  • Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware

    alf9872000
    Companies based in the U.S. have been at the receiving end of an "aggressive" Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks.


    "In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization's network," Cybereason researchers Joakim Kandefelt and Danielle Frankel said in a report shared with The Hacker News.


    Black Basta, which emerged in April 2022, follows the tried-and-tested double-extortion approach: it steals sensitive data from targeted companies and uses it as leverage to extort cryptocurrency payments by threatening to release the stolen information.


    This is not the first time the ransomware crew has been observed using Qakbot (aka QBot, QuackBot, or Pinkslipbot). Last month, Trend Micro disclosed similar attacks that entailed the use of Qakbot to deliver the Brute Ratel C4 framework, which, in turn, was leveraged to drop Cobalt Strike.

    The intrusion activity observed by Cybereason cuts out Brute Ratel C4 from the equation, instead using Qakbot to directly distribute Cobalt Strike on several machines in the infected environment.


    The attack chain commences with a spear-phishing email bearing a malicious disk image file that, when opened, kickstarts the execution of Qbot, which, for its part, connects to a remote server to retrieve the Cobalt Strike payload.

    At this stage, credential harvesting and lateral movement activities are carried out to place the red team framework on several servers, before breaching as many endpoints as possible using the collected passwords and launching the Black Basta ransomware.


    "The threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours," the researchers noted, adding over 10 different customers were impacted by the fresh set of attacks in the past two weeks.


    In two instances spotted by the Israeli cybersecurity company, the intrusions not only deployed the ransomware but also locked the victims out of their networks by disabling the DNS service in a bid to make recovery more challenging.


    Black Basta remains a highly active ransomware actor. According to data gathered by Malwarebytes, the ransomware cartel successfully targeted 25 companies in October 2022 alone, putting it behind only LockBit, Karakurt, and BlackCat.
