Black Basta Ransomware Expands Tactics with Zbot, DarkGate, and Social Engineering

The Black Basta ransomware group, infamous for its sophisticated attacks, has shifted its approach, integrating advanced social engineering techniques and deploying new malware payloads like Zbot and DarkGate. This marks an evolution in its tactics, blending technological exploitation with psychological manipulation.

New Social Engineering Techniques

Since October 2024, Black Basta has employed email bombing to overwhelm victims: the target's address is subscribed to many mailing lists at once, flooding the inbox. Following this, attackers reach out, posing as legitimate support or IT personnel, often through:

  1. Microsoft Teams: Impersonating organizational IT staff.
  2. Remote Access Software: Urging victims to install trusted tools like AnyDesk, TeamViewer, or Microsoft's Quick Assist.

Microsoft has identified the group behind these abuses as Storm-1811.

Innovative Malware Delivery

After gaining initial access via remote access tools, the attackers:

  1. Deploy Credential Harvesters: Tools to extract sensitive information.
  2. Execute Payloads: Installing Zbot (aka ZLoader) or DarkGate malware.
  3. Establish Reverse Shells: Using OpenSSH clients for deeper system control.

In some cases, the group sends malicious QR codes through chats to either steal credentials or redirect victims to additional malicious infrastructure.

Primary Objectives

The overarching goals remain:

  1. Environmental Enumeration: Rapidly mapping the target’s digital environment.
  2. Credential Theft: Harvesting credentials and VPN configurations to enable MFA bypass and direct authentication into the organization’s systems.

Malware Arsenal

Black Basta has a history of deploying custom malware for specific purposes, including:

  1. KNOTWRAP: A memory-only dropper for executing payloads.
  2. KNOTROCK: A .NET-based ransomware execution utility.
  3. DAWNCRY: A memory-only dropper using hard-coded keys.
  4. PORTYARD: A tunneler for connecting to command-and-control servers.
  5. COGSCAN: A reconnaissance tool for network scanning.

Broader Ransomware Trends

Black Basta’s evolution parallels other notable ransomware campaigns:

  1. Akira Ransomware: Recently updated with a Rust variant.
  2. Rhysida Ransomware: Leveraging SEO poisoning and typosquatted domains to trick users into downloading infected files disguised as legitimate software like Microsoft Teams and Google Chrome.

How to Stay Protected

To combat these evolving threats:

  1. Monitor Communications: Verify unexpected IT or support requests.
  2. Educate Employees: Train staff to identify social engineering attempts.
  3. Secure Access Tools: Limit the use of remote access software to verified sources.
  4. Implement MFA: Reduce risks from credential theft.
  5. Utilize Endpoint Protection: Detect and mitigate malicious payloads.
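As an added example (not from this post or from Red Secure Tech), the following Python check turns the first two points into a detection: it looks for the sequence described above, a burst of mailing-list mail to one inbox followed by that same user launching a remote-access tool. The log records, the user-to-mailbox mapping, the tool names and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-access tools the post says victims are urged to install.
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}

# Constructed sample data (not real logs): mail-gateway records as
# (recipient, ISO timestamp, sender) and endpoint process starts as
# (username, ISO timestamp, image). alice is bombed then runs Quick Assist.
MAIL_LOG = [("alice@corp.example", "2024-10-21T09:00:00", f"list{i}@news.example")
            for i in range(25)]
MAIL_LOG.append(("bob@corp.example", "2024-10-21T09:05:00", "hr@corp.example"))
PROC_LOG = [
    ("alice", "2024-10-21T10:12:00", "QuickAssist.exe"),
    ("bob", "2024-10-21T10:30:00", "outlook.exe"),
    ("carol", "2024-10-21T11:00:00", "AnyDesk.exe"),
]

def email_bomb_victims(mail_log, window=timedelta(minutes=30), threshold=20):
    """Return {recipient: burst_start} for inboxes that received mail from at
    least `threshold` distinct senders inside a sliding time window."""
    by_rcpt = defaultdict(list)
    for rcpt, ts, sender in mail_log:
        by_rcpt[rcpt].append((datetime.fromisoformat(ts), sender))
    victims = {}
    for rcpt, msgs in by_rcpt.items():
        msgs.sort()
        j = 0  # left edge of the sliding window
        for i, (t, _) in enumerate(msgs):
            while msgs[j][0] < t - window:
                j += 1
            if len({s for _, s in msgs[j:i + 1]}) >= threshold:
                victims[rcpt] = msgs[j][0]
                break
    return victims

def correlate(mail_log, proc_log, lookahead=timedelta(hours=4)):
    """Flag users who start a remote-access tool within `lookahead` of an
    email bomb on their mailbox: the bombing-then-fake-IT-help sequence."""
    victims = email_bomb_victims(mail_log)
    alerts = []
    for user, ts, image in proc_log:
        if image.lower() not in REMOTE_TOOLS:
            continue
        burst = victims.get(f"{user}@corp.example")  # assumed user->mailbox map
        if burst and burst <= datetime.fromisoformat(ts) <= burst + lookahead:
            alerts.append((user, image, ts))
    return alerts
```

Carol's AnyDesk launch is not flagged because no preceding burst hit her mailbox; tune the window, threshold and lookahead to your own mail volume before relying on it.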

The hybrid model adopted by Black Basta demonstrates how ransomware groups are adapting their techniques to exploit both technological vulnerabilities and human psychology. Staying vigilant, educating teams, and implementing robust cybersecurity measures are essential in defending against these evolving threats.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067