Saturday, January 18, 2025
Homecyber securityBeware Of New Social Engineering Attack That Delivers Black Basta Ransomware

Beware Of New Social Engineering Attack That Delivers Black Basta Ransomware

Published on

SIEM as a Service

Follow Us on Google News

Hackers exploit social engineering, which avoids technical security systems, by manipulating the psychology and behavior of a human being.

Social engineering techniques, such as baiting emails or pretexting phone calls, manipulate victims into providing confidential information or performing actions that impede security details. 

Attackers find it cheap and easy, as they need less specialist knowledge to make expensive use of trust, curiosity, or fear to trick their target.

Cybersecurity analysts at Rapid7 recently identified that threat actors have been actively exploiting a new social engineering attack that delivers Black Basta ransomware.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Technical Analysis

Rapid7 has uncovered multiple social engineering campaigns targeting several MDR clients.

Here, the spam emails flood the victims’ inboxes to make them accept remote access via tools such as AnyDesk or Quick Assist when someone pretending to be IT support calls them.

Once connected, the attacker downloads payloads to harvest credentials and maintain persistence, which could ultimately result in ransomware viruses, as in previous Black Basta operations.

This is a new take on things as it emerged towards the end of April 2024.

The attack begins by attacking affected users with a surge of seemingly harmless newsletter signup confirmation spam emails that bypass email protections.

Spam email (SOurce – Rapid7)

Next, the attacker makes phone calls to people who are directly affected, and they pretend to be IT support in order to resolve this email issue. 

Using social engineering, the hijacker persuades users to permit remote access through AnyDesk or Windows Quick Assist.

If one user does not succeed, the attacker immediately proceeds to the next targeted through spam campaigns.

Upon access acquisition, the infiltrator executes batch scripts that look like updates to make them appear genuine. The initial script tests C2 connectivity and downloads an OpenSSH for:-

  • Windows zip file (renamed RuntimeBroker.exe)
  • RSA keys
  • Dependencies
  • SSH config files

Registry run keys pointing to extra batch files ensure persistence. These scripts loop over SSH attempts at reverse shell connections to C2 using downloaded keys. 

Some of these scripts have hard C2 coding, while others can be overridden through command-line functions. Other versions also achieve persisting via NetSupport or ScreenConnect functionalities.

In all the instances, the attacker utilized a batch script that seemed like an “update” to harvest the victims’ credentials through PowerShell, with most of them being exfiltrated immediately by means of SCP.

Aiming to move laterally, after being compromised initially, there were attempts to deploy Cobalt Strike beacons that consisted of DLL side-loading.

Although no data theft or ransomware was deployed, the indicators match previous Black Basta operations based on intelligence.

Mitigations

Here below, we have mentioned all the mitigations provided:-

  • Make sure to block all the unapproved RMM tools.
  • Block all the domains that are associated with unapproved RMM tools. 
  • Users should also be trained in social engineering.
  • Ensure robust application allow-listing is enabled.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....