Researchers Study Evolution of Ransomware Gang UNC4393’s Campaigns After QAKBOT Takedown

Researchers note that while the group traditionally avoided attacks on healthcare institutions, recent breaches of the sector may suggest an expansion of interests.

The threat actor group UNC4393, known for deploying BASTA ransomware, has undergone continuous changes in its tactics since mid-2022. Researchers have tracked over 40 UNC4393 intrusions across 20 industries and about 500 victims on its data leak site to study the group’s operations and changes.

While the group initially relied on QAKBOT botnet infections for access, UNC4393 adapted its methods after the 2023 law enforcement takedown of the QAKBOT infrastructure. The group has since switched to custom malware and a more diverse set of initial access techniques.

UNC4393 Attribution, Targeting and Malware

UNC4393 is a financially motivated threat cluster, and the primary user of the BASTA ransomware. The group has primarily made use of initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware in its campaigns.

Source: cloud.google.com

Researchers from Mandiant, in a new report, suspect that the BASTA operators maintain a private or small, closed, invitation-only affiliate model, in which only trusted third-party actors are given access to the BASTA encryptor.

The group has claimed hundreds of victims on its dark web leak site within short intervals of time, and in the intrusions studied it moved from initial access through reconnaissance and data exfiltration to ransomware deployment in a median time of approximately 42 hours. UNC4393 has transitioned from readily available tools to custom malware development. Its arsenal includes:

  • BASTA: A C++ ransomware that encrypts files using ChaCha20 or XChaCha20.
  • SYSTEMBC: A tunneler that retrieves proxy-related commands from a command-and-control server.
  • KNOTWRAP: A memory-only dropper that executes additional payloads.
  • DAWNCRY: A dropper that decrypts embedded resources, including DAVESHELL and PORTYARD.
  • PORTYARD: A tunneler establishing connections to command-and-control servers.


Shifting Access Methods and Partnerships

Following the QAKBOT infrastructure takedown, UNC4393 diversified its initial access methods:

  • DARKGATE: Briefly used for access via phishing campaigns.
  • SILENTNIGHT: A C/C++ backdoor delivered through malvertising, marking a shift from phishing-only tactics.

For internal reconnaissance, the group employs open-source tools like BLOODHOUND and ADFIND, along with custom tools such as COGSCAN, a .NET-based reconnaissance assembly.

After gaining access, UNC4393 combines living-off-the-land techniques with custom malware. It frequently uses DNS BEACON (the Cobalt Strike Beacon payload communicating over DNS) with distinctive domain-naming conventions to establish and maintain footholds in target environments. UNC4393 has demonstrated a willingness to cooperate with multiple distribution clusters and affiliates to achieve its goals.
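The article does not describe the naming conventions of UNC4393's DNS BEACON domains, so the following is an added example (not from the article and not Mandiant's tooling) of the generic heuristic defenders use to surface DNS-tunnelled command-and-control in passive DNS logs: a single client sending many queries whose leftmost labels are almost all unique, long and high-entropy, which is where DNS tunnellers such as DNS BEACON place encoded data. The log lines, domains (under the reserved .invalid TLD), log format and thresholds are all constructed assumptions; real Cobalt Strike DNS traffic would additionally be tuned by query type and timing.

```python
# Added example (not from the article or from Mandiant): a generic heuristic for
# spotting DNS-tunnelled command-and-control, such as Cobalt Strike's DNS BEACON,
# in passive DNS logs. Log format, domains and thresholds are assumptions.
from collections import defaultdict
import math

# Constructed sample log, one query per line: "<timestamp> <client-ip> <qname> <qtype>".
# 10.0.0.5 does ordinary lookups; 10.0.0.7 queries one domain with unique, random-looking labels.
SAMPLE_DNS_LOG = """\
2024-07-01T10:00:01Z 10.0.0.5 www.example.com A
2024-07-01T10:00:02Z 10.0.0.5 mail.example.com A
2024-07-01T10:00:03Z 10.0.0.5 api.example.com A
2024-07-01T10:00:04Z 10.0.0.5 www.example.com A
2024-07-01T10:00:05Z 10.0.0.5 mail.example.com A
2024-07-01T10:00:06Z 10.0.0.5 img1.cdn-static.invalid A
2024-07-01T10:00:07Z 10.0.0.5 img2.cdn-static.invalid A
2024-07-01T10:00:08Z 10.0.0.5 img3.cdn-static.invalid A
2024-07-01T10:00:09Z 10.0.0.5 img4.cdn-static.invalid A
2024-07-01T10:00:10Z 10.0.0.5 img5.cdn-static.invalid A
2024-07-01T10:00:11Z 10.0.0.5 img6.cdn-static.invalid A
2024-07-01T10:00:12Z 10.0.0.5 img7.cdn-static.invalid A
2024-07-01T10:00:13Z 10.0.0.5 img8.cdn-static.invalid A
2024-07-01T10:00:14Z 10.0.0.7 k3x9qz2mvb7ryt4wn8pa.c2-example.invalid TXT
2024-07-01T10:00:15Z 10.0.0.7 f1h6jd5csu0ge2lo9iqx.c2-example.invalid A
2024-07-01T10:00:16Z 10.0.0.7 z8wq4rkt1yb3nv6mp0ua.c2-example.invalid TXT
2024-07-01T10:00:17Z 10.0.0.7 c2se9fhd7gi4lo1jk5qx.c2-example.invalid A
2024-07-01T10:00:18Z 10.0.0.7 m7tb3ryw0zp2nv8kq5xa.c2-example.invalid TXT
2024-07-01T10:00:19Z 10.0.0.7 g5le1dsc8jf0ho4iu9qx.c2-example.invalid A
2024-07-01T10:00:20Z 10.0.0.7 v4nb7kmw2rz9yt1pq0xa.c2-example.invalid TXT
2024-07-01T10:00:21Z 10.0.0.7 h9je3fdg6sc1lo5iu2qx.c2-example.invalid A
2024-07-01T10:00:22Z 10.0.0.7 r1py6zkb0wn4mt8vq3xa.c2-example.invalid TXT
2024-07-01T10:00:23Z 10.0.0.7 d6sl2gce5hj9fi0ou4qx.c2-example.invalid A
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of a name. Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str) -> list:
    """Parse the constructed log format; malformed lines are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def flag_dns_beacon_candidates(text: str, min_queries: int = 8, min_unique_ratio: float = 0.8,
                               min_entropy: float = 3.0, min_label_len: int = 12) -> list:
    """Group queries by (client, registered domain) and flag groups whose leftmost labels
    look like encoded data: mostly unique, long and high-entropy. Thresholds are assumptions."""
    groups = defaultdict(list)
    for rec in parse_dns_log(text):
        labels = rec["qname"].split(".")
        if len(labels) < 3:
            continue  # bare registered domain: no data-carrying subdomain label to measure
        groups[(rec["client"], registered_domain(rec["qname"]))].append(labels[0])
    findings = []
    for (client, domain), labels in groups.items():
        if len(labels) < min_queries:
            continue
        unique_ratio = len(set(labels)) / len(labels)
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        mean_len = sum(len(l) for l in labels) / len(labels)
        # The CDN-style domain above has unique labels too, but they are short and
        # low-entropy, so the entropy and length checks keep it from being flagged.
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy and mean_len >= min_label_len:
            findings.append({"client": client, "domain": domain, "queries": len(labels),
                             "unique_ratio": round(unique_ratio, 2),
                             "mean_entropy": round(mean_entropy, 2),
                             "mean_label_len": round(mean_len, 1)})
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    for finding in flag_dns_beacon_candidates(SAMPLE_DNS_LOG):
        print(finding)
```

Run against real resolver or Zeek dns.log data the thresholds need tuning per environment: content-delivery and anti-virus update domains legitimately generate many unique labels, which is why the length and entropy checks are combined with the uniqueness ratio rather than used alone.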

Recent decline of listed victims on dark leak site (Source: cloud.google.com)

The group has shown a keen willingness to diversify and optimize its operations, from changing the malware it deploys to forming partnerships with initial access brokers. However, the researchers note that while the group's dark web leak site has been among the most active of those they track, the number of victims claimed on it has declined over recent months, and with less than a week remaining in the month, they conclude that a significant reversal of this decline is unlikely.

The researchers nonetheless stress that the group's quick operational tempo and multi-faceted extortion techniques remain a challenge for defenders, and a list of potential indicators of compromise (IOCs) has been uploaded to VirusTotal to help organizations mitigate the threat.

Alan J

Experienced cybersecurity and threat-intelligence writer, with strong interest in history, geo-politics, technology and public policy.
