Pierluigi Paganini
November 24, 2022
Experts at the Cybereason Global SOC (GSOC) team have observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.
In the last two weeks, the experts observed attacks against more than 10 different US-based customers.
Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model. Security researchers at Sentinel Labs recently shared details about Black Basta‘s TTPs and assess it is highly likely the ransomware operation has ties with FIN7.
“In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network. QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials.” reads the report published by Cybereason. “Once QakBot has successfully infected an environment, the malware installs a backdoor allowing the threat actor to drop additional malware—namely, ransomware.”
The attack chain starts with a QBot infection, The operators use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.
The researchers noticed that once obtained access to the network, the threat actor moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.
The threat actor was also spotted locking the victims out of the network by disabling DNS services, making the recovery even more complex.
In most of the attacks observed by the experts, the spear-phishing email contains a malicious disk image file. Upon opening the file, Qbot is executed, then the malware connects to a remote server to retrieve the Cobalt Strike payload.
Threat actors perform credential harvesting and lateral movement and use the gathered credentials to compromise as many endpoints as possible and deploy the Black Basta ransomware.
Experts observed the attackers that were looking for machines without a defense sensor in an attempt to deploy additional malicious tools without being detected.
The report includes indicators of compromise for this threat.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Black Basta ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
