web analytics

Black Basta Ransomware Uses MS Teams, Email Bombing to Spread Malware – Source:hackread.com

black-basta-ransomware-uses-ms-teams,-email-bombing-to-spread-malware-–-source:hackread.com
Rate this post

Source: hackread.com – Author: Deeba Ahmed.

    SUMMARY

    • Black Basta Campaign Resurgence: Rapid7 researchers report a sophisticated social engineering campaign by the Black Basta ransomware group, refining tactics and targeting organizations globally.
    • Enhanced Tactics: Attackers use email bombing, impersonation via Microsoft Teams, and tools like QuickAssist and AnyDesk to gain remote access, bypass MFA, and execute malicious payloads.
    • Malicious Tools: Threat actors deploy tools like Zbot and DarkGate for credential harvesting, data exfiltration, and persistence before delivering Black Basta ransomware.
    • Improved Payload Delivery: Updated techniques include obfuscation with custom packers, DLL execution via rundll32.exe, and advanced evasion strategies.
    • Mitigation Strategies: Organizations should adopt stronger password policies, provide security training, and implement advanced defences to mitigate ransomware threats.

    Cybersecurity researchers at Rapid7 have released a new report detailing its investigation of a sophisticated social engineering campaign launched by the infamous Black Basta ransomware group (aka UNC4393), threatening organizations worldwide. 

    Researchers have observed a resurgence of activity in relation to Black Basta ransomware operators’ currently ongoing social engineering campaign, first reported in May 2024 and updated in August 2024.

    The attackers have now refined their early stages procedures, including new malware payloads, improved delivery, and increased defence evasion, with lures sent via Microsoft Teams.

    Reportedly, the campaign begins with email bombing in which a series of emails are sent to overwhelm potential victims, typically achieved by signing up users’ emails to multiple mailing lists simultaneously. Attackers impersonate IT support personnel offering assistance and tricking users into granting remote access to their systems. Microsoft Teams is used to establish initial contact whereas Azure/Entra tenant subdomains and custom domains are utilized as account domains.

    Potential targets are tricked into installing/executing remote management tools like QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect. Threat actors also use the OpenSSH client to establish a reverse shell, or, share a QR code with the user, probably to bypass MFA (multi-factor authentication) after stealing their credentials.

    As soon as they gain access, the attackers deploy a range of malicious tools for credential harvesting, lateral movement, and data exfiltration.  A custom packer is used to obfuscate various payloads, including Zbot, and DarkGate, to steal sensitive information and establish persistence on the system. The ultimate goal, however, is to deploy the Black Basta ransomware itself, to encrypt critical data and demand a ransom payment. 

    Black Basta Ransomware Uses MS Teams, Email Bombing to Spread Malware
    One of the malicious QR codes used by the attackes (Via Rapid7)

    For your information, DarkGate is a powerful malicious shellcode that can perform a wide range of malicious actions, including stealing information, establishing persistence, and re-infecting compromised machines by establishing a backdoor.

    Zloader/Zbot, conversely, is a sophisticated trojan that steals login credentials, credit card information, and personal data, downloads and executes additional malware payloads, establishes persistence on the infected system and communicates with command-and-control servers.

    Compared to Rapid7’s previously detected attacks, researchers noted some similarities and some unique approaches in this campaign:

    “Rapid7 has observed usage of the same credential harvesting executable, previously reported as AntiSpam.exe, though it is now delivered in the form of a DLL and most commonly executed via rundll32.exe. Whereas before it was an unobfuscated .NET executable, the program is now commonly contained within a compiled 64-bit DLL loader,” the blog post revealed.

    To mitigate the risk of such attacks, organizations must improve their security measures, including implementing stronger password protection mechanisms, regular security awareness training for employees, and advanced security solutions.

    1. Telecom Giant BT Group Hit by Black Basta Ransomware
    2. Russian Midnight Blizzard Hits MS Teams in Precision Attack
    3. Iranian Hackers Target Microsoft 365 with MFA Push Bombing
    4. Storm-0324 Exploits MS Teams Chats for Ransomware Attacks
    5. Vietnamese DarkGate Malware Targets META Accounts Worldwide

    Original Post url: https://hackread.com/black-basta-gang-ms-teams-email-bombing-malware/

    Category & Tags: Security,Cyber Attacks,Malware,Black Basta,Cybersecurity,DarkGate,Microsoft Teams,Ransomware,Vulnerability,Zbot – Security,Cyber Attacks,Malware,Black Basta,Cybersecurity,DarkGate,Microsoft Teams,Ransomware,Vulnerability,Zbot

    Views: 5

    LinkedIn
    Twitter
    Facebook
    WhatsApp
    Email

    advisor pick´S post

    Codrut Andrei
    Secure Software Development Lifecycle Fundamentals by Codrut Andrei
    Secure Software Development Lifecycle Fundamentals...
    BUTTERWORTH-HEINEMANN
    Security Operations Center Guidebook – A Practical Guide for a Successful SOC
    Security Operations Center Guidebook –...
    CISO Forum
    CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
    CISO’s – First 100 Days...
    RedHat
    State of Kubernetes Security Report 2022 by RedHat
    State of Kubernetes Security Report...
    National Cyber Security
    Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
    Cyber Security Toolkit for Boards...
    Harvard Business Review
    Boards Are Having the Wrong Conversations About Cybersecurity – Board interactions with the CISO are lacking – by Lucia Millica and Keri Pearlson – Harvard Business Review
    Boards Are Having the Wrong...
    Vendict
    The 2024 CISO Burnout Report by Vendict
    The 2024 CISO Burnout Report...
    Mohammad Alkhudari
    Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
    Cybersecurity Strong Strategy step by...
    Marcos Jaimovich
    The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
    The Silent Spectre Haunting Your...
    Marcos Jaimovich
    Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
    Goodbye to Traditional: Why Conventional...
    Marcos Jaimovich
    Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
    Why do we compare a...
    Joas Antonio
    Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
    Security Operations Center (SOC) –...

    LASTEST PUBLISHED POSTS

    Cyberint
    Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
    Retail Threat Landscape Report Q1-Q3...
    NCSC
    Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
    Protecting Critical Supply Chains –...
    Culture AI
    Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
    Time to Adapt – The...
    National Cyber Security Centre
    Engaging with Boards to improve the management of cyber security risk.
    Engaging with Boards to improve...
    Microsoft Security
    2024 State of Multicloud Security Report by Microsoft Security
    2024 State of Multicloud Security...
    bugcrowd
    Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
    Inside the Mind of a...
    Mohammad Alkhudari
    Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
    Cybersecurity Strong Strategy step by...
    Lacework
    CISO’s Playbookto Cloud Security by Lacework
    CISO’s Playbookto Cloud Security by...
    MITRE - Carson Zimmerman
    Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
    Ten Strategies of a World-Class...
    SILVERFRONT - AIG
    Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
    Identity Has Become the Prime...
    CYZEA.IO
    Enterprise Information Security
    Enterprise Information Security
    IGNITE Technologies
    ENCRYPTED REVERSE
    ENCRYPTED REVERSE

    More Latest Published Posts

    WORLD BANK GROUP
    Global Cybersecurity Capacity Program
    Global Cybersecurity Capacity Program
    Gary Hinson
    Getting started withsecurity metrics
    Getting started withsecurity metrics
    EDPS
    Generative AI and the EUDPR.
    Generative AI and the EUDPR.
    Bright
    2024 Guide to Application Security Testing Tools
    2024 Guide to Application Security Testing Tools
    HADESS
    Hacker Culture
    Hacker Culture
    Quuensland Govermment
    RISK ASSESSMENT PROCESS HANDBOOK
    RISK ASSESSMENT PROCESS HANDBOOK
    Ministry of MOS Security
    HIPAA SIMPLIFIED
    HIPAA SIMPLIFIED
    Hacker Combat
    How Are Passwords Cracked?
    How Are Passwords Cracked?
    CIS - Center for Internet Security
    How to Plan a Cybersecurity Roadmap in Four Steps
    How to Plan a Cybersecurity Roadmap in Four Steps
    ACSC Australia
    Information Security Manual
    Information Security Manual
    Kaspersky
    Incident Response Playbook: Dark Web Breaches
    Incident Response Playbook: Dark Web Breaches
    ninjaOne
    Endpoint Hardening Checklist
    Endpoint Hardening Checklist
    HADESS
    Important Active Directory Attribute
    Important Active Directory Attribute
    ISA GLOBAL CYBERSECURITY ALLIANCE
    IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
    IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
    Rajneesh Gupta
    IAM Security CHECKLIST
    IAM Security CHECKLIST
    sqrrl
    Hunt Evil
    Hunt Evil
    Searchinform
    How to protect personal data and comply with regulations
    How to protect personal data and comply with regulations
    Giuseppe Manco
    Threat Intelligence Platforms
    Threat Intelligence Platforms
    CSA Cloud Security Alliance
    Hardware Security Module(HSM) as a Service
    Hardware Security Module(HSM) as a Service
    IGNITE Technologies
    CREDENTIAL DUMPING FAKE SERVICES
    CREDENTIAL DUMPING FAKE SERVICES
    IGNITE Technologies
    A Detailed Guide on Covenant
    A Detailed Guide on Covenant
    NIST
    Computer Security Incident Handling Guide
    Computer Security Incident Handling Guide
    IGNITE Technologies
    DIGITAL FORENSIC FTK IMAGER
    DIGITAL FORENSIC FTK IMAGER
    Accedere
    Cloud Security Assessment
    Cloud Security Assessment
    YL VENTURES
    CISO Reporting Landscape 2024
    CISO Reporting Landscape 2024
    CISO Edition
    Reporting Cyber Risk to Boards
    Reporting Cyber Risk to Boards
    CIOB
    CIOB Artificial Intelligence (AI) Playbook 2024
    CIOB Artificial Intelligence (AI) Playbook 2024
    INCIBE & SPAIN GOVERNMENT
    Nuevas normativas de 2024 de ciberseguridad para vehículos
    Nuevas normativas de 2024 de ciberseguridad para vehículos