Cyber Security News

Black Basta Ransomware Leverages Microsoft Teams To Deliver Malicious Payloads

In a resurgence since May 2024, the Black Basta ransomware campaign has exhibited a troubling escalation in its attack methods, incorporating a multi-stage infection chain that blends social engineering, a custom packer, a mix of malware payloads, and advanced delivery techniques. 

To distribute the malicious commands that serve as the initial infection vector, the attackers abuse the trust that members of collaboration platforms such as Microsoft Teams place in one another. 

When unsuspecting users execute these commands, a custom packer of unknown origin delivers an obfuscated payload drawn from a diverse arsenal, which may include a credential harvester designed to steal login credentials for lateral movement within the network, or obfuscated variants of the Black Basta ransomware itself. 

An operator stalls for time.

Security researchers have developed and published YARA rules that identify this custom packer, which will assist defenders in early detection.


Beyond the custom packer, Black Basta has also been observed leveraging DarkGate, a malicious shellcode capable of a comprehensive range of harmful actions. 

DarkGate can be used to terminate processes, steal information, manipulate the system (reboot, shutdown, crash), and potentially re-infect compromised machines.

The inclusion of Zbot, a credential-stealing trojan, within Black Basta’s malware arsenal strengthens the argument for a multi-stage attack structure.  

The credential harvesting prompt shown to the user upon executing the DLL

The initial phase, likely involving social engineering tactics delivered via malicious Teams commands, seeks to bypass security defenses and establish a foothold within the target network. 

Following a successful compromise, the custom packer unpacks the next-stage payload, which could be either the credential harvester or the obfuscated ransomware executable. 

The credential harvester steals login credentials to facilitate lateral movement within the compromised network, while the ransomware encrypts critical data to extort a ransom payment from the victim. 

DarkGate displays its version using a debug message box.

Once a foothold is established and credentials are harvested, Black Basta injects DarkGate. DarkGate can then be used to achieve lateral movement within the network, steal sensitive data from various sources, potentially establish persistence on the compromised system so that access survives a reboot, and potentially re-infect the machine if a reboot is attempted. 

According to Rapid7, effective defenses should be able to identify these social engineering ploys, detect the packed malicious payloads using tools like the aforementioned YARA rules, and ultimately thwart ransomware deployment. 

Organizations should prioritize educating employees on cybersecurity best practices, including remaining vigilant of suspicious messages or commands within collaboration platforms and reporting such instances immediately. 

By implementing a layered security approach that combines technical controls with user awareness training, organizations can significantly enhance their defenses against the evolving tactics of the Black Basta ransomware campaign.
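As an added example (not code from the article or from Rapid7), the following Python pass shows how the two user-facing steps in this chain, a command run from the Teams client and a DLL executed from a user-writable folder, could be flagged in process-creation telemetry; the process names, paths and sample events are constructed assumptions, not indicators from the report.

```python
import json
from collections import namedtuple

# Added example: a small detection pass over constructed process-creation
# events in a Sysmon Event ID 1 style, reduced to the fields the logic needs.
# The parent/child pairs and paths treated as suspicious are assumptions about
# how a Teams-delivered command or a user-run DLL would surface in telemetry.

TEAMS_PARENTS = {"teams.exe", "ms-teams.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

Alert = namedtuple("Alert", "rule record reason")


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(ev):
    """Return an Alert for one event, or None if nothing matched."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    # Rule 1: a command interpreter launched directly from the Teams client.
    if parent in TEAMS_PARENTS and image in INTERPRETERS:
        return Alert("teams_spawns_interpreter", ev["RecordId"], f"{parent} -> {image}")
    # Rule 2: a DLL loader invoked with a module in a user-writable path,
    # where a DLL a user was talked into running would typically sit.
    if image in DLL_LOADERS and any(p in cmd for p in USER_WRITABLE):
        return Alert("dll_run_from_user_dir", ev["RecordId"], cmd)
    return None


def scan(lines):
    """Parse JSON-lines telemetry and collect the alerts raised."""
    return [a for a in (analyse_event(json.loads(l)) for l in lines if l.strip()) if a]


# Constructed sample telemetry: two benign events (1 and 4) and two that alert.
SAMPLE = r"""
{"RecordId": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Users\\a\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "CommandLine": "Teams.exe"}
{"RecordId": 2, "ParentImage": "C:\\Users\\a\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -File C:\\Users\\a\\Downloads\\setup.ps1"}
{"RecordId": 3, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\update.dll,Start"}
{"RecordId": 4, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
""".splitlines()
```

Running `scan(SAMPLE)` flags records 2 and 3 only; in a real deployment the parent and path lists would be tuned to the environment's own Teams install location and interpreter set.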


Aman Mishra
