The ransomware gang Black Basta has been observed aggressively using the QakBot malware campaign to attack primarily US-based companies.
“In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network.”
Black Basta is a new ransomware that encrypts data stored on victims’ hard drives. It has been active since April 2022 and employs a double-extortion attack technique. In July 2022, the Black Basta ransomware group added a new strain that encrypts VMware ESXi virtual machines (VMs) on Linux servers. Similar ESXi encryptors have been reported from a number of other groups, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive, among others.
Black Basta’s ransomware binary, like other Linux encryptors, searches for the /vmfs/volumes directory where virtual machines are stored on the compromised ESXi servers (if no such folder is found, the ransomware exits).
In its most recent operation, the Black Basta ransomware gang is using the QakBot malware to establish an initial point of entry and move laterally within an organization’s network.
QBot, also known as QakBot, is modular information-stealing malware that has been operational since 2007. It is a banking Trojan that steals financial data from infected systems and also acts as a loader, using command-and-control (C2) servers to target and download additional payloads. QakBot can propagate to other computers on the same network, mask its presence, and establish persistence on infected machines.
After successfully infecting an environment, QakBot installs a backdoor that allows the threat actor to release additional malware, specifically ransomware.
In the recent campaign, the attack chain starts with a spear-phishing email that contains a malicious disk image file. When this file is opened, it launches Qbot, which in turn establishes a connection with a remote server to download the Cobalt Strike payload.
More than 10 different clients have been observed to be impacted by this latest effort in the past two weeks.
“The threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.”
Researchers discovered two instances in which the intrusions not only deployed the ransomware but also prevented the victims from accessing their networks by disabling the DNS service, in a bid to make recovery harder. The file names associated with the campaign include fwpolicyiomgr.dll, Aficionado.tmp (Qbot loader), plugin_payload54.dll, Plugin_payload55.dll, and cob_54.dll.
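The following detection sketch is an added example, not code from the article or the researchers. It scans constructed endpoint log lines for the campaign file names listed above and for a DNS service stop event; the log line layout (`timestamp host source message`) and the "entered the stopped state" service message wording are assumptions made for the example.

```python
import re
from typing import Dict, List

# File names associated with the campaign, as listed in the article (lower-cased).
CAMPAIGN_FILES = {
    "fwpolicyiomgr.dll",
    "aficionado.tmp",
    "plugin_payload54.dll",
    "plugin_payload55.dll",
    "cob_54.dll",
}

# Assumed log line layout (constructed for this example):
#   <ISO timestamp> <host> <source> <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<msg>.*)$")

# Assumed wording of a service-stop message for the DNS Server service.
DNS_STOP_RE = re.compile(r"\bDNS( Server)? service entered the stopped state", re.I)

# Windows-style absolute paths without embedded spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per campaign file name or DNS service stop seen in the lines."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        # Compare only the last path component, case-insensitively (Plugin_payload55.dll vs plugin_payload55.dll).
        for path in PATH_RE.findall(msg):
            name = path.rsplit("\\", 1)[-1].lower()
            if name in CAMPAIGN_FILES:
                alerts.append({"ts": ts, "host": host, "rule": "black_basta_qakbot_file", "indicator": name})
        if DNS_STOP_RE.search(msg):
            alerts.append({"ts": ts, "host": host, "rule": "dns_service_stopped", "indicator": "DNS Server"})
    return alerts


# Constructed sample lines (not real telemetry).
SAMPLE_LOG = [
    "2022-11-20T08:01:12Z ws-17 Sysmon ImageLoad Image=C:\\Windows\\System32\\rundll32.exe ImageLoaded=C:\\Users\\jdoe\\AppData\\Local\\Temp\\Aficionado.tmp",
    "2022-11-20T08:01:40Z ws-17 Sysmon FileCreate TargetFilename=C:\\Users\\jdoe\\AppData\\Roaming\\Plugin_payload55.dll",
    "2022-11-20T08:05:03Z ws-17 Sysmon FileCreate TargetFilename=C:\\Temp\\report.pdf",
    "2022-11-20T19:42:10Z dc-01 ServiceControlManager The DNS Server service entered the stopped state.",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A DNS service stop on a domain controller shortly after a match on one of the loader file names is the pairing worth escalating, since the article ties the DNS outage to the ransomware deployment stage rather than to initial access.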
Black Basta is still a very active ransomware variant. In October 2022, the gang successfully targeted 25 organizations, placing it behind LockBit, Karakurt, and BlackCat ransomware groups.
“Given all of these observations, we recommend that security and detection teams keep an eye out for this campaign since it can quickly lead to severe IT infrastructure damage,” the researchers conclude.