
Close Ties Between Black Basta Operation and FIN7 Revealed

Recently, Sentinel Labs researchers have found evidence linking FIN7 to the Black Basta ransomware operation.

Background on both groups

  • The FIN7 hacking group (also known as Carbanak) is often credited with innovating the crimeware ecosystem and taking attack TTPs to new heights beyond the schemes of its peers.
  • The Black Basta group, active since April, has breached over 90 organizations in well-organized attacks so far. However, its origin, identity, and operations remain a mystery.

Commonalities between FIN7 and Black Basta

Researchers assess that FIN7 and Black Basta operations are using custom impairment tools developed by the same threat actors.
  • FIN7 has been observed using SocksBot, a custom Endpoint Detection and Response (EDR) evasion tool that also appears to have been developed for and used exclusively by the Black Basta group.
  • Moreover, the IP address used by Black Basta as a C2 is hosted on the pq.hosting service, which the FIN7 group usually chooses for its attacks.
  • In early 2022, FIN7 used a combination of the Cobalt Strike and Meterpreter C2 frameworks to carry out simulated malware-dropping attacks.
  • Several months later, the same combination was used by Black Basta.
  • Both groups also used the exact same custom tools, plugins, and delivery methods during their attacks, which further strengthens the connection between them.

SocksBot tool activities

In June, Black Basta was observed deploying the SocksBot tool, which contains an executable that disables Windows Defender, EDR, and other antivirus tools.
  • The tool creates the illusion that Windows Defender is working normally, though it is not for the duration of the infection.
  • This allows data exfiltration and the encryption process to proceed uninterrupted, while users remain unaware of the intrusion.
  • It contains a packer bundled with a SocksBot (aka BIRDDOG) sample that has been developed and used by the FIN7 group since at least 2018.

Conclusion

FIN7 is consistently expanding, changing, and evolving to maximize illicit profits in new ways. The link between FIN7 and Black Basta suggests that this collaboration can launch massive campaigns together, or individually, while trying to stay undetected by today's security tools.

Publisher: Cyware