The Black Basta ransomware group is using Qakbot malware — also known as QBot or Pinkslipbot — to perpetrate an aggressive and widespread campaign using an .IMG file as the initial compromise vector.
More than 10 different customers have been targeted by the campaign in the last two weeks, mostly focused on companies based in the US.
According to a threat advisory posted by the Cybereason Global SOC (GSOC) on Nov. 23, the infections begin with either a spam or phishing email containing malicious URLs, with Black Basta deploying Qakbot as the primary method to maintain a presence on victims’ networks.
“In this latest campaign, the Black Basta ransomware gang is using Qakbot malware to create an initial point of entry and move laterally within an organization’s network,” the report noted.
“We also observed the threat actor using Cobalt Strike during the compromise to gain remote access to the domain controller,” the research team noted. “Finally, ransomware was deployed, and the attacker then disabled security mechanisms, such as EDR and antivirus programs.”
The report singles out the swiftness with which the attacks are taking place: the attacker obtained domain administrator privileges in under two hours and deployed ransomware less than half a day later.
In more than one attack, the GSOC team observed the threat actor disabling DNS services, locking the victim out of the network, and making recovery more difficult.
“Given all of these observations, we recommend that security and detection teams keep an eye out for this campaign, since it can quickly lead to severe IT infrastructure damage,” the report noted.
The report encourages organizations to identify and block malicious network connections, reset Active Directory access, engage incident response, and cleanse compromised machines, which includes isolating and reimaging all infected machines.
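The two tampering behaviours the advisory describes (disabling DNS services to lock the victim out, and disabling EDR and antivirus) both surface in the Windows System event log as Service Control Manager events. The script below is an added detection example, not code from the Cybereason report: it parses constructed event records, flags stops or disables of watched services, and escalates a host where a security service and the DNS service are both turned off inside a short window. The first two display names in the watchlist are real Windows service names; "Example EDR Agent" is a placeholder, and the sample events are constructed for this example.

```python
"""Flag service-stop / service-disable events matching the defensive-evasion
behaviour described in the advisory (DNS and security tooling turned off).

Event IDs 7036 ("service entered the stopped state") and 7040 ("start type
changed") are the real System-log IDs written by the Service Control Manager.
The sample events at the bottom are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Display names of services to watch. "DNS Server" and "Microsoft Defender
# Antivirus Service" are real Windows display names; "Example EDR Agent" is a
# placeholder standing in for whatever EDR product a site actually runs.
WATCHED = {
    "DNS Server": "dns",
    "Microsoft Defender Antivirus Service": "security",
    "Example EDR Agent": "security",
}

STOPPED = re.compile(r"^The (?P<svc>.+) service entered the stopped state\.?$")
DISABLED = re.compile(
    r"^The start type of the (?P<svc>.+) service was changed from .+ to disabled\.?$")


@dataclass(frozen=True)
class Finding:
    host: str
    when: datetime
    service: str
    category: str   # "dns" or "security"
    action: str     # "stopped" or "disabled"


def parse_event(ev):
    """Return a Finding if the event is a stop/disable of a watched service, else None."""
    eid, msg = ev.get("event_id"), ev.get("message", "")
    if eid == 7036:
        m, action = STOPPED.match(msg), "stopped"
    elif eid == 7040:
        m, action = DISABLED.match(msg), "disabled"
    else:
        return None
    if not m:
        return None
    category = WATCHED.get(m.group("svc"))
    if category is None:
        return None
    return Finding(ev["host"], datetime.fromisoformat(ev["time"]),
                   m.group("svc"), category, action)


def analyse(events, window=timedelta(minutes=30)):
    """Return (findings, lockout_hosts).

    Every watched stop/disable becomes a Finding. A host is added to
    lockout_hosts when a security-category and a dns-category finding occur
    within `window` of each other, which is the lock-the-defender-out pattern
    the advisory describes."""
    findings = [f for f in (parse_event(e) for e in events) if f]
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    lockout = set()
    for host, fs in by_host.items():
        for a in fs:
            for b in fs:
                if {a.category, b.category} == {"dns", "security"} \
                        and abs(a.when - b.when) <= window:
                    lockout.add(host)
    return findings, lockout


# Constructed sample records in the shape a log shipper would emit.
SAMPLE_EVENTS = [
    {"host": "dc01", "time": "2022-11-20T02:14:05", "event_id": 7036,
     "message": "The Microsoft Defender Antivirus Service service entered the stopped state."},
    {"host": "dc01", "time": "2022-11-20T02:15:40", "event_id": 7040,
     "message": "The start type of the Microsoft Defender Antivirus Service service "
                "was changed from auto start to disabled."},
    {"host": "dc01", "time": "2022-11-20T02:31:10", "event_id": 7036,
     "message": "The DNS Server service entered the stopped state."},
    {"host": "ws07", "time": "2022-11-20T08:00:00", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},  # not watched
    {"host": "ws07", "time": "2022-11-20T08:05:00", "event_id": 7036,
     "message": "The Example EDR Agent service entered the stopped state."},
]

if __name__ == "__main__":
    found, hosts = analyse(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.when} {f.host}: {f.service} {f.action} ({f.category})")
    print("lockout pattern on:", sorted(hosts))
```

On the constructed input, dc01 produces three findings and is escalated because Defender was stopped 17 minutes before the DNS Server service; ws07 produces one finding for the EDR agent only, and its Print Spooler stop is ignored. In production the watchlist would be populated from the site's actual service inventory rather than hard-coded.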
Qakbot Ramps Up Operations, Adding Capabilities
The Qakbot group has recently ramped up its operations, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.
In September, it resumed expanding its access-as-a-service network, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms.
In June, Qakbot operators were observed using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection.
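The sideloading layout described above leaves a recognisable footprint on disk: a DLL whose file name collides with a Windows system DLL, sitting beside an executable in a directory where that DLL has no business being. The hunt below is an added example, not the researchers' tooling: it walks a directory tree, skips the trusted system directories, and reports every directory that holds both an executable and a DLL named like a system DLL. The DLL names in the watchlist are real Windows system DLL names; the sample tree it builds is constructed for this example, and the directory names inside it are illustrative.

```python
"""Hunt for the DLL-sideloading layout: a DLL with a system DLL's name next to
an executable, outside the Windows system directories.

The watchlist and the sample tree are constructed for this example."""
import os
import tempfile
from pathlib import Path

# Real Windows system DLL names; an illustrative subset. A production hunt
# would enumerate %SystemRoot%\System32 instead of hard-coding a list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll",
                    "userenv.dll", "cryptbase.dll", "profapi.dll"}

# Path segments under which those names legitimately live. Matched on the
# normalised (lower-case, forward-slash) path so it also works on a scan of a
# mounted image or an offline copy rooted somewhere other than C:\.
TRUSTED_SEGMENTS = ("/windows/system32", "/windows/syswow64", "/windows/winsxs")


def is_trusted_location(path):
    norm = str(path).replace("\\", "/").lower()
    return any(seg in norm for seg in TRUSTED_SEGMENTS)


def hunt_sideloading(root):
    """Return a list of {dir, dll, exes} for every suspicious directory under root."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        if is_trusted_location(dirpath):
            continue
        lowered = {f.lower() for f in filenames}
        exes = sorted(f for f in filenames if f.lower().endswith(".exe"))
        if not exes:
            continue  # a lone DLL cannot be sideloaded without a loader beside it
        for dll in sorted(lowered & SYSTEM_DLL_NAMES):
            hits.append({"dir": dirpath, "dll": dll, "exes": exes})
    return hits


def build_sample_tree(base):
    """Construct a small tree: a benign app, a staging dir with the sideloading
    layout, and a fake System32 holding the legitimate DLL."""
    base = Path(base)
    good = base / "Program Files" / "GoodApp"
    good.mkdir(parents=True)
    (good / "goodapp.exe").write_bytes(b"MZ")
    (good / "helper.dll").write_bytes(b"MZ")      # app-private name, not a system DLL
    stage = base / "Users" / "alice" / "AppData" / "Local" / "Temp" / "stage"
    stage.mkdir(parents=True)
    (stage / "update.exe").write_bytes(b"MZ")
    (stage / "version.dll").write_bytes(b"MZ")    # collides with System32\version.dll
    sys32 = base / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "notepad.exe").write_bytes(b"MZ")
    (sys32 / "version.dll").write_bytes(b"MZ")    # the legitimate copy; skipped
    return base


def run_demo():
    """Build the constructed tree in a temp dir and return the hunt results."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt_sideloading(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['dir']}: {hit['dll']} beside {', '.join(hit['exes'])}")
```

Name collision alone is a weak signal, so a real hunt would follow up each hit by checking the DLL's Authenticode signature and comparing its hash with the copy in System32; this example stops at the layout check because that is the part the text describes.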
Black Basta Backed by FIN7
Black Basta, one of this year’s most prolific ransomware families, is offered as ransomware-as-a-service (RaaS) in various underground forums, which means multiple operators have Black Basta in their toolset, making attribution difficult.
The group has been active since at least February, although it was only discovered two months later targeting VMware ESXi virtual machines running on enterprise Linux servers, encrypting files inside a targeted volumes folder. The group has targeted English-speaking countries on a global scale.
Evidence has recently emerged that FIN7, a financially motivated cybercrime organization estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, according to researchers at SentinelOne.