Cyber Security News

Black Basta Ransomware Leverages Microsoft Teams To Deliver Malicious Payloads

Since resurfacing in May 2024, the Black Basta ransomware campaign has escalated its attack methods, adopting a multi-stage infection chain that blends social engineering, a custom packer, a mix of malware payloads, and advanced delivery techniques.

To deliver the malicious commands that serve as the initial infection vector, the attackers abuse the trust that users of collaboration platforms such as Microsoft Teams place in one another.

When unsuspecting users execute these commands, a custom packer of unknown origin delivers an obfuscated arsenal of payloads, which may include a credential harvester built to steal logins for lateral movement within the network, or obfuscated variants of the Black Basta ransomware itself.

An operator stalls for time.

Security researchers have published YARA rules that identify this custom packer, giving defenders a means of early detection.


Beyond the custom packer, Black Basta has also been observed deploying DarkGate, a loader and remote access trojan delivered as shellcode and capable of a wide range of harmful actions.

DarkGate can be used to terminate processes, steal information, manipulate the system (reboot, shutdown, crash), and potentially re-infect compromised machines.

The inclusion of Zbot, a credential-stealing trojan, in Black Basta's malware arsenal further underlines the multi-stage structure of the attack.

The credential harvesting prompt shown to the user upon executing the DLL

The initial phase, likely involving social engineering tactics delivered via malicious Teams commands, seeks to bypass security defenses and establish a foothold within the target network. 

Following a successful compromise, the custom packer unpacks the next-stage payload, which could be either the credential harvester or the obfuscated ransomware executable. 

The credential harvester steals login credentials to facilitate lateral movement within the compromised network, while the ransomware encrypts critical data to extort a ransom payment from the victim. 

DarkGate displays its version using a debug message box.

Once a foothold is established and credentials are harvested, Black Basta injects DarkGate, which is then used to move laterally within the network, steal sensitive data from various sources, and establish persistence on the compromised system so that access survives a reboot, including re-infecting the machine if it is restarted.

According to Rapid7, effective defenses should be able to identify these social engineering ploys, detect the packed payloads with tools such as the aforementioned YARA rules, and ultimately thwart ransomware deployment.
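As an added example (not Rapid7's published YARA rules, which are not reproduced here, and not code from the original article), the following Python script performs the complementary triage a defender would run alongside those rules: it parses a PE file's section table and flags sections whose byte entropy or memory permissions suggest a packed payload. The PE image it scans is constructed inline as test data and is not a real Black Basta sample; the 7.0 bits-per-byte threshold is a common heuristic, not a published indicator.

```python
import math
import random
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Heuristic threshold (an assumption, not a published indicator): compressed or
# encrypted data usually exceeds 7.0 bits of entropy per byte; plain code rarely does.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section (name, raw bytes, entropy, characteristics,
    and whether the raw data runs past the end of the file)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + i * 40)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "data": data,
            "entropy": shannon_entropy(data),
            "characteristics": chars,
            "truncated": len(data) < raw_size,  # truncated or deliberately malformed
        })
    return sections


def triage(pe: bytes) -> list:
    """Return (section name, [reasons]) for every section that looks suspicious."""
    findings = []
    for s in parse_sections(pe):
        reasons = []
        if s["entropy"] >= PACKED_ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({s['entropy']:.2f} bits/byte)")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable")  # typical of an in-place unpacking stub
        if s["truncated"]:
            reasons.append("raw data runs past end of file")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def likely_packed(pe: bytes) -> bool:
    return any("high entropy" in r for _, reasons in triage(pe) for r in reasons)


def build_sample_pe() -> bytes:
    """Constructed test data: a minimal PE32+ image with a plain .text section and a
    high-entropy, writable+executable section standing in for a packed payload.
    It is not a real Black Basta sample and does not run."""
    rng = random.Random(1337)
    text_data = (b"plain, low-entropy code-like bytes; " * 12)[:400].ljust(512, b"\x00")
    packed_data = bytes(rng.getrandbits(8) for _ in range(2048))
    opt_size = 240  # PE32+ optional header; its contents are irrelevant to this parser
    text_ptr, packed_ptr = 512, 1024

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    sec_fmt = "<8sIIIIIIHHI"
    table = struct.pack(sec_fmt, b".text", 0x1000, 0x1000, len(text_data), text_ptr, 0, 0, 0, 0, 0x60000020)
    table += struct.pack(sec_fmt, b".stub", 0x1000, 0x2000, len(packed_data), packed_ptr, 0, 0, 0, 0, 0xE0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(text_ptr, b"\x00")
    return headers + text_data + packed_data


if __name__ == "__main__":
    for name, reasons in triage(build_sample_pe()):
        print(f"{name}: {', '.join(reasons)}")
```

Run against a real sample, the script reads the file into `pe` and calls `triage`; a hit on a high-entropy section that is also writable and executable is the cue to run the published YARA rules and to unpack the sample in a sandbox, not a verdict by itself, since legitimate installers and resource-heavy binaries also carry high-entropy sections.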

Organizations should prioritize educating employees on cybersecurity best practices, including remaining vigilant of suspicious messages or commands within collaboration platforms and reporting such instances immediately. 

By implementing a layered security approach that combines technical controls with user awareness training, organizations can significantly enhance their defenses against the evolving tactics of the Black Basta ransomware campaign.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
