The Black Basta ransomware group has partnered with the QBot malware operation to move laterally inside compromised corporate networks. QBot (also tracked as Qakbot or QuakBot) is Windows malware that steals banking and domain credentials and drops additional malware payloads onto infected systems.
Phishing emails carrying malicious attachments are the most common way victims become infected with QBot. Despite its origins as a banking trojan, it has also worked with several other ransomware gangs, including MegaCortex, ProLock, DoppelPaymer, and Egregor.
Black Basta is a relatively new ransomware operation that made a strong start, breaching a significant number of enterprises in a short period and demanding large ransom payments. NCC Group analysts identified the new partnership between Qakbot and Black Basta during a recent incident response engagement, which also allowed them to document the threat actor's methods.
While most ransomware gangs use QBot to gain initial access, the Black Basta gang, according to NCC Group, used it to spread laterally across the network. Specifically, the malware installs a temporary service on the target host and configures it to run its DLL through regsvr32.exe. Once Qakbot is running, it can infect network shares and drives, brute-force Active Directory accounts, or spread to other hosts over the default administrative shares via SMB (Server Message Block), using the credentials of the currently logged-on user.
“Qakbot was the primary method utilized by the threat actor to maintain their presence on the network. The threat actor was also observed using Cobalt Strike beacons during the compromise,” explains the NCC Group’s report. The researchers also found a text file named “pc_list.txt” in the Windows folder containing a list of internal IP addresses for all systems on the network, most likely generated by Qakbot.
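The two host artifacts described above (a service installed to run a DLL through regsvr32.exe, and a pc_list.txt host inventory in the Windows folder) can be hunted for on an individual machine. The following PowerShell is an added example, not code from the NCC Group report: it reads Event ID 7045 (service installation) from the System log and flags image paths that launch a DLL via regsvr32, then checks for the inventory file. The 30-day window, the regex, and the output shape are my choices.

```powershell
# Added example (not from the NCC Group report): hunt for Qakbot-style lateral
# movement artifacts on a Windows host. Run from an elevated PowerShell session.
# Event ID 7045 in the System log records every new service installation and
# carries ServiceName / ImagePath / StartType / AccountName in its event data.

$since = (Get-Date).AddDays(-30)   # assumed look-back window

$suspectServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named fields out of the event XML rather than parsing the message text
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            StartType   = $data['StartType']
            Account     = $data['AccountName']
        }
    } |
    # A legitimate service almost never has regsvr32.exe loading a DLL as its image path
    Where-Object { $_.ImagePath -match '(?i)regsvr32(\.exe)?\b.*\.dll' }

if ($suspectServices) {
    Write-Warning "Service installs that launch a DLL through regsvr32.exe (Qakbot-style persistence):"
    $suspectServices | Format-Table -AutoSize
} else {
    Write-Host "No regsvr32-launched service installs found in the last 30 days."
}

# pc_list.txt: the report describes an internal IP inventory dropped in the Windows folder
$pcList = Join-Path $env:SystemRoot 'pc_list.txt'
if (Test-Path $pcList) {
    $item = Get-Item $pcList
    Write-Warning ("Found {0} ({1} bytes, last written {2})" -f $pcList, $item.Length, $item.LastWriteTime)
    # Count IPv4-looking lines so the analyst can gauge how much of the network was enumerated
    $ipCount = (Select-String -Path $pcList -Pattern '^\s*\d{1,3}(\.\d{1,3}){3}\s*$').Count
    Write-Host "  $ipCount IPv4-looking entries"
} else {
    Write-Host "No $pcList on this host."
}
```

The service name itself is not a useful indicator because the report describes the service as temporary; the image path pattern and the installing account are what distinguish this from routine software installs. Run the same check across the hosts listed in pc_list.txt, since that file tells you which systems the actor already knew about.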
In the latest attack investigated by NCC responders, Black Basta showed the same traits as before: changing the desktop wallpaper, deleting shadow copies, appending the .basta extension to encrypted files, and embedding a company ID in the ransom notes. NCC noted, however, that the threat actors also disabled Windows Defender to evade detection and to reduce the odds of the encryption stage failing.
The attackers did this either with PowerShell commands or by creating a GPO on a compromised Domain Controller that modified the Windows Registry. Inside a breached network, Qakbot can move quickly, harvesting account credentials and pivoting to neighbouring workstations. Even so, because the ransomware payload is not deployed immediately, defenders have a window of opportunity to act before the encryption stage.
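Because the report says Defender was switched off through registry changes pushed by PowerShell or by GPO, a defender can check for the same end state. The block below is an added example, not code from the NCC Group report or from Black Basta's tooling: it reads the documented Windows Defender policy values under HKLM\SOFTWARE\Policies, cross-checks the live engine state with Get-MpComputerStatus, and (where the GroupPolicy RSAT module is present) lists recently modified GPOs whose report mentions Windows Defender. Which values to inspect, the 14-day GPO window, and the output are my choices.

```powershell
# Added example (not from the NCC Group report): detect Defender having been
# disabled via registry policy, and find GPOs that could have pushed it.
# Run elevated; the GPO section needs the GroupPolicy module (RSAT) and domain rights.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Documented policy values; a value of 1 means the named protection is turned off.
$checks = @(
    @{ Key = $policyRoot;                        Name = 'DisableAntiSpyware';         Meaning = 'Defender engine disabled' }
    @{ Key = "$policyRoot\Real-Time Protection"; Name = 'DisableRealtimeMonitoring';  Meaning = 'real-time scanning off' }
    @{ Key = "$policyRoot\Real-Time Protection"; Name = 'DisableBehaviorMonitoring';  Meaning = 'behaviour monitoring off' }
    @{ Key = "$policyRoot\Real-Time Protection"; Name = 'DisableOnAccessProtection';  Meaning = 'on-access protection off' }
    @{ Key = "$policyRoot\Real-Time Protection"; Name = 'DisableIOAVProtection';      Meaning = 'download/attachment scanning off' }
)

$findings = foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v) {
        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Value = $v; Meaning = $c.Meaning }
    }
}

if ($findings) {
    # A managed baseline may legitimately set some of these; anything set to 1 that
    # your own policy does not explain is what the report describes.
    Write-Warning "Defender policy values present under HKLM\SOFTWARE\Policies:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No Defender disable policies set in the registry."
}

# Live state: what the engine is actually doing right now, independent of policy keys
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Write-Host ("Defender live state: AntivirusEnabled={0} RealTimeProtectionEnabled={1}" -f
        $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled)
}

# Domain side: GPOs changed in the last 14 days (assumed window) that touch Defender settings.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    $recent = Get-GPO -All | Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-14) }
    foreach ($gpo in $recent) {
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if ($report -match 'Windows Defender') {
            Write-Warning ("Recently modified GPO '{0}' ({1}) contains Windows Defender settings; modified {2}" -f
                $gpo.DisplayName, $gpo.Id, $gpo.ModificationTime)
        }
    }
}
```

A GPO that disables Defender is a stronger signal than a single host's registry values: it means the actor already held rights on a Domain Controller, which is the position the report describes, and every machine in the linked OU will pick the setting up at its next policy refresh. Restoring the values on one host does nothing until the GPO itself is removed or unlinked.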
The trojan has several attack paths, each with its own detection opportunities, but all of them begin with a malicious email. Defenders should therefore focus on that stage and treat unexpected attachments and embedded links with suspicion rather than opening them.