Updated on 2022-11-25: Black Basta + Qakbot
Cybereason researchers are reporting on malware infection killchains where victims were initially infected with the Qakbot trojan before they got ransomed by the Black Basta ransomware crew. Read more: THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
“To make the recovery more difficult, the threat actor also locked the victim out of the network by disabling DNS services. We observed this tactic used on more than one victim.”
Updated on 2022-11-20
Securonix researchers have published a report on the recent updates to the QakBot (Qbot) malware code. For technical readers only. Read more: Securonix Threat Labs Security Advisory: Qbot/QakBot Malware’s New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
Updated on 2022-11-18
Phishing emails deploying QBot have resorted to abusing a DLL hijacking vulnerability in Windows 10 Control Panel, as a means to evade detection by security solutions. Read more: QBot phishing abuses Windows Control Panel EXE to infect devices
Updated on 2022-11-04: Black Basta linked to FIN7
In a report on Thursday, SentinelOne researchers linked the Black Basta ransomware operation, which launched in April 2022, to the FIN7 cybercrime cartel. Previously, in a report last year, Microsoft said that a FIN7 subgroup, named Elbrus, created and ran the Darkside and BlackMatter RaaS operations as well. Read more: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Today @cglyer & I are having an on-stage reunion to give the first public insights into our mysterious #MSTIC counter-ransomware unit.
We will share #ELBRUS 🌋 (overlaps: FIN7) ties to ransomware and expose their new front company.
20 minute talk @ 2pm ET: https://t.co/unQs5yE3DG pic.twitter.com/2xAEiHLWGp
— Nick Carr (@ItsReallyNick) October 7, 2021
Updated on 2022-11-03
Sentinel Labs researchers linked the Black Basta ransomware gang to FIN7, based on Black Basta's use of the EDR evasion tool developed by FIN7. Read more: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Updated on 2022-10-31
QAKBOT: Trend Micro has a report out on the QAKBOT trojan and its use of valid certificates to sign some of its modules, a technique the botnet has used all summer long. Read more: Where is the Origin?: QAKBOT Uses Valid Code Signing
“A look at the abused certificates also reveals that they were not issued to non-existent organizations for abuse, but rather valid certificates issued to real existent organizations through proper process.”
Updated on 2022-10-27
The ASEC analysis team discovered Qakbot being disseminated to Korean users via ISO files, with a new detection bypass mechanism. Its distribution process is the same as that of IcedID and Bumblebee, i.e., hijacking email threads. Read more: Qakbot Malware Being Distributed in Korea
Updated on 2022-10-24: Black Basta ransomware
Check Point has a technical breakdown of the Black Basta ransomware code. Read more: Black Basta and the Unnoticed Delivery
Updated on 2022-10-17: QBot infects over 800 corporate users in new, ongoing campaign
Kaspersky is warning that QBot, aka Qakbot, an information stealer with a backdoor and self-spreading capabilities, has infected at least 800 corporate users in the U.S., Germany, Italy and India since late September. QBot exploited the Follina vulnerability earlier this year, but the malware is also known to hijack email threads in an effort to trick unsuspecting victims into downloading and installing the malware. Keep an eye out for suspicious emails. Read more: QBot Malware Infects Over 800 Corporate Users in New, Ongoing Campaign
Updated on 2022-10-14: Black Basta via QAKBOT
A Trend Micro report describes how recent infections with the QAKBOT malware deploy Brute Ratel or Cobalt Strike payloads within minutes of entering a system. Trend Micro linked these attacks to the threat actor behind the Black Basta ransomware. Read more: Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Updated on 2022-10-12
A Trend Micro investigation revealed that the Black Basta ransomware gang has adopted the QAKBOT-to-Brute Ratel-to-Cobalt Strike kill chain, as their TTPs and infrastructure overlap with each other. Read more: Black Basta Ransomware Gang Infiltrates networks via QAKBOT, Brute Ratel, and Cobalt Strike
Updated on 2022-09-28
A U.S. subsidiary of Elbit Systems confirmed suffering a ransomware attack, months after the Black Basta ransomware group listed it on its leak site as one of its victims. The data compromised included employee names, addresses, SSNs, dates of birth, direct deposit information, and ethnicity. The documents shared by the attackers as proof of the hack, however, contained confidentiality agreements, an audit report, and a payroll report.
Updated in July 2022
A Trend Micro report details new tactics employed by Black Basta affiliates, who are now using the QakBot trojan for initial access into corporate networks and the PrintNightmare vulnerability to expand their access.
Security researchers from Zscaler said in a report this week that the rising number of infections seen in recent months from the Qakbot (QBot, QuackBot, Pinkslipbot) botnet can be traced back to the deployment of several new detection evasion techniques. These include the use of ZIP files to hide their payloads, new code obfuscation methods, and the use of unknown file extensions (OCX, ooccxx, dat, or gyp) to deliver payloads.
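The detection angle on the Zscaler findings above, as an added example that is not part of the original post or any vendor's code: a small scanner that runs over constructed mail-gateway log lines and flags ZIP attachments whose members carry the uncommon payload extensions named in the report (OCX, ooccxx, dat, gyp) or conventional executable types. The log format, the sender and file names, and the extension lists beyond the four from the text are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Payload extensions Zscaler reported Qakbot using (taken from the text above).
UNCOMMON_PAYLOAD_EXTENSIONS = {"ocx", "ooccxx", "dat", "gyp"}
# Conventional executable types that should not arrive inside a mail attachment
# (assumed list; extend to match local policy).
EXECUTABLE_EXTENSIONS = {"exe", "dll", "js", "vbs", "lnk", "hta", "scr", "cmd", "bat"}
# Container types whose listed members get inspected (assumed list).
ARCHIVE_EXTENSIONS = {"zip", "iso", "img"}

# Constructed gateway log format (an assumption; adapt the regex to your gateway):
#   <timestamp> from=<sender> attachment="<name>" contents="<member;member;...>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+from=(?P<sender>\S+)\s+'
    r'attachment="(?P<attachment>[^"]+)"\s+contents="(?P<contents>[^"]*)"$'
)


@dataclass
class Finding:
    timestamp: str
    sender: str
    attachment: str
    reasons: list = field(default_factory=list)


def extension(name: str) -> str:
    """Lower-cased final extension of a file name, '' if it has none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_line(line: str):
    """Return a Finding for one log line, or None if nothing looks suspicious."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None  # unparseable line; count these separately in production
    attachment = m["attachment"]
    reasons = []
    att_ext = extension(attachment)
    # A bare payload file sent directly, without an archive around it.
    if att_ext in UNCOMMON_PAYLOAD_EXTENSIONS | EXECUTABLE_EXTENSIONS:
        reasons.append(f"attachment uses payload extension .{att_ext}")
    # Archive members: the ZIP-wrapped delivery the report describes.
    if att_ext in ARCHIVE_EXTENSIONS:
        for member in (f for f in m["contents"].split(";") if f):
            ext = extension(member)
            if ext in UNCOMMON_PAYLOAD_EXTENSIONS:
                reasons.append(f"archive member {member} uses uncommon extension .{ext}")
            elif ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"archive member {member} is executable (.{ext})")
    if not reasons:
        return None
    return Finding(m["ts"], m["sender"], attachment, reasons)


def scan(lines):
    """Run inspect_line over a sequence of log lines and return all findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2022-07-12T09:14:03Z from=billing@example.test attachment="invoice_2291.zip" '
    'contents="invoice_2291.dat;invoice_2291.lnk"',
    '2022-07-12T09:20:41Z from=hr@example.test attachment="policy.pdf" contents=""',
    '2022-07-12T10:02:17Z from=supplier@example.test attachment="order.zip" '
    'contents="order.pdf;readme.txt"',
    '2022-07-12T10:45:09Z from=notify@example.test attachment="report.zip" '
    'contents="report.ooccxx"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.timestamp, finding.sender, finding.attachment)
        for reason in finding.reasons:
            print("   -", reason)
```

Extension matching alone is a coarse filter: a gateway that can open the archive should also check member MIME types and sizes, since a renamed DLL still looks like a DLL once inspected. The member list is taken from the log here because that is what most gateways already record.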
Updated in June 2022
Security firm Cybereason has published a report on the Black Basta ransomware. The report echoes previous findings from IBM X-Force, Trend Micro, and NCC Group, including that Black Basta members are connected to the now-defunct Conti gang, something the Conti group tried to “formally deny” a few weeks back.
NCC Group researchers have published a technical report on the operations of the Black Basta ransomware. Trend Micro and IBM also published reports on the same gang in previous weeks. NCC Group’s findings confirm Trend Micro’s assessment that many Black Basta infections originate from initial infections with the QakBot trojan. In addition, Uptycs also published its own report on this ransomware strain, analyzing the Linux version of the ransomware that can target VMware ESXi servers.
Updated in May 2022
Trend Micro has published a report on the new Black Basta ransomware operation, believed to have splintered off from the old Conti gang.
Updated in March 2022: Qakbot Is Hijacking Email Threads
According to a report from Sophos, the Qakbot botnet is now hijacking email conversations to spread malware. The malware operators inject messages into existing email threads in an attempt to trick users into downloading the malware. Qakbot has been known since 2008, when it was a Trojan designed to steal bank account access credentials.
- Qakbot operates on the endpoint, stealing credentials for email accounts and for websites, which it then uses to upload its malware payloads, either to spread itself or to add functions on behalf of other malicious actors. Enable MFA on your email accounts, and make sure authentication tokens expire so that re-authentication is triggered. Do not allow reusable passwords when accessing services from non-corporate systems or the Internet.
- Qakbot focuses on initial access and brokers that access to other threat actors with varying objectives, spanning from ransomware to intellectual property theft. Keeping up with the latest tactics, techniques, and procedures is important so your organization can test, measure, and improve its detection and response.
Read more:
- Watch out for this phishing attack that hijacks your email chats to spread malware
- Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads
- Qakbot injects itself into the middle of your conversations
The American subsidiary of Elbit Systems disclosed suffering a data breach after the Black Basta ransomware gang claimed responsibility. The data breach occurred on June 8 and affected 369 people. Read more: Defense firm Elbit Systems of America discloses data breach