Cybersecurity researchers speculate that the Black Basta ransomware group and FIN7 may be interlinked due to the similarity between the tools used by them. Based on the evidence, the security experts suggest that the custom defense impairment tool shares the same developer. Moreover, the identical BIRDDOG backdoor connecting to a C2 server at 45[.]67[.]229[.]148 was also used by FIN7 in multiple operations.
Modus Operandi of Black Basta
Black Basta often uses an obfuscated version of the AdFind tool called AF.exe. and then connects to the victim through a Qakbot backdoor. Within the root drive C:\ directory, files are named Intel or Dell. It then seeks local and domain-level privilege escalation using vulnerabilities, including ZeroLogon, NoPac, and PrintNightmare. Following a lateral movement, it deploys batch scripts, impacting different machines and leading to the impairment of the defense system.
Black Basta disabled the Windows Defender running the following scripts:
\Windows\ILUg69ql1.bat
\Windows\ILUg69ql2.bat
\Windows\ILUg69ql3.bat
Details of the similar backdoor used by Black Basta and FIN7 group
According to a research report by cybersecurity firm SentinelOne, the financially motivated group FIN7 also called Carbanak, showed similarities in its use of SocksBot or BIRDDOG, a backdoor employed by the Black Basta group. This was found after unpacking the unknown packer with the IP address 45[.]67[.]229[.]148, which was hosted on pq.hosting. Pq.hosting is a hosting provider used by both Black Basta and FIN7.
Detailed research of the samples points towards the conclusion that the updated packer used to pack the BIRDDOG backdoor connected to the packer “dll_crypt_86 and both are part of the crypt tool. Moreover, the samples sent to VirusTotal that were compiled on February 11, 2022, show that it was put together only two months before the BIRDDOG sample. VirusTotal is the free, URL and malware scanning service.
While FIN7 has been active since 2012, Black Basta, which needs administrative rights to execute, has been in action since April 2022. As per reports, Black Basta has been rebranding itself and claimed to attack over 90 organizations using its custom toolset.