Friday, March 29, 2024

Black Basta Ransomware Gang Infiltrates Networks Using Penetration Testing Tools

The distribution of QAKBOT malware is resurrected once again by operators of the Black Basta ransomware group on September 8, 2022, after a short leisure break.

While the latest distribution mechanism and campaign were identified by cybersecurity researchers at Trend Micro and the attackers using Penetration Testing tools to infiltrate the targeted networks.

In this latest campaign, the threat actors are distributing the QAKBOT malware with the help of the following malicious payloads:-

  • SmokeLoader
  • Emotet
  • Malicious spam (BB and Obama20x IDs)
  • Brute Ratel C4 framework

As a second-stage payload, the attackers deployed the Qakbot malware in their recent attacks by exploiting the Brute Ratel C4 framework payload. During the attack, Cobalt Strike was also used to move laterally as part of the attack.

Technical Analysis

A malicious email ignites the whole campaign and this email contains a malicious URL that redirects the victims to a download page. Here, an archive file containing documents and files will be downloaded.

There are two things that you will find in the archive:-

  • An LNK file in the form of an ISO file
  • Two hidden subdirectories

There is a geographical distribution of C&C servers among compromised hosts, which makes the infrastructure difficult to detect. There are 28 countries where all these hosts are found within ISP broadband networks.

Each C&C server is used once by the operators of the QAKBOT malware, as they don’t use a server repeatedly, instead, they always keep changing them for more complexity. It has even been found that some of them have been saved in more than one QAKBOT configuration.

QAKBOT launches a reconnaissance operation on the network and then it drops the Brute Ratel DLL within 6 minutes of its introduction. 

The following things are identified during the subsequent reconnaissance process in the environment:- 

  • Privileged users
  • Active Directory
  • Group policies
  • Domains
  • Computers
  • Users

In order to prepare the data for exfiltration, the files are then packaged into a ZIP file, and it takes only a few seconds to accomplish this data extraction process.

QAKBOT C&C Server Countries

Here, we have compiled a list of the countries in which the C&C servers for the QAKBOT are located:-

  • Afghanistan
  • Algeria
  • Argentina
  • Austria
  • Brazil
  • Bulgaria
  • Canada
  • Chile
  • Colombia
  • Egypt
  • India
  • Indonesia
  • Japan
  • Mexico
  • Mongolia
  • Morocco
  • Netherlands
  • Qatar
  • Russia
  • South Africa
  • Taiwan
  • Thailand
  • Turkey
  • United Arab Emirates
  • United Kingdom
  • United States
  • Vietnam
  • Yemen

Apart from this, it has been detected that attackers are also using the HTML Smuggling method to deliver a password-protected ZIP file. Malicious code can be injected into HTML attachments or web pages through this technique.

Recommendations

Here below we have mentioned all the recommendations provided:-

  • Always verify the email sender.
  • Do not open or download any suspicious attachments received from an unknown sender.
  • Do not click or open any suspicious links.
  • Always verify the authenticity of embedded links by hovering over them.
  • Prior to taking any action, it is recommended that you verify if the email actually comes from the company that claims to have sent it.

Also Read: Download Secure Web Filtering – Free E-book

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles