Rewterz Threat Alert – Black Basta Ransomware Group Targeting US Companies With Aggressive QakBot Campaign – Active IOCs

Severity

High

Analysis Summary

The ransomware gang Black Basta has been observed aggressively using the QakBot malware campaign to attack primarily US-based companies.

“In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network.”

Black Basta is a new ransomware that encrypts data stored on clients’ hard drives. It has been active since April 2022 and employs a double-extortion attack technique. In July 2022, the Black Basta ransomware group added a new capability that encrypts VMware ESXi virtual machines (VMs) on Linux servers, a new strain of the Black Basta ransomware that supports encryption of VMWare ESXi servers. They have been reporting on similar encryptors issued by a number of different groups, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive, among others.
Black Basta’s ransomware binary, like other Linux encryptors, will search for the /vmfs/volumes where virtual machines are kept on the compromised ESXi servers (if no such folders are found, the ransomware exits).
The QakBot malware is being used by the Black Basta ransomware gang in its most recent operation to establish an initial point of entry and migrate laterally within an organization’s network.

QBot, often known as QakBot, is modular information malware. It has been operational since 2007. This banking Trojan, QakBot steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. Qakbot can propagate to other computers on the same network and allow it to mask its existence and build persistence on infected computers. 
After successfully infecting an environment, QakBot installs a backdoor that allows the threat actor to release additional malware, specifically ransomware.

In the recent campaign, the attack chain starts with a spear-phishing email that contains a malicious disk image file. When this file is viewed, it launches Qbot, which in turn establishes a connection with a remote server to download the Cobalt Strike payload.

source:

More than 10 different clients have been observed to be impacted by this latest effort in the past two weeks.

“The threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours,” 

Researchers discovered two instances in which the intrusions not only deploy the ransomware but also prevented the victims from accessing their networks by disabling the DNS service in a bid to make the process of recovery tougher.

Black Basta is still a very active ransomware variant. In October 2022, the gang successfully targeted 25 organizations, placing it behind LockBit, Karakurt, and BlackCat ransomware groups.

‘Given all of these observations, we recommend that security and detection teams keep an eye out for this campaign since it can quickly lead to severe IT infrastructure damage’, they conclude.

Impact

• Financial Theft
• Information Theft
• File Encryption

Indicators of Compromise

Domain Name

• jesofidiwi.com
• dimingol.com
• tevokaxol.com
• vopaxafi.com

IP

108.177.235.29
108.62.118.197

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicator of compromise (IOCs) in your environment utilizing your respective security controls
• Disable auto-mounting of disk image file.
• Engage Incident Response
• Maintain cyber hygiene by updating your anti-virus software and implementing patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders