Researchers say Black Basta is dropping QBot malware – also called QakBot – in a widespread ransomware campaign targeting mostly U.S.-based companies.
In the group’s latest campaign, attackers are again using QBot to install a backdoor and then drop in encryption malware and other malicious code, according to Cybereason.
The Black Basta ransomware gang surfaced in April 2022 and was observed using QBot malware to create an initial point of entry and move laterally within the targeted organization’s network.
QBot malware is a banking Trojan, primarily designed to steal banking data, including browser information, keystrokes and credentials. Its previous targets include JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo.
The latest campaign, tracked by Cybereason’s global SOC, uncovered that Black Basta is specifically targeting organizations in the United States, Canada, the United Kingdom, Australia and New Zealand.
“The group is known for using double-extortion tactics. They steal sensitive files and information from victims and later use it to extort victims by threatening to publish the data unless the ransom is paid,” researchers say.
In one example, researchers describe how a QBot infection resulted in multiple key machines loading Cobalt Strike, which triggered the deployment of Black Basta ransomware. Also, threat actors locked the victim out of the network by disabling DNS services, making recovery more difficult.
“With the threat actors attempting to deploy the ransomware within approximately 12 hours of the initial breach, I’d classify this campaign as a real risk to companies,” Loïc Castel, incident response investigator at Cybereason, tells Information Security Media Group.
Castel says the short time frame between this QBot campaign and the deployment of Black Basta shows a link between QBot operators and the Black Basta ransomware-as-a-service group.
“It was previously understood that BlackBasta operatives used to buy access to networks and then deploy their ransomware, and that isn’t the case in this campaign due to the timeline of events,” Castel tells ISMG.
Multiple infections of Black Basta using QBot were observed in early November. They began with a spam/phishing email containing malicious URL links. QBot was the primary way for Black Basta to maintain a presence on victims’ networks and disable their security mechanisms, such as EDR and antivirus programs.
Deployment of Black Basta
The attack typically begins with a phishing email that infects targeted machines and expands control to the network to gather information and credentials to further deploy Black Basta ransomware into as many systems as possible.
The threat actor also scans for the EDR installed on the machine, through the wmic.exe executable. The hacker manually spawns a cmd.exe process on one server and then tries to uninstall the EDR/antivirus.
“It is likely the threat actor was looking for machines without a sensor to deploy additional malicious tools without being detected,” the researchers say.
Once the ransomware is deployed, it generates a ransom note file, named readme.txt, in each encrypted folder of every infected machine. Once created, the actual file encryption process executes, files on each machine are encrypted and a random extension is added to each file.