Black Basta Develops Custom Malware in Wake of Qakbot Takedown

Published: 23/11/2024   Category: security




The prolific ransomware group has shifted away from phishing as the method of entry into corporate networks, and is now using initial access brokers as well as its own tools to optimize its most recent attacks.



The enormously successful Black Basta ransomware group has pivoted to using new custom tools and initial access techniques as part of a shift in strategy in the wake of last year's takedown of the Qakbot botnet.
The evolution of the group, which has compromised more than 500 victims and counting, demonstrates the resilience of threat groups that have had to shift tactics on the fly due to law enforcement and other disruptions, yet still continue to flourish in their cybercriminal operations, experts said.
Black Basta's initial claim to fame was its prolific use of Qakbot, which it distributed via sophisticated and evolving phishing campaigns. As an initial access Trojan, Qakbot could then deploy a host of publicly available open source tools and ultimately the gang's namesake ransomware. However, about a year ago, the Qakbot botnet was largely put out of commission (though it has since reappeared) in a federal law-enforcement campaign called Operation Duck Hunt, forcing the group to find new modes of access to victim infrastructure.
Initially, Black Basta continued to use phishing and even vishing to deliver other types of malware, such as DarkGate and Pikabot, but quickly began seeking alternatives to conduct further malicious activity, researchers from Mandiant revealed in a blog post this week.
The group, which Mandiant tracks as UNC4393, has now settled into "a transition from readily available tools to custom malware development as well as [an] evolving reliance on access brokers and diversification of initial access techniques in recent attacks," Mandiant researchers wrote in the post.
One of the new methods for initial access involves the deployment of a backdoor called SilentNight, which the group used in 2019 and 2021 before putting it on the shelf until last year. Earlier this year, the group began using it again in malvertising efforts, the researchers said, marking a notable shift away from phishing, which previously was the "only known means of initial access," they wrote in the post.
SilentNight is a C/C++ backdoor that communicates via HTTP/HTTPS and may utilize a domain generation algorithm for command and control (C2). It has a modular framework that allows for plug-ins to provide versatile functionality, including system control, screenshot capture, keylogging, file management, and cryptocurrency wallet access, the researchers wrote. It also targets credentials through browser manipulation.
Once Black Basta gains access to target environments, the group uses a combo of living-off-the-land (LotL) techniques and an assortment of custom malware for persistence and lateral movement before deploying ransomware, the researchers found.
UNC4393's goal is to gather as much data as quickly as possible, followed by exfiltration of the collected data to engage in multi-faceted extortion, leveraging the threat of data leakage to pressure victims into paying ransom demands, the researchers noted.
One of the first new tools deployed after gaining initial access is called Cogscan, which seems to have replaced open source tools previously used by the group, such as Bloodhound, Adfind, and PSNmap to help map out victim networks and identify opportunities for either lateral movement or privilege escalation.
Cogscan is a .NET reconnaissance tool used to enumerate hosts on a network and gather system information, and is internally referred to as GetOnlineComputers by Black Basta itself, the researchers observed.
Another notable new tool that allows Black Basta to speed up its deployment of ransomware is Knotrock, a .NET-based utility. Knotrock creates a symbolic link on network shares specified in a local text file; after creating each symbolic link, Knotrock executes a ransomware executable and provides it with the path to the newly created symbolic link.
Ultimately, Knotrock serves a dual purpose: it assists the existing Basta encryptor by providing network-communication capabilities, and streamlines operations by proactively mapping out viable network paths, thereby reducing deployment time and accelerating the encryption process, the Mandiant researchers wrote.
The malware represents an evolution in UNC4393's operations in that it boosts the group's capabilities by expediting the encryption process, enabling larger-scale attacks and significantly decreasing its time to ransom, they noted.
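The Knotrock behaviour described above (a symbolic link created to a network share, then an encryptor launched with that link path as its argument, repeated share by share) gives defenders a correlation pattern to look for. The following Python is an added example, not code from the article or from Mandiant's report: it runs the correlation over constructed telemetry records whose field names, hosts and paths are hypothetical.

```python
"""Correlate UNC-share symlink creation with a follow-on process launch
that receives the link path, the sequence attributed to Knotrock above."""
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical field names, not real data).
EVENTS = [
    {"ts": "2024-11-23T10:00:01", "type": "symlink_created", "host": "ws01",
     "link": r"C:\Users\Public\l1", "target": r"\\fs01\finance"},
    {"ts": "2024-11-23T10:00:03", "type": "process_created", "host": "ws01",
     "image": r"C:\Users\Public\enc.exe", "cmdline": r"enc.exe C:\Users\Public\l1"},
    {"ts": "2024-11-23T10:00:02", "type": "symlink_created", "host": "ws01",
     "link": r"C:\Users\Public\l2", "target": r"\\fs02\hr"},
    {"ts": "2024-11-23T10:00:04", "type": "process_created", "host": "ws01",
     "image": r"C:\Users\Public\enc.exe", "cmdline": r"enc.exe C:\Users\Public\l2"},
    # Benign: a developer symlink to a local folder with no follow-on launch.
    {"ts": "2024-11-23T11:00:00", "type": "symlink_created", "host": "ws02",
     "link": r"C:\dev\src", "target": r"D:\repos\src"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_unc(path):
    # UNC paths begin with two backslashes (\\server\share).
    return path.startswith("\\\\")


def correlate(events, window=timedelta(seconds=30), min_hits=2):
    """Return {host: [(link, share, image), ...]} for hosts where at least
    `min_hits` UNC-share symlinks were each followed, within `window`, by a
    process whose command line names the link path. One hit alone is weak
    evidence; the repeated share-by-share pattern is what stands out."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    hits = {}
    for i, ev in enumerate(events):
        if ev["type"] != "symlink_created" or not is_unc(ev["target"]):
            continue
        t0 = parse_ts(ev["ts"])
        for later in events[i + 1:]:
            if parse_ts(later["ts"]) - t0 > window:
                break
            if (later["type"] == "process_created" and later["host"] == ev["host"]
                    and ev["link"].lower() in later["cmdline"].lower()):
                hits.setdefault(ev["host"], []).append(
                    (ev["link"], ev["target"], later["image"]))
                break
    return {h: v for h, v in hits.items() if len(v) >= min_hits}
```

On the constructed records, `correlate(EVENTS)` flags only `ws01`, with two link-then-launch pairs, while the local developer symlink on `ws02` is ignored.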
Other new tools observed in recent attacks include tunneling technology for command-and-control (C2) communications dubbed Portyard, and a memory-only dropper that decrypts an embedded resource into memory called DawnCry, the researchers said.
Changes to Black Basta’s initial access and tooling demonstrate a resilience in the group that shows it will continue to remain a threat against organizations of all sizes, even if it’s moving away from phishing, which is one of the most successful forms of cybercrime, one security expert noted.
"Given the success of this gang, there's no doubt they have a considerable amount of funds stocked away in their war chest, allowing them to develop their own tools and improve their ability to attack," says Erich Kron, security awareness advocate at security firm KnowBe4.
Indeed, Black Basta's ability to adapt and innovate in its use of new tools and techniques means that defenders, too, must be proactive and fortify their security measures with the latest technology and threat intelligence available, the Mandiant researchers said.
Defensive measures for organizations that Kron recommends include employee education and training to counter social engineering; strong data loss prevention controls to keep data from being stolen; a good endpoint detection and response system that can spot and stop attempts to encrypt files from infected computers; and immutable and tested backups to allow for quick recovery in the event of system encryption.
