Black Basta Ransomware Gang Infiltrates networks via QAKBOT, Brute Ratel, and Cobalt Strike
Tactic / Technique
Notes
TA0001 Initial Access
T1566.001 Phishing: Spear phishing Attachment
Victims receive spear phishing emails with attached malicious zip files – typically password protected or HTML file. That file contains an ISO file.
T1566.001 Phishing: Spear phishing Link
QAKBOT has spread through emails with newly created malicious links.
TA0002 Execution
T1204.001 User Execution: Malicious Link
QAKBOT has gained execution through users accessing malicious link
T1204.002 User Execution: Malicious Link
QAKBOT has gained execution through users opening malicious attachments
T1569.002 System Services: Service Execution
Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services
T1059.005 Command and Scripting Interpreter: Visual Basic Script
QAKBOT can use VBS to download and execute malicious files
T1059.007 Command and Scripting Interpreter: JavaScript
QAKBOT abuses Wscript to execute a Jscript file.
TA0003 Persistence
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
QAKBOT can maintain persistence by creating an auto-run Registry key
TA0004 Privilege Escalation
T1055 Process Injection
QAKBOT can inject itself into processes like wermgr.exe
TA0006 Defense Evasion
T1027.006 Obfuscated Files or Information: HTML Smuggling
Smuggles a file’s content by hiding malicious payloads inside of seemingly benign HTML files.
T1218.010 System Binary Proxy Execution: Regsvr32
QAKBOT can use Regsvr32 to execute malicious DLLs
Cobalt Strike can use rundll32.exe to load DLL from the command line
T1140. Deobfuscate/Decode Files or Information
Initial QAKBOT .zip file bypasses some antivirus detections due to password protections.
T1562.009. Impair Defenses: Safe Boot Mode
Black Basta uses bcdedit to boot the device in safe mode.
TA0007 Discovery
T1010 Application Window Discovery
QAKBOT can enumerate windows on a compromised host.
T1482 Domain Trust Discovery
QAKBOT can run nltest /domain_trusts /all_trusts for domain trust discovery.
T1135 Network Share Discovery
QAKBOT can use net share to identify network shares for use in lateral movement.
T1069.001 Permission Groups Discovery: Local Groups
QAKBOT can use net localgroup to enable the discovery of local groups
T1057 Process Discovery
QAKBOT has the ability to check running processes
T1018 Remote System Discovery
QAKBOT can identify remote systems through the net view command
T1082 System Information Discovery
QAKBOT can collect system information including the OS version and domain on a compromised host
T1016 System Network Configuration Discovery
QAKBOT can use net config workstation, arp -a, and ipconfig /all to gather network configuration information
T1049 System Network Connections Discovery
QAKBOT can use netstat to enumerate current network connections
T1033 System Owner/User Discovery
QAKBOT can identify the username on a compromised system
TA0008 Lateral Movement
T1021 Remote Services: SMB/Windows Admin Shares
Cobalt Strike can use Window admin shares (C$ and ADMIN$) for lateral movement
TA0011 Command and Control
T1071.001 Application Layer Protocol: Web Protocols
QAKBOT can use HTTP and HTTPS in communication with the C&C servers.
T1573. Encrypted Channel
Used by QAKBOT, BRUTEL and Cobalt Strike
TA0040 Impact
T1486. Data Encrypted for Impact
Black Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key that is included in the executable.
T1489. Service Stop
Uses sc stop and taskkill to stop services.
T1490. Inhibit System Recovery
Black Basta deletes Volume Shadow Copies using vssadmin tool.
T1491 – Defacement
Replaces the desktop wallpaper to display the ransom note.
Read More HERE