Jump to content
  • Black Basta ransomware gang linked to the FIN7 hacking group

    alf9872000

    • 336 views
    • 4 minutes
     Share


    • 336 views
    • 4 minutes

    Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak."

     

    When analyzing tools used by the ransomware gang in attacks, the researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022.

     

    Further evidence linking the two includes IP addresses and specific TTPs (tactics, techniques, and procedures) used by FIN7 in early 2022 and seen months later in actual Black Basta attacks.

    Background

    FIN7 is a Russian-speaking, financially motivated hacking group that has been active since at least 2015, deploying POS malware and launching targeted spear-phishing attacks against hundreds of firms.

     

    In 2020, the group started exploring the ransomware space, and by October 2021, it was revealed that it had set up its own network intrusion operation.

     

    A 2022 Mandiant report explained that FIN7 was working with various ransomware gangs, including Maze, Ryuk, Darkside, and BlackCat/ALPHV, apparently carrying out the initial compromise.

     

    Black Basta is a ransomware operation launched in April 2022, showing signs of previous experience by immediately announcing multiple high-profile victims and convincing many analysts it was a Conti rebrand, or at least contained members from the now-shutdown operation.

     

    The new ransomware operation has kept a closed profile, not promoting itself as a ransomware-as-a-service or recruiting affiliates, indicating it may be a private group.

    FIN7 developer

    Starting from June 2022 and onwards, Black Basta was observed deploying a custom EDR evasion tool used exclusively by its members.

     

    By digging deeper into this tool, Sentinel Labs found an executable, "WindefCheck.exe," that displays a fake Windows Security GUI and tray icon that gives users the illusion that Windows Defender is working normally.

     

    In the background, though, the malware disables Windows Defender, EDR, and antivirus tools, ensuring that nothing will jeopardize the data exfiltration and encryption process.

     

    This tool is illustrated below, where the top image shows the fake Windows Security screen, with various security settings appearing to be enabled and protecting the device. 

     

    However, the screen underneath shows the actual status of these security settings being disabled.

     

    fake-display.png

    Tool showing fake Windows security screen, with real one underneath (Sentinel Labs)

     

    The analysts retrieved more samples linked to that tool and found one packed with an unknown packer, which was identified as ‘SocksBot,’ a backdoor that FIN 7 has been using and developing since at least 2018.

     

    Furthermore, the backdoor connects to a C2 IP address belonging to "pq.hosting," a bulletproof hosting provider FIN7 trusts and uses regularly.

     

    “We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups,” explains the report by Sentinel Labs.

     

    Additional evidence of a connection between FIN7 and Black Basta concerns FIN7’s early 2022 experimentation with Cobalt Strike and Meterpreter C2 frameworks in simulated malware-dropping attacks.

     

    packer-comparison.png

    Cobalt Strike beacon and SocksBot sample packed with the same packer (Sentinel Labs)

     

    The same activity using the exact custom tools, plugins, and delivery methods was observed many months later in actual attacks by Black Basta.

     

    While these technical similarities point to Fin7 members being part of the Black Basta operation, it is still unclear whether they are just devs for the group, operators, or affiliates using their own tools during attacks.

     

    For those interested in learning more about Black Basta's TTPs, researcher Max Malyutin also published a report on Monday detailing how QBot infections and AV evasion are linked to the ultimate deployment of the group's ransomware.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...