
Black Basta Deploys QAKBOT, Brute Ratel, and Cobalt Strike For Network Intrusion

Researchers have recently observed the Black Basta ransomware group using several new methods to deploy Brute Ratel. These methods include the use of SmokeLoader, Emotet, and malicious spam.

Multiple distribution methods

In this campaign, the Black Basta ransomware group used the Cobalt Strike and Brute Ratel tools. Trend Micro observed QAKBOT (using the Obama distributor ID prefix) dropping Brute Ratel C4 as a second-stage payload. The malware arrived as a password-protected ZIP file spread via HTML smuggling. This is the first time researchers have witnessed Brute Ratel being delivered as a second-stage payload via a QAKBOT infection.

How does it work?

The attack campaign starts with a spam email (using two IDs: BB and Obama20x) containing a malicious new URL sent to potential victims. The landing page displays the password needed to open the ZIP file sent to the recipient.
  • The ZIP file contains a single ISO file (holding various files and directories), which is believed to be an attempt to bypass the Mark of the Web (MOTW). MOTW is a tag added to files downloaded from the internet, and security solutions often rely on it to apply additional protections.
  • The files and directories in the ISO file are identified as Accounting#7405[.]iso, Contract[.]lnk, fodder[.]txt, enunciatedNaught[.]cmd, eyelid[.]png, reflectiveness[.]db, and sharpOutvotes[.]js.
  • QAKBOT malware uses obfuscation across two script files, a JavaScript (.js) file and a Batch Script (.cmd) file, believed to be a measure to hide suspicious-looking command lines.
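One way to triage inbound archives for the ZIP-wrapping-an-ISO pattern described above, as an added Python example that is not from the Trend Micro report or from Cyware: it inspects ZIP metadata only (no extraction) and builds its own constructed samples, reusing the ISO file name from the report while the archive bytes themselves are synthetic.

```python
import io
import os
import struct
import zipfile
import zlib

# Container formats that, once mounted, hide the Mark of the Web from the files inside.
IMAGE_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
# Scripting sidecars of the kind found in this campaign's ISO (lnk -> cmd -> js chain).
SCRIPT_EXTS = {".lnk", ".js", ".cmd", ".bat", ".vbs"}

def assess_zip(data: bytes) -> dict:
    """Inspect ZIP central-directory metadata and flag the ISO-in-archive delivery pattern."""
    out = {"encrypted": False, "disk_images": [], "scripts": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        for info in entries:
            ext = os.path.splitext(info.filename)[1].lower()
            if info.flag_bits & 0x1:          # general-purpose bit 0: entry is password-protected
                out["encrypted"] = True
            if ext in IMAGE_EXTS:
                out["disk_images"].append(info.filename)
            if ext in SCRIPT_EXTS:
                out["scripts"].append(info.filename)
    # A disk image that is the sole entry, or sits behind a password, matches the chain above.
    out["suspicious"] = bool(out["disk_images"]) and (out["encrypted"] or len(entries) == 1)
    return out

def build_stored_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Hand-assemble a one-entry ZIP so the 'encrypted' flag can be set (zipfile cannot write it).
    With the flag set the payload is a stand-in, not a real ZipCrypto stream; it is never read."""
    flags = 0x1 if encrypted else 0
    crc, size = zlib.crc32(payload) & 0xFFFFFFFF, len(payload)
    fname = name.encode("cp437")
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0, crc, size, size, len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, size, size, len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + size, 0)
    return local + payload + central + eocd

# Constructed samples: a campaign-shaped archive (file name from the report) and a benign one.
SAMPLE_ZIP = build_stored_zip("Accounting#7405.iso", b"placeholder-iso-bytes", encrypted=True)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("notes.txt", "quarterly notes")
    _zf.writestr("budget.csv", "a,b\n1,2\n")
BENIGN_ZIP = _buf.getvalue()
```

The same extension check in `assess_zip` can be applied to the ISO's own file listing once the image is parsed or mounted, which is where this campaign's LNK, CMD and JS files actually sit.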

C2 communications

The C2 infrastructure is spread across compromised hosts residing in predominantly residential ISP broadband networks.
  • The C2 servers reside across Brazil, Afghanistan, Algeria, Argentina, Austria, Canada, Bulgaria, Chile, Egypt, India, Colombia, Indonesia, and Japan.
  • Most of these Tier 1 C2 servers are used as disposable resources by QAKBOT operators and replaced almost every time new malware is distributed. However, some servers are used persistently across multiple QAKBOT configurations.

Conclusion

Organizations should be aware of cybercriminals' use of Cobalt Strike and Brute Ratel. These tools blend in well with legitimate activity in the targeted environment, which makes their malicious use difficult to trace. Organizations are advised to use Managed Detection and Response (MDR), which leverages advanced artificial intelligence to correlate and prioritize threats. It can identify malware before it is run, thus stopping further compromise.
Cyware Publisher