Researchers have observed the threat actor behind the notorious Black Basta ransomware using the Qakbot trojan to deploy the Brute Ratel C4 framework in several attacks, repeatedly targeting networks with Qakbot, Brute Ratel, and Cobalt Strike. The findings were revealed in a report shared by Trend Micro.
The report follows the observation that the nascent adversary simulation software, injected into victims' systems via a Qakbot infection, was being abused. The infiltration initially started with a simple phishing email carrying a ZIP archive, with Cobalt Strike then used for lateral movement in the later phase of the attack.
Black Basta exploits penetration tools
The Black Basta ransomware gang wasted no time claiming its place in the underground hacking forums and upgraded itself with strategies and toolsets. The group operated as ransomware-as-a-service (RaaS) and was spotted for the first time in April 2022 by ransomware researcher Michael Gillespie.
The ransomware gang used products and services originally designed for conducting penetration testing. The tools' ability to remotely control devices and networks has, however, backfired: threat actors are now equally interested in getting their hands on pen-testing tools.
Though this is not the first time threat actors have used penetration testing tools for hacking, the Black Basta ransomware gang goes above and beyond in refining its tactics by employing multiple tools to infiltrate an organization. The attackers aim to weaken the company's cybersecurity posture and then take over its data using encryption.
Since last month, several malware sellers in underground markets have been selling a cracked version of Brute Ratel C4, along with Qakbot, which has been active as an information stealer and banking trojan since 2007. The hackers appear to have used all of these resources to attack their victims, with Brute Ratel C4 and Qakbot as their flagship toolsets for infiltrating organizations.
Technical analysis of the attack
As part of the Qakbot infection chain that retrieved Brute Ratel and Cobalt Strike, the threat actors ran automated reconnaissance using built-in tools such as arp, ipconfig, nslookup, netstat, and whoami.
Technical analysis of the ZIP file revealed that it contained an ISO file, which fetches the Qakbot payload via an LNK file. According to the Trend Micro report, this limitation stopped the threat actor from spreading more malware in the victim's system.
On further evaluation of the attacks, the cybersecurity company spotted a Qakbot execution chain in which a ZIP file is delivered to victim computers via HTML smuggling, leading to a Brute Ratel C4 attack. According to the researchers, the Black Basta ransomware group is linked to the Qakbot-to-Brute Ratel-to-Cobalt Strike kill chain, based on infrastructure and overlapping TTPs found in Black Basta attacks.
The findings are consistent with a recent rise in Qakbot attacks using various tactics, including email thread hijacking, DLL side-loading, and email attachments. The latter involved gathering emails in bulk from successful ProxyLogon attacks against Microsoft Exchange servers.
Black Basta Attacked 50+ firms in 2022
On June 29, 2022, threat research company Hive Pro shared its advisory on the Black Basta ransomware gang, marking it at threat level Red. The advisory claims that Black Basta ransomware has attacked more than 50 firms in 2022, even though it only appeared in mid-2022.
The advisory also described the attack style of the threat actors, who use the well-known double extortion method following the Qakbot infection. Once executed, the ransomware appends a .basta extension to the encrypted files, making it difficult for the system administrator to use those files again, and then deletes the volume shadow copies of the system using the vssadmin.exe executable.
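Two of the behaviours described in this article are easy to spot in process-creation telemetry: the burst of built-in reconnaissance commands (arp, ipconfig, nslookup, netstat, whoami) run after the Qakbot infection, and the vssadmin.exe shadow copy deletion that precedes encryption. The following detection logic is an added example written for this page; it is not code from Trend Micro, Hive Pro, or the article. It assumes a simplified newline-delimited JSON feed of process starts (timestamp, host, image path, command line); the sample events, hostnames, the two-minute window and the four-tool threshold are all constructed for illustration.

```python
"""Flag two behaviours on constructed Windows process-creation events:
a burst of built-in reconnaissance commands from one host, and shadow
copy deletion via vssadmin.exe. Added example, not the article's code."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

RECON_TOOLS = {"arp.exe", "ipconfig.exe", "nslookup.exe", "netstat.exe", "whoami.exe"}
RECON_WINDOW = timedelta(minutes=2)   # distinct recon tools must land inside this window
RECON_THRESHOLD = 4                   # ...and at least this many of them (assumed tuning)

# Constructed sample telemetry (not real logs): one JSON object per process start.
SAMPLE_LOG = r"""
{"ts": "2022-10-12T09:14:02", "host": "WS-17", "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami /all"}
{"ts": "2022-10-12T09:14:05", "host": "WS-17", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"}
{"ts": "2022-10-12T09:14:09", "host": "WS-17", "image": "C:\\Windows\\System32\\ARP.EXE", "cmdline": "arp -a"}
{"ts": "2022-10-12T09:14:15", "host": "WS-17", "image": "C:\\Windows\\System32\\NETSTAT.EXE", "cmdline": "netstat -ano"}
{"ts": "2022-10-12T09:14:20", "host": "WS-17", "image": "C:\\Windows\\System32\\nslookup.exe", "cmdline": "nslookup corp-dc01"}
{"ts": "2022-10-12T10:00:00", "host": "WS-22", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig"}
{"ts": "2022-10-12T10:05:30", "host": "WS-22", "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami"}
{"ts": "2022-10-12T10:20:11", "host": "SRV-01", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"ts": "2022-10-12T10:31:44", "host": "WS-22", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
"""


def image_name(path):
    """Return the lower-cased executable name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(text):
    """Parse newline-delimited JSON and return the events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def is_shadow_copy_deletion(event):
    """True for vssadmin.exe run with 'delete shadows'; listing shadows is benign admin use."""
    if image_name(event["image"]) != "vssadmin.exe":
        return False
    args = event["cmdline"].lower().split()
    return "delete" in args and "shadows" in args


def detect(events):
    """Run both rules over time-ordered events and return the alerts raised."""
    alerts = []
    recent = defaultdict(list)   # host -> [(ts, tool)] still inside the sliding window
    for event in events:
        name = image_name(event["image"])
        if is_shadow_copy_deletion(event):
            alerts.append({"rule": "shadow_copy_deletion", "host": event["host"],
                           "ts": event["ts"].isoformat(), "cmdline": event["cmdline"]})
        if name in RECON_TOOLS:
            window = [(ts, t) for ts, t in recent[event["host"]]
                      if event["ts"] - ts <= RECON_WINDOW]
            before = {t for _, t in window}
            window.append((event["ts"], name))
            after = {t for _, t in window}
            recent[event["host"]] = window
            # Alert once, on the event that pushes the host over the threshold,
            # so a fifth tool in the same burst does not raise a duplicate.
            if len(after) >= RECON_THRESHOLD > len(before):
                alerts.append({"rule": "recon_burst", "host": event["host"],
                               "ts": event["ts"].isoformat(), "tools": sorted(after)})
    return alerts


def run_sample():
    """Apply the rules to the constructed sample log."""
    return detect(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample feed this raises one recon_burst alert for WS-17 (at the fourth distinct tool, not again at the fifth) and one shadow_copy_deletion alert for WS-22; the isolated ipconfig and whoami on WS-22 and the `vssadmin list shadows` on SRV-01 stay quiet. In a real deployment the window and threshold would be tuned against the environment's own admin and scripting baseline.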
The Black Basta ransomware gang has attacked companies in Australia, Canada, New Zealand, the United Kingdom and the United States. Its targets include companies in sectors such as manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, and more.