A newcomer to the ransomware scene used a 14-year-old malware family to help it maintain persistence on a targeted network in a recent attack, researchers have found.
The new cyber-criminal group used the ever-evolving info-stealing trojan to move laterally across the network, the researchers report.
Black Basta, a ransomware group that emerged in April, used Qbot (a.k.a. Qakbot) to move laterally across a compromised network, researchers from security consulting firm NCC Group wrote in a blog post published this week. The researchers also documented in detail how Black Basta operates.
“Qakbot was the primary method utilised by the threat actor to maintain their presence on the network,” NCC Group’s Ross Inman and Peter Gurney wrote in the post.
Qbot emerged in 2008 as a Windows-based info-stealing trojan capable of keylogging, exfiltrating cookies, and lifting online banking details and other credentials.
It has evolved continuously since then into sophisticated malware with detection-evasion and context-aware delivery tactics, as well as phishing capabilities that include e-mail hijacking, among others.
Black Basta, by contrast, is a relative newcomer to cyber-crime: the first reports of an attack by the group appeared only a few months ago.
Like many of its peers, Black Basta runs double-extortion attacks, in which data is first taken from the network before the ransomware is deployed. The group then threatens to leak the stolen data on a Tor site it maintains for that purpose.
Qbot in the Mix
It is not unusual for ransomware groups to use Qbot for the initial compromise of a network. Black Basta’s use of it for lateral movement, however, appears to be unique, the researchers stated.
“The seriousness and efficiency of the collaboration cannot be underestimated,” observed Garret Grajek, CEO of security firm You Attest, who added that the finding also makes it harder for organisations to defend themselves.
NCC Group picked up the attack when it noticed a text file named pc_list.txt in the C:\Windows\ folder on two compromised domain controllers, the researchers revealed.
“Both contained a list of internal IP addresses of all the systems on the network,” researchers wrote. “This was to supply the threat actor with a list of IP addresses to target when deploying the ransomware.”
Once the ransomware group had gained access to the network and placed a PsExec.exe in the C:\Windows\ folder, it used Qbot to remotely create a temporary service on a target host; the service was configured to execute a Qakbot DLL using regsvr32.exe, the researchers wrote.
For lateral movement, Black Basta then used RDP, deploying a batch file called rdp.bat that contained the commands needed to enable RDP logons. This let the threat actor establish remote desktop sessions on compromised hosts, even ones where RDP had originally been disabled, the researchers explained.
Evasion Tactics & Ransomware Execution
In their investigation of the incident the researchers were able to document specific characteristics of a Black Basta attack, including how the group evades detection and how it executes the ransomware on compromised systems.
The group begins its destructive activity on a network before it deploys any ransomware: it establishes RDP sessions to Hyper-V servers, modifies the configuration of the Veeam backup jobs and deletes the backups of the hosted virtual machines, the researchers observed.
It then uses WMI (Windows Management Instrumentation) to push the ransomware out to the targeted hosts.
During the attack, two further steps were taken to evade detection and disable Windows Defender.
One was to deploy the batch script d.bat locally on compromised hosts to run PowerShell commands; the other was to create a GPO (Group Policy Object) on a compromised domain controller.
The GPO made changes to the Windows Registry of domain-joined hosts to switch off protections, the researchers outlined.
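As an added example (not NCC Group’s code and not from the original article), the following Python hunt rules cover the lateral-movement stage described earlier (a PsExec service, a temporary service that runs regsvr32.exe with a DLL, RDP enabled through a batch file such as rdp.bat) and the two Defender-disabling steps just described (PowerShell run from a local script, and registry changes pushed by GPO). The events are constructed, normalised Windows telemetry (System log event 7045 for service installs, Sysmon event 13 for registry value sets and event 1 for process creation); the hostnames, the random service name, the DLL path and the exact commands are assumptions, since the article does not give them.

```python
"""Hunt rules for the Black Basta tradecraft described above, run over
constructed sample events. Not NCC Group's code; sample data is invented."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Each event is a normalised dict:
#   7045 = System log "service installed", 13 = Sysmon registry value set,
#   1    = Sysmon process create. Hosts, service name, DLL path are assumptions.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "FILESRV01", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 7045, "host": "FILESRV01", "service": "ksnjbmdv",
     "image": r'regsvr32.exe -s "C:\ProgramData\q.dll"'},
    {"id": 7045, "host": "FILESRV01", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},                       # benign
    {"id": 13, "host": "FILESRV01",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},                                   # RDP enabled
    {"id": 13, "host": "WKS07",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "host": "WKS07",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "host": "WKS07",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -ExecutionPolicy Bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "host": "WKS07", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},    # benign
]

# Defender policy values that a GPO-pushed registry change would flip to 1 (lowercased path prefix).
DEFENDER_POLICY_PREFIX = "\\policies\\microsoft\\windows defender\\"
DEFENDER_DISABLE_VALUES = {"DisableAntiSpyware", "DisableRealtimeMonitoring",
                           "DisableBehaviorMonitoring", "DisableIOAVProtection"}


def rule_psexec_service(ev):
    """7045: PsExec installs its PSEXESVC service on the target before running a command."""
    if ev["id"] == 7045 and (ev["service"].upper() == "PSEXESVC"
                             or ev["image"].upper().endswith("PSEXESVC.EXE")):
        return ("psexec_service", "PsExec remote-execution service installed")
    return None


def rule_regsvr32_service(ev):
    """7045: a service whose image path is regsvr32.exe loading a DLL (Qakbot-style temporary service)."""
    if ev["id"] == 7045 and re.search(r"regsvr32(\.exe)?\b.*\.dll", ev["image"], re.I):
        return ("regsvr32_service", f"service '{ev['service']}' runs regsvr32 with a DLL")
    return None


def rule_rdp_enabled(ev):
    """13: fDenyTSConnections set to 0, i.e. RDP logons switched on (what rdp.bat achieves)."""
    if (ev["id"] == 13
            and ev["target"].lower().endswith("\\terminal server\\fdenytsconnections")
            and "0x00000000" in ev["details"]):
        return ("rdp_enabled", "fDenyTSConnections set to 0 (RDP logons enabled)")
    return None


def rule_defender_policy(ev):
    """13: a Defender policy value set to 1 under the policy hive, as a GPO would do."""
    if ev["id"] == 13 and DEFENDER_POLICY_PREFIX in ev["target"].lower():
        name = ev["target"].rsplit("\\", 1)[1]
        if name in DEFENDER_DISABLE_VALUES and "0x00000001" in ev["details"]:
            return ("defender_policy", f"{name}=1 under the Defender policy key")
    return None


def rule_defender_powershell(ev):
    """1: Set-MpPreference -Disable<Feature> $true from a process command line."""
    if ev["id"] == 1 and re.search(r"Set-MpPreference\s.*-Disable\w+\s+\$true",
                                   ev.get("cmdline", ""), re.I):
        return ("defender_powershell", "Set-MpPreference used to switch off a Defender feature")
    return None


RULES = [rule_psexec_service, rule_regsvr32_service, rule_rdp_enabled,
         rule_defender_policy, rule_defender_powershell]


def hunt(events):
    """Return (host, rule_name, description) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((ev["host"], hit[0], hit[1]))
    return hits


def hosts_by_stage(hits):
    """Distinct rule names per host: a host that shows several stages of the chain stands out."""
    stages = defaultdict(set)
    for host, rule_name, _ in hits:
        stages[host].add(rule_name)
    return dict(stages)


if __name__ == "__main__":
    for host, rule_name, desc in hunt(SAMPLE_EVENTS):
        print(f"{host:10} {rule_name:20} {desc}")
    print(hosts_by_stage(hunt(SAMPLE_EVENTS)))
```

The per-host roll-up is the useful part: a single regsvr32 service or one registry write can have benign explanations, but a host that shows a PsExec service, a regsvr32-backed temporary service and RDP being switched on in one window matches the chain the article describes and should be escalated.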
Once deployed, the Black Basta ransomware itself, like many ransomware families, does not encrypt each file in full, the researchers found. Instead, it “only partially encrypts the file to increase the speed and efficiency of encryption,” encrypting 64-byte blocks of the file separated by 128-byte gaps that are left untouched, they wrote.
An RSA-encrypted key generated earlier and the value 0x00020000 are appended to the end of each modified file, to be used later during decryption, the researchers explained.
After a file has been encrypted, its extension is changed to .basta, which causes it to be displayed with the icon file the ransomware dropped earlier, they concluded.
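To make the layout concrete, here is an added Python model of the partial-encryption scheme described above; it is not Black Basta’s code and not from the article. It takes the page’s numbers (64-byte encrypted blocks, 128-byte gaps, an RSA-encrypted key and the value 0x00020000 appended at the end) and fills in what the page leaves open as labelled assumptions: the first block is taken to start at offset 0, the trailer is stored as a 4-byte little-endian value, the RSA-wrapped key blob is taken to be 256 bytes, and a SHA-512-based XOR keystream stands in for the actual cipher, which the page does not name. What the model shows is which byte ranges of a .basta file remain in the clear, which is what an analyst wants to know when triaging partially encrypted files.

```python
"""Model of the intermittent-encryption layout described above.
Constants marked 'page' come from the article; those marked 'assumption' do not."""
import hashlib

BLOCK = 64                                    # page: bytes per encrypted block
GAP = 128                                     # page: bytes left in the clear between blocks
TRAILER = (0x00020000).to_bytes(4, "little")  # page gives the value; 4-byte LE is an assumption
KEY_BLOB_LEN = 256                            # assumption: RSA-2048 ciphertext of the per-file key
# assumption: the first encrypted block starts at file offset 0


def encrypted_ranges(length: int) -> list:
    """Half-open [start, end) ranges of the file body that get encrypted."""
    ranges, pos = [], 0
    while pos < length:
        ranges.append((pos, min(pos + BLOCK, length)))
        pos += BLOCK + GAP
    return ranges


def plaintext_ranges(length: int) -> list:
    """The complement: byte ranges the ransomware never touches."""
    ranges, prev_end = [], 0
    for start, end in encrypted_ranges(length):
        if start > prev_end:
            ranges.append((prev_end, start))
        prev_end = end
    if prev_end < length:
        ranges.append((prev_end, length))
    return ranges


def clear_fraction(length: int) -> float:
    """Share of the body still readable without any key."""
    return sum(e - s for s, e in plaintext_ranges(length)) / length


def _xor_blocks(body: bytes, file_key: bytes) -> bytes:
    """Stand-in cipher (assumption, not the malware's): each 64-byte block is XORed
    with SHA-512(file_key || block offset). XOR is its own inverse, so the same
    function encrypts and decrypts."""
    buf = bytearray(body)
    for start, end in encrypted_ranges(len(buf)):
        ks = hashlib.sha512(file_key + start.to_bytes(8, "little")).digest()  # 64 bytes = one block
        for i in range(start, end):
            buf[i] ^= ks[i - start]
    return bytes(buf)


def build_encrypted_file(plaintext: bytes, file_key: bytes, rsa_wrapped_key: bytes) -> bytes:
    """Body with the 64/128 pattern applied, then the RSA-wrapped key, then the 0x00020000 trailer."""
    if len(rsa_wrapped_key) != KEY_BLOB_LEN:
        raise ValueError("wrapped key must be KEY_BLOB_LEN bytes")
    return _xor_blocks(plaintext, file_key) + rsa_wrapped_key + TRAILER


def parse_footer(blob: bytes):
    """Split a .basta-style blob into (body, rsa_wrapped_key); rejects files without the trailer."""
    if not blob.endswith(TRAILER):
        raise ValueError("no 0x00020000 trailer: not the layout described")
    body = blob[:-len(TRAILER)]
    if len(body) < KEY_BLOB_LEN:
        raise ValueError("too short to carry the RSA-wrapped key")
    return body[:-KEY_BLOB_LEN], body[-KEY_BLOB_LEN:]


def decrypt_with_file_key(blob: bytes, file_key: bytes) -> bytes:
    """What a decryptor does once the per-file key has been unwrapped with the RSA private key."""
    body, _ = parse_footer(blob)
    return _xor_blocks(body, file_key)


def clear_fragments(blob: bytes) -> list:
    """(offset, bytes) fragments that are recoverable from the file without any key."""
    body, _ = parse_footer(blob)
    return [(s, body[s:e]) for s, e in plaintext_ranges(len(body))]


# Constructed sample input (not a real file, key or RSA ciphertext)
SAMPLE_PLAINTEXT = bytes(range(256)) * 2           # 512 bytes
SAMPLE_FILE_KEY = bytes.fromhex("11" * 32)
SAMPLE_WRAPPED_KEY = b"\xaa" * KEY_BLOB_LEN        # placeholder for the RSA-encrypted key

if __name__ == "__main__":
    blob = build_encrypted_file(SAMPLE_PLAINTEXT, SAMPLE_FILE_KEY, SAMPLE_WRAPPED_KEY)
    print("encrypted ranges:", encrypted_ranges(len(SAMPLE_PLAINTEXT)))
    print("clear fraction of a 1 MiB file: %.3f" % clear_fraction(1 << 20))
    print("clear fragments:", [(off, len(frag)) for off, frag in clear_fragments(blob)])
```

Because only 64 of every 192 bytes are touched, roughly two thirds of a large file stays in the clear. Under the offset-0 assumption the file’s magic bytes and header are lost, but the clear fragments are still enough to identify what a file contained and to recover text or log content without the key, which is worth checking before assuming everything on an affected host is gone.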