© 2022 CyberNews - Latest tech news,
product reviews, and analyses.


Black Basta behind aggressive US-based malware campaign


Affiliates of the Black Basta ransomware gang use the QakBot banking trojan for initial access and deploy ransomware in victim IT systems almost immediately afterwards.

Organizations all over the world have fallen victim to the widespread QakBot-driven campaign, but researchers at cybersecurity company Cybereason say US-based companies are the most heavily targeted.

"This is a wide scale attack against many companies in the U.S. and just within the past two weeks we have mitigated the risk with more than 10 of our customers," Loïc Castel, security analyst with Cybereason, told Cybernews.

Threat actors use QakBot malware, also known as QBot or Pinkslipbot, to carve out an entry point into the victim's IT systems and then spread further through the compromised organization. QakBot started life as a banking trojan used to steal financial data and credentials.

Attack scenario diagram (Black Basta attack). Image by Cybereason.

However, the Cybereason Global SOC (GSOC) team says Black Basta takes advantage of QakBot's ability to install a backdoor, which lets the cartel's affiliates drop ransomware on targeted companies and then extort them.

"Cybereason assesses the risk as HIGH given how quickly Black Basta gang members are using QBot for initial access, then exfiltrating sensitive data and deploying ransomware as soon as 12 hours later," Castel said.

Notably, the campaign operators locked victims out of their networks by disabling DNS services. Castel explained that DNS is central to IT infrastructure, so tampering with it has severe consequences for users and administrators alike.

"DNS outage could keep IT admins from remotely administrating their assets and slow down the response time, i.e., making it impossible for incident responders to access the hypervisor and suspend the affected machines," Castel said.

The researchers also rate the campaign's threat level as high because Black Basta is behind it. The group is believed to be a faction of the notorious Conti ransomware gang and the FIN7 cybergang, and has been linked with the infamous REvil and BlackMatter cartels.

Dangerous image files

The QakBot campaign operators set their sights on targets in the US. The GSOC team says the threat actors tend to move very quickly after a successful spear-phishing campaign, and breached at least ten organizations in the past couple of weeks.

"We concluded that the attacker uses an IMG file (Disk Image File, similar to the ISO format) as the initial compromise vector. We also identified other QBot infection vectors starting from ISO files, depending on the campaign," researchers claim.
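The IMG and ISO lures described above are optical-disc images, so a mail gateway or an analyst can list what such an attachment would present to the user before anyone mounts it. The following is an added example and is not Cybereason's tooling or anything recovered from the campaign: it builds a constructed ISO 9660 image in memory (the file names inside it are invented for illustration), walks the root directory of the primary volume, and flags file extensions that execute, or launch something else, when double-clicked from the mounted image. It assumes the attachment carries an ISO 9660 filesystem; an IMG that is actually a raw FAT image would need a different walker.

```python
"""Minimal ISO 9660 root-directory walker for triaging disk-image attachments.

Added example: builds a tiny ISO image in memory (constructed sample, not a
real file from the campaign), then lists the files in its root directory and
flags extensions that are commonly abused once a user mounts the image.
"""
import struct

SECTOR = 2048
# Extensions that execute, or pivot to execution, when clicked inside a mounted image.
RISKY_EXTENSIONS = {"lnk", "exe", "dll", "js", "vbs", "bat", "cmd", "hta", "scr"}


def both_endian32(value):
    # ISO 9660 stores 32-bit fields twice: little-endian then big-endian.
    return struct.pack("<I", value) + struct.pack(">I", value)


def both_endian16(value):
    return struct.pack("<H", value) + struct.pack(">H", value)


def make_dir_record(identifier, lba, size, flags=0):
    """Build one ISO 9660 directory record (ECMA-119, section 9.1)."""
    body = (
        b"\x00"                    # extended attribute record length
        + both_endian32(lba)       # location of extent (logical block address)
        + both_endian32(size)      # data length in bytes
        + bytes(7)                 # recording date/time (zeroed for this sample)
        + bytes([flags])           # file flags: 0x02 marks a directory
        + b"\x00\x00"              # file unit size, interleave gap size
        + both_endian16(1)         # volume sequence number
        + bytes([len(identifier)]) # length of file identifier
        + identifier
    )
    if len(identifier) % 2 == 0:
        body += b"\x00"            # pad so the record length is even
    return bytes([len(body) + 1]) + body


def build_sample_iso(entries):
    """Constructed image: PVD at sector 16, terminator at 17, root directory at 18,
    then one sector of payload per file starting at sector 19."""
    root_lba = 18
    records = [make_dir_record(b"\x00", root_lba, SECTOR, 0x02),   # "." entry
               make_dir_record(b"\x01", root_lba, SECTOR, 0x02)]   # ".." entry
    payload = b""
    for i, (name, content) in enumerate(entries):
        records.append(make_dir_record(name.encode("ascii"), 19 + i, len(content)))
        payload += content.ljust(SECTOR, b"\x00")
    root_dir = b"".join(records).ljust(SECTOR, b"\x00")

    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"                                  # type 1, "CD001", version 1
    pvd[156:190] = make_dir_record(b"\x00", root_lba, SECTOR, 0x02)  # 34-byte root record
    terminator = bytearray(SECTOR)
    terminator[0:7] = b"\xffCD001\x01"                           # volume descriptor set terminator
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(terminator) + root_dir + payload


def list_root_files(image):
    """Return {name: size} for files in the root directory of the primary volume.
    Only the Primary Volume Descriptor is read; Joliet (UCS-2 names) and Rock Ridge
    extensions are ignored, so a production triage tool should walk those too."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    root = pvd[156:190]
    root_lba = struct.unpack_from("<I", root, 2)[0]
    root_len = struct.unpack_from("<I", root, 10)[0]
    data = image[root_lba * SECTOR:root_lba * SECTOR + root_len]

    files = {}
    off = 0
    while off < len(data):
        rec_len = data[off]
        if rec_len == 0:
            # Records never span a sector; a zero length means padding to the next one.
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = data[off:off + rec_len]
        off += rec_len
        flags, fi_len = rec[25], rec[32]
        ident = rec[33:33 + fi_len]
        if ident in (b"\x00", b"\x01") or flags & 0x02:
            continue                                   # skip ".", ".." and subdirectories
        name = ident.decode("ascii").split(";")[0]     # drop the ";1" version suffix
        files[name] = struct.unpack_from("<I", rec, 10)[0]
    return files


def flag_risky(files):
    """Names whose extension would execute (or launch something) on double-click."""
    return sorted(n for n in files if n.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS)


# Constructed sample: invented names, not indicators from the campaign.
SAMPLE_ISO = build_sample_iso([
    ("INVOICE.LNK;1", b"constructed shortcut bytes"),
    ("HELPER.DLL;1", b"constructed dll bytes"),
    ("README.TXT;1", b"harmless text"),
])

if __name__ == "__main__":
    found = list_root_files(SAMPLE_ISO)
    print("files:", found)
    print("risky:", flag_risky(found))
```

Run against a real attachment by replacing SAMPLE_ISO with the file's bytes. Two caveats matter in practice: lures frequently carry a Joliet supplementary descriptor with mixed-case long names that this primary-volume walker will not see, and a shortcut's danger lies in its target command line, so a `.lnk` hit should be followed by parsing the shortcut itself rather than trusting the name.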

Once the phishing lure has given them a foothold, the attackers use Cobalt Strike to establish remote access and move through the network, disabling security mechanisms so that admins are not alerted to the oncoming ransomware deployment.

The campaign's final stage, the GSOC team surmises, was to infect as many machines as possible and globally deploy Black Basta ransomware.

The Black Basta ransomware group was spotted in April 2022 and has victimized over 100 organizations thus far. The gang is operating as a ransomware-as-a-service (RaaS) provider. Like other infamous ransomware cartels, the gang employs double extortion tactics to muscle victims into paying the ransom.

