Cybereason researchers identified widespread Qakbot (QBot or Pinkslipbot) campaigns targeting U.S.-based companies. The Black Basta ransomware gang is behind these recent campaigns.

Campaign highlights

Since mid-November, the Black Basta gang has been using spam or phishing emails to distribute malicious URL links or disk image files.
  • These URLs or files deliver Qakbot, which establishes the initial foothold and maintains the attackers’ presence on victims’ networks.
  • When the URL or file is opened, Qakbot executes and connects to a remote server to retrieve the Cobalt Strike payload. Cobalt Strike is then used to gain domain administrator privileges remotely during the compromise.
  • At this stage, credential harvesting and lateral movement are carried out to place the malicious frameworks on several servers, where each performs its assigned task.

Finally, Black Basta ransomware is deployed and the attackers attempt to disable security mechanisms, such as EDR sensors and antivirus software, to avoid detection.

Aftermath

  • Black Basta generates the ransom note file (readme.txt) in every folder it encrypts. Subsequently, Black Basta starts encrypting the files on the machine and adds a random extension to each file.
  • It replaces the desktop wallpaper, avoids some specific folders, and deletes the machine’s shadow copies. In addition, the group locks the victim out of the network by disabling DNS services to make recovery challenging.
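As an added example (not part of the Cybereason or Cyware reporting), the following Python triage heuristic looks for the two per-folder traits described above, a readme.txt note in each encrypted folder and a random extension appended to the files, in a constructed file-system snapshot; the snapshot format, the baseline extension set and the thresholds are assumptions of this example.

```python
"""Heuristic triage of a directory snapshot for Black Basta post-encryption traits.
The snapshot format (folder -> list of file names) and the baseline of known
extensions are assumptions made for this example, not data from the article."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

NOTE_NAME = "readme.txt"  # ransom note name reported in the article
# Illustrative baseline; a real deployment would derive this from the estate.
KNOWN_EXTENSIONS = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "exe", "dll"}

# Constructed snapshot: two encrypted user folders, one untouched system folder
# (the article notes that some folders are skipped) and one folder with a note only.
SAMPLE_SNAPSHOT: Dict[str, List[str]] = {
    r"C:\Users\alice\Documents": ["readme.txt", "budget.xlsx.7f3kq", "plan.docx.7f3kq", "memo.pdf.7f3kq"],
    r"C:\Users\alice\Pictures": ["readme.txt", "cat.jpg.7f3kq", "dog.png.7f3kq"],
    r"C:\Windows\System32": ["kernel32.dll", "cmd.exe"],
    r"C:\Users\alice\Desktop": ["readme.txt", "todo.txt"],
}

def note_folders(snapshot: Dict[str, List[str]]) -> List[str]:
    """Folders containing the ransom note (case-insensitive name match)."""
    return [d for d, names in snapshot.items() if any(n.lower() == NOTE_NAME for n in names)]

def appended_extension(snapshot: Dict[str, List[str]], folder: str) -> Optional[str]:
    """Return the unknown extension appended to most files in the folder, if any.
    'report.pdf.7f3kq' splits into a known extension ('pdf') plus an unknown
    trailing one ('7f3kq'); one such trailing extension shared by at least two
    files and at least half of the folder's non-note files is the signal."""
    tails: Counter = Counter()
    candidates = 0
    for name in snapshot[folder]:
        if name.lower() == NOTE_NAME:
            continue
        candidates += 1
        parts = name.lower().rsplit(".", 2)
        if len(parts) == 3 and parts[1] in KNOWN_EXTENSIONS and parts[2] not in KNOWN_EXTENSIONS:
            tails[parts[2]] += 1
    if not tails:
        return None
    ext, count = tails.most_common(1)[0]
    return ext if count >= max(2, candidates // 2) else None

def triage(snapshot: Dict[str, List[str]]) -> Tuple[Dict[str, str], float]:
    """Return {folder: appended_ext} for folders showing both traits, plus the
    fraction of all folders carrying a note (a high fraction suggests mass encryption)."""
    noted = note_folders(snapshot)
    hits = {f: appended_extension(snapshot, f) for f in noted if appended_extension(snapshot, f)}
    return hits, len(noted) / max(1, len(snapshot))

if __name__ == "__main__":
    print(triage(SAMPLE_SNAPSHOT))
```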

Black Basta + Qakbot: Another recent campaign

  • In October, Trend Micro disclosed that Black Basta was infiltrating networks via Qakbot to deploy Brute Ratel C4, which, in turn, was leveraged to drop Cobalt Strike.
  • It appears the attackers have evolved the campaigns by cutting Brute Ratel C4 out of the equation and using Qakbot to distribute Cobalt Strike directly to several machines in the infected environment.

Conclusion

These latest, modified campaigns indicate that threat actors are aggressively using Qakbot as access-as-a-service malware. Moreover, such ties between major threat groups indicate that the attackers are actively working to improve their tactics and efficacy. Thus, security teams should keep an eye out for such campaigns and take precautions to detect and prevent Qakbot post-exploitation activities and Black Basta infections.
Cyware Publisher