Experts link the Black Basta ransomware operation to FIN7 cybercrime gang

Pierluigi Paganini November 03, 2022

Sentinel Labs found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

Security researchers at Sentinel Labs shared details about Black Basta‘s TTPs and assess it is highly likely the ransomware operation has ties with FIN7.

The experts analyzed tools used by the ransomware gang in attacks, some of them are custom tools, including EDR evasion tools. SentinelLabs believes the developer of these EDR evasion tools is, or was, a developer for FIN7 gang.

Further evidence linking the two includes IP addresses and specific TTPs (tactics, techniques, and procedures) used by FIN7 in early 2022 and seen months later in actual Black Basta attacks.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

On the other end, FIN7 is a Russian financially motivated group that has been active since at least 2015. It focused on deploying POS malware and launching targeted spear-phishing attacks against organizations worldwide.

The Sentinel Labs’s analysis revealed that Black Basta ransomware operators develop and maintain their own toolkit, they documented only collaboration with a limited and trusted set of affiliates.

“SentinelLabs began tracking Black Basta operations in early June after noticing overlaps between ostensibly different cases. Along with other researchers, we noted that Black Basta infections began with Qakbot delivered by email and macro-based MS Office documents, ISO+LNK droppers and .docx documents exploiting the MSDTC remote code execution vulnerability, CVE-2022-30190.” reads the report published by the experts. “One of the interesting initial access vectors we observed was an ISO dropper shipped as “Report Jul 14 39337.iso” that exploits a DLL hijacking in calc.exe.”

The report details Black Basta’s initial access activity, manual reconnaissance, lateral movements, privilege escalation techniques, and remote admin tools.

In order to weaken the security defenses installed on the target machine, Black Basta targets installed security solutions with specific batch scripts downloaded into the Windows directory.

The threat actors were disabling Windows Defender executing the following scripts:

\Windows\ILUg69ql1.bat
\Windows\ILUg69ql2.bat
\Windows\ILUg69ql3.bat

The attackers also used the same naming convention (ILUg69ql followed by a digit) for batch scripts found in different intrusions.

powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
powershell -ExecutionPolicy Bypass -command "Set-MpPreference -DisableRealtimeMonitoring 1"
powershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defende

The DisableAntiSpyware parameter allows disabling the Windows Defender Antivirus in order to deploy another security solution. The DisableRealtimeMonitoring is used to disable real time protection and then Uninstall-WindowsFeature -Name Windows-Defender to uninstall Windows Defender.

The experts noticed that starting from June 2022, Black Basta operators deployed a previously undocumented custom EDR evasion tool.

The researchers discovered a custom tool, WindefCheck.exe, which is an executable packed with UPX. The sample is a binary compiled with Visual Basic which displays a fake Windows Security GUI and tray icon with a “healthy” system status, even if Windows Defender and other system functionalities are disabled.

In the background, the malware disables Windows Defender, EDR, and antivirus tools before dropping the ransomware payload.

black basta custom tool Fi7

The researchers discovered multiple samples linked to the above tool and found one packed with an unknown packer, which was identified as ‘SocksBot. (aka BIRDDOG)’ It is a backdoor that was used by the FIN7 group since at least 2018, it also connects to a C2 IP address 45[.]67[.]229[.]148 belonging to “pq.hosting,” a bulletproof hosting provider used by FIN7 in its operations.

“We assess it is highly likely the BlackBasta ransomware operation has ties with FIN7. Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7.” concludes the report. “As we clarify the hand behind the elusive Black Basta ransomware operation, we aren’t surprised to see a familiar face behind this ambitious closed-door operation. While there are many new faces and diverse threats in the ransomware and double extortion space, we expect to see the existing professional criminal outfits putting their own spin on maximizing illicit profits in new ways.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FIN7)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment