A newcomer on the ransomware scene has co-opted a 14-year-old malware variant to help it maintain persistence on a targeted network in a recent attack, researchers have found.
Black Basta, a ransomware group that emerged in April, leveraged Qbot (a.k.a. Qakbot) to move laterally on a compromised network, researchers from security consulting firm NCC Group wrote in a blog post published this week. The researchers also observed in detail how Black Basta operates.
Qbot emerged in 2008 as a Windows-based info-stealing trojan capable of keylogging, exfiltrating cookies, and lifting online banking details and other credentials. Since then it has stood the test of time through constant evolution, morphing into sophisticated malware with clever detection-evasion and context-aware delivery tactics, as well as phishing capabilities that include e-mail hijacking, among others.
Black Basta is, in contrast, a relative baby when it comes to cyber-criminality. The first reports of an attack by the ransomware group occurred only a few months ago.
Black Basta, like many others of its kind, uses double-extortion attacks in which data is first exfiltrated from the network before the ransomware is deployed. The group then threatens to leak the data on a Tor site that it uses exclusively for this purpose.
Qbot in the Mix
It’s not unusual for ransomware groups to leverage Qbot in the initial compromise of a network. However, Black Basta’s use of it appears to be unique, researchers said.
“The seriousness and efficiency of the collaboration cannot be underestimated,” observed Garret Grajek, CEO of security firm YouAttest, who said in an email to Threatpost that the finding also ups the ante in terms of how organizations must protect themselves.
NCC Group discovered the attack when they noticed a text file named pc_list.txt in the C:\Windows\ folder on two compromised domain controllers, they said.
“Both contained a list of internal IP addresses of all the systems on the network,” researchers wrote. “This was to supply the threat actor with a list of IP addresses to target when deploying the ransomware.”
Once the ransomware group gained access to the network and created PsExec.exe in the C:\Windows\ folder, it used Qbot remotely to create a temporary service on a target host, which was configured to execute a Qakbot DLL using regsvr32.exe, researchers wrote.
To proceed with lateral movement, Black Basta then used RDP along with a batch file called rdp.bat, which contained command lines to enable RDP logons. This allowed the threat actor to establish remote desktop sessions on compromised hosts, even where RDP had originally been disabled, researchers said.
Evasion Tactics and Ransomware Execution
Researchers managed to observe specific characteristics of a Black Basta attack in their investigation of the incident, including how it evades detection and how it executes ransomware on the compromised system, they said.
The group commences nefarious activity on a network even before it deploys ransomware by establishing RDP sessions to Hyper-V servers, modifying configurations for the Veeam backup jobs and deleting the backups of the hosted virtual machines, researchers said. It then uses WMI (Windows Management Instrumentation) to push out ransomware, they said.
During the attack, two further steps were taken to evade detection and disable Windows Defender. One was to deploy the batch script d.bat locally on compromised hosts and execute PowerShell commands; the other involved creating a GPO (Group Policy Object) on a compromised domain controller. The latter pushed out changes to the Windows Registry of domain-joined hosts in order to slip past protections, researchers said.
Once deployed, the Black Basta ransomware itself, like many ransomware variants, doesn’t encrypt the entire file, researchers found. Instead, it “only partially encrypts the file to increase the speed and efficiency of encryption,” encrypting 64-byte blocks of a file with 128 bytes left untouched between them, they wrote.
To modify files, the group also uses an RSA-encrypted key generated earlier, together with the value 0x00020000, both of which are appended to the end of the file to be used later for decryption, researchers said. Following successful encryption of a file, its extension is changed to .basta, which automatically switches its icon to the icon file dropped earlier, they added.
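To make the 64-byte-on, 128-byte-off layout concrete, here is an added Python sketch (written for this page, not code from NCC Group’s report or from the malware) that maps which byte ranges such a scheme would touch, shows that only about a third of a file becomes ciphertext, and applies an entropy heuristic a responder could use to triage suspect files; the sample file and the 5.0/4.8 entropy thresholds are constructed assumptions.

```python
import math
import random
from collections import Counter

BLOCK = 64    # bytes encrypted per stride (figure from the NCC write-up)
GAP = 128     # bytes left untouched after each encrypted block
STRIDE = BLOCK + GAP


def encrypted_ranges(size: int) -> list:
    """(start, end) offsets the described scheme would encrypt in a file of `size` bytes."""
    return [(off, min(off + BLOCK, size)) for off in range(0, size, STRIDE)]


def encrypted_fraction(size: int) -> float:
    """Share of the file that is ciphertext; about 1/3 for any file much larger than one stride."""
    if size == 0:
        return 0.0
    return sum(end - start for start, end in encrypted_ranges(size)) / size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 64 random bytes score roughly 5.7, English text roughly 4."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def matches_intermittent_pattern(data: bytes, high: float = 5.0, low: float = 4.8) -> bool:
    """Triage heuristic (assumed thresholds): every full stride has a high-entropy 64-byte head
    followed by a lower-entropy 128-byte tail, which is what 64-on/128-off encryption leaves."""
    strides = [data[o:o + STRIDE] for o in range(0, len(data) - STRIDE + 1, STRIDE)]
    if not strides:
        return False
    return all(shannon_entropy(s[:BLOCK]) >= high and shannon_entropy(s[BLOCK:]) < low
               for s in strides)


def constructed_sample(seed: int = 7, strides: int = 8) -> bytes:
    """Constructed stand-in for an affected file: seeded random bytes where ciphertext would sit,
    repetitive text in the gaps. Not derived from any real sample."""
    rng = random.Random(seed)
    filler = (b"quarterly report draft - do not distribute " * 4)[:GAP]
    out = bytearray()
    for _ in range(strides):
        out += bytes(rng.getrandbits(8) for _ in range(BLOCK)) + filler
    return bytes(out)
```

On a real case the heuristic is only a first filter: files that are compressed or already encrypted at rest score high everywhere and need a different check.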