During the latter part of Q4 2022, ReliaQuest detected a security breach in a customer's system. An intruder gained entry into the network, rapidly escalated their privileges, and moved laterally, securing a foothold in just 77 minutes. While the foothold was successfully eliminated, the incident highlights some crucial takeaways, among them the use of QBot to gain initial access and the subsequent groundwork laid for the Black Basta ransomware.

Diving into details

Initial access was achieved through a phishing email delivered to end users' inboxes, which ultimately dropped QBot.
  • The attackers executed the malware via HTML smuggling, a technique QBot was previously observed using in December 2022.
  • They also used alternative HTTPS channels to communicate and maintain their position within the network. Subsequently, they deployed and configured the remote access software Splashtop, AnyDesk, and Atera.

How does it lead to Black Basta?

Black Basta is a splinter group that emerged following the dismantling of Conti, with its members transitioning to other ransomware programs.
  • Based on the reported QBot activity, the perpetrator's behavior suggests a potential affiliation with the Black Basta RaaS, which is known for its involvement in such intrusions.
  • In addition to the above, the use of commercial remote access software—especially AnyDesk and Atera—is associated with Conti ransomware actors. 
  • Previously, in November 2022, Black Basta was observed deploying QBot to target U.S.-based organizations. 

Stay safe

Ransomware continues to be the top cyber threat to organizations in 2023, even though the threat is being scrutinized by governments worldwide. To stay safe from QBot infections, researchers recommend hardening perimeter security, restricting the use of remote access software, and ensuring proper backups and security.
Cyware Publisher