

Email Bombing: Black Basta initiates its attacks by overwhelming target users with a flood of emails. According to cybersecurity firm Rapid7, this is often done by subscribing users to numerous mailing lists. Following the email deluge, the attackers contact the victims while pretending to be company IT staff.

Social Engineering: The group uses platforms such as Microsoft Teams to pose as tech support, encouraging users to install legitimate remote access software such as AnyDesk or TeamViewer, thereby gaining unauthorized access to systems. Microsoft has been tracking this group under the alias Storm-1811 due to its exploitation of Quick Assist.

Malicious Use of OpenSSH and QR Codes: Attackers have been observed using OpenSSH to create a reverse shell, and have sent QR codes in chats, framed as a step to add trusted devices, with the intention of stealing credentials. ReliaQuest suggests these codes may redirect users to malicious sites.
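The initial-access sequence described above (an inbox flood, then a "help desk" contact, then a remote access tool or SSH launched by the same user) is something a SOC can correlate. The following Python is an added detection example, not code from the article or from Rapid7, ReliaQuest or Microsoft; the mail-gateway and endpoint events, the thresholds and the tool list are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): mail-gateway records as
# (timestamp, recipient, sender) and endpoint process starts as (timestamp, user, image).
T0 = datetime(2024, 11, 5, 9, 0)
MAIL_EVENTS = [(T0 + timedelta(seconds=5 * i), "alice", f"list-{i}@newsletters.example")
               for i in range(60)]                                   # 60 mails in 5 minutes
MAIL_EVENTS += [(T0 + timedelta(hours=h), "bob", "hr@corp.example") for h in range(3)]
PROCESS_EVENTS = [
    (T0 + timedelta(minutes=40), "alice", "anydesk.exe"),     # remote tool after the flood
    (T0 + timedelta(minutes=45), "alice", "ssh.exe"),         # OpenSSH client after the flood
    (T0 + timedelta(minutes=50), "carol", "teamviewer.exe"),  # no preceding flood: benign here
]
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe", "ssh.exe"}  # assumed list

def email_bursts(mail_events, threshold=50, window=timedelta(minutes=10)):
    """Return {recipient: burst_start} for recipients that receive >= threshold
    messages inside any sliding window of the given length (email bombing)."""
    by_rcpt = defaultdict(list)
    for ts, rcpt, _sender in mail_events:
        by_rcpt[rcpt].append(ts)
    bursts = {}
    for rcpt, stamps in by_rcpt.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:     # slide the window's left edge forward
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[rcpt] = stamps[lo]
                break
    return bursts

def correlate(mail_events, process_events, followup=timedelta(hours=4), **kw):
    """Flag remote-access or SSH tool launches by a user whose mailbox was flooded
    shortly before, i.e. the sequence described for Black Basta's initial access."""
    bursts = email_bursts(mail_events, **kw)
    hits = []
    for ts, user, image in process_events:
        start = bursts.get(user)
        if start and image.lower() in REMOTE_TOOLS and start <= ts <= start + followup:
            hits.append((user, image, ts))
    return hits

if __name__ == "__main__":
    for user, image, ts in correlate(MAIL_EVENTS, PROCESS_EVENTS):
        print(f"{ts:%H:%M} {user}: {image} launched after email flood")
```

In production the recipient and endpoint user fields must be joined through the identity system, and the threshold should be tuned against the organisation's normal mailing-list volume to avoid alerting on legitimate subscribers.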

Payload Delivery and Objectives

After initial access, the threat actors use the remote access software to deliver further malicious tools to compromised systems. These include a unique credential harvesting program, followed by the deployment of Zbot or DarkGate malware, which serve as potential entry points for further attacks. The ultimate goal, as outlined by Rapid7's Tyler McGraw, is to rapidly gain comprehensive access to the victim's environment, exfiltrate credentials, and possibly bypass security measures such as VPN and multi-factor authentication.

Evolution of Black Basta

Emerging from the dissolution of Conti in 2022, Black Basta, also known as UNC4393, originally relied on QakBot but has since expanded its methods to include various bespoke malware, such as:

KNOTWRAP: A memory-only dropper executing payloads directly in memory.

KNOTROCK: A .NET tool used for deploying ransomware.

DAWNCRY: A dropper decrypting embedded resources with a fixed key.

PORTYARD: A tunneling tool connecting to C2 servers with a custom protocol.

COGSCAN: A .NET utility for network reconnaissance.

Expert Insights

Yelisey Bohuslavskiy from RedSense emphasizes that Black Basta's strategic transition from traditional botnet methods to integrating social engineering reflects an adaptive threat landscape.

Broader Implications

The disclosure aligns with new findings by Check Point analyzing a Rust-based update to Akira ransomware, and with broader trends such as SEO poisoning by criminal groups like Rhysida, which use typosquatted domains to distribute malware disguised as legitimate software downloads.