Full Report
The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics, distributing a different set of payloads such as Zbot and DarkGate since early October 2024. "Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously," Rapid7
Analysis Summary
# Tool/Technique: Black Basta Ransomware Operation
## Overview
Black Basta is a ransomware group (also tracked as UNC4393) that emerged from the Conti ransomware lineage. The group is currently observed evolving its initial access and delivery methods, shifting towards extensive social engineering campaigns that use platforms like Microsoft Teams and commodity malware such as Zbot and DarkGate before deploying its custom ransomware components.
## Technical Details
- Type: Malware Family / Ransomware Operation
- Platform: Primarily Windows
- Capabilities: Diverse malware deployment (Zbot, DarkGate, custom tools), strong social engineering (initial contact, deceptive software installation requests), credential harvesting, environment reconnaissance, VPN credential theft, and custom ransomware execution.
- First Seen: Black Basta emerged around 2022 following the shutdown of Conti.
## MITRE ATT&CK Mapping
The execution of the observed attack chain covers multiple tactics:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Potentially via initial email bombing/malicious links/QR codes)
  - T1591 - Spearphishing for Information (Initial social engineering contact)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell (Implied via reverse shell/payload execution)
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (Implied by credential harvesting program)
  - T1555 - Credentials from Password Stores (Via custom credential harvesting)
- **TA0007 - Discovery**
  - T1087 - Account Discovery
  - T1018 - Remote System Discovery (Via COGSCAN reconnaissance)
- **TA0011 - Command and Control**
  - T1090 - Proxy
    - T1090.002 - External Proxy (Potentially using port forwarding/tunneling components like PORTYARD)
## Functionality
### Core Capabilities
- **Social Engineering & Initial Contact:** Email bombing users, making initial contact via Microsoft Teams impersonating IT support, and manipulating users into installing legitimate remote access software (AnyDesk, ScreenConnect, TeamViewer, Quick Assist).
- **Payload Delivery:** Utilizing Zbot (ZLoader) or DarkGate post-remote access to establish a foothold and conduct reconnaissance.
- **Reconnaissance:** Using the .NET assembly **COGSCAN** to gather a list of hosts available on the network.
- **Credential Theft:** Deploying a custom credential harvesting program and targeting VPN configuration files.
### Advanced Features
- **Custom Malware Suite:**
  - **KNOTWRAP:** A memory-only dropper written in C/C++ for executing payloads in memory.
  - **KNOTROCK:** A .NET utility used specifically to execute the final ransomware payload.
  - **DAWNCRY:** A memory-only dropper that decrypts an embedded resource using a hard-coded key.
  - **PORTYARD:** A tunneler that uses a custom binary protocol over TCP to establish connections to a hard-coded C2 server.
- **Lateral Movement/Initial Access Abuse:** Attempts observed leveraging the OpenSSH client to establish a reverse shell.
- **QR Code Social Engineering:** Sending malicious QR codes via chat to trick users into actions like adding a trusted mobile device (or accessing malicious infrastructure).
- **MFA Bypass Potential:** Aiming to steal credentials and VPN information so the actor can authenticate directly, potentially bypassing MFA.
## Indicators of Compromise
*Note: Specific IOCs (hashes, domains) were not provided in the source text, only tool names used.*
- File Hashes: [Not specified in the context]
- File Names: [Various, depending on the stage, e.g., installers disguised as Microsoft Teams or Google Chrome]
- Registry Keys: [Not specified in the context]
- Network Indicators: C2 infrastructure targeted by PORTYARD (Hard-coded address using custom binary protocol).
- Behavioral Indicators: Execution of Zbot/DarkGate, use of legitimate remote access tools (AnyDesk, Quick Assist abuse), OpenSSH reverse shell activity, high volume of email correspondence (email bombing).
## Associated Threat Actors
- Black Basta
- UNC4393
- Threat Actor tracked by Microsoft as Storm-1811 (for Quick Assist abuse)
## Detection Methods
- Signature-based detection: Signatures for known Black Basta custom malware (KNOTWRAP, KNOTROCK, DAWNCRY, PORTYARD, COGSCAN) and known commodity malware (Zbot/ZLoader, DarkGate).
- Behavioral detection: Monitoring for unusual installation of legitimate remote access tools initiated via chat applications (Teams), unusual C2 communication patterns matching PORTYARD’s custom protocol, and broad reconnaissance scans.
- YARA rules: [Recommended for detecting custom binary signatures within memory or on disk for the bespoke malware.]
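Two of the behavioral indicators above (remote access tools launched from a chat client, and email bombing of a single mailbox) can be expressed as simple detections over endpoint and mail telemetry. The following is an added example, not code from the source report or from Rapid7; the log schema, the process names (`ms-teams.exe`, `AnyDesk.exe`, `QuickAssist.exe`, ...) and all events are constructed assumptions.

```python
"""Toy behavioral detections for the Black Basta social-engineering chain.
Added example: schema, process names and events are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed image names for chat clients and the remote access tools named in the report.
CHAT_CLIENTS = {"ms-teams.exe", "teams.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "screenconnect.clientsetup.exe",
                       "teamviewer.exe", "quickassist.exe"}

# Constructed process-creation events (parent image -> child image).
PROCESS_EVENTS = [
    {"host": "WS01", "user": "jdoe", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "WS01", "user": "jdoe", "parent": "ms-teams.exe", "image": "AnyDesk.exe"},
    {"host": "WS02", "user": "asmith", "parent": "explorer.exe", "image": "TeamViewer.exe"},
    {"host": "WS03", "user": "bkim", "parent": "ms-teams.exe", "image": "QuickAssist.exe"},
]

def remote_access_from_chat(events):
    """Flag remote access tools spawned by a chat client: the 'IT support on
    Teams asked me to install AnyDesk/Quick Assist' pattern described above."""
    return [e for e in events
            if e["parent"].lower() in CHAT_CLIENTS
            and e["image"].lower() in REMOTE_ACCESS_TOOLS]

# Constructed inbound-mail log as (timestamp, recipient) pairs.
_T0 = datetime(2024, 10, 7, 9, 0, 0)
MAIL_EVENTS = (
    [(_T0 + timedelta(seconds=s), "jdoe@example.com") for s in range(0, 600, 4)]   # 150 mails / 10 min
    + [(_T0 + timedelta(minutes=m), "asmith@example.com") for m in range(0, 60, 10)]  # 6 mails / hour
)

def email_bomb_recipients(events, window=timedelta(minutes=10), threshold=50):
    """Return recipients who received more than `threshold` messages within any
    sliding `window`: the email-bombing stage that precedes the Teams contact."""
    by_rcpt = defaultdict(list)
    for ts, rcpt in events:
        by_rcpt[rcpt].append(ts)
    flagged = set()
    for rcpt, times in by_rcpt.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(rcpt)
                break
    return sorted(flagged)
```

Both detections are noisy on their own; correlating a bombed mailbox with a remote access tool launched from Teams for the same user within a short interval is what makes the alert meaningful.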
## Mitigation Strategies
- **Strong Verification:** Implement strict communication verification protocols, especially when staff (IT or support) request software installation or device configuration changes via chat platforms.
- **MFA Hardening:** Ensure VPNs and critical assets have strong, phishing-resistant Multi-Factor Authentication (MFA) where possible, to mitigate credential stuffing attempts.
- **Network Segmentation/Monitoring:** Monitor for anomalous connections initiated by OpenSSH clients or inbound C2 traffic across non-standard ports.
- **Application Whitelisting:** Restrict execution of unauthorized remote access software.
- **Security Awareness:** Train users against social engineering attacks via email bombing and direct chat impersonation.
## Related Tools/Techniques
- Zbot (ZLoader)
- DarkGate
- Akira (Rust variant observed using similar third-party Rust libraries)
- Elpaco (Mimic ransomware variant)
- CleanUpLoader (Used by Rhysida)
- QakBot (Previous malware used by Black Basta)