Black Basta is a ransomware-as-a-service operated by Storm-1811 that uses double extortion, stealing data before encryption and threatening disclosure if a ransom is not paid (up to $2 million). The piece outlines the infection chain, technical techniques, and sandbox-based defenses, including the use of ANY.RUN for analysis. #BlackBasta #Storm-1811 #QakBot #CobaltStrike #ANY.RUN
Keypoints
- Black Basta operates as a ransomware-as-a-service run by the Storm-1811 group and employs double extortion (data theft plus encryption).
- Initial access often relies on compromised credentials or QakBot-driven infections, frequently beginning with spear-phishing.
- Post-entry, actors move laterally using PsExec, Windows Management Instrumentation (WMI), and RDP to spread within networks.
- Before encryption, sensitive data is exfiltrated with tools like Cobeacon; later, data is encrypted with a hybrid ChaCha20/RSA-4096 scheme and files gain a .basta extension.
- Shadow copies are deleted (vssadmin) to hinder recovery, and startup persistence is achieved by registry modification; PowerShell is used to disable defenses and obfuscation is employed in newer variants.
- Threat actors leverage social engineering (including Quick Assist) and rely on QakBot for initial access and Cobalt Strike for scanning and lateral movement.
- The latest variants exploit CVE-2024-1709, followed by lateral movement via PsExec and Cobalt Strike across the network.
MITRE Techniques
- [T1078] Initial Access – Compromised credentials used to gain access to target systems. Quote: ‘Compromised credentials used to gain access to target systems.’
- [T1566.001] Phishing – Spear-phishing campaigns to deliver malicious attachments or links. Quote: ‘spear-phishing campaigns. These campaigns involve sending targeted emails to victims, often disguised as legitimate correspondence.’
- [T1583.001] Acquire Infrastructure – Collaboration with Initial Access Brokers (IABs) to acquire access to hacked networks. Quote: ‘The latest attacks featuring Black Basta also include vishing, or voice phishing. This involves the impersonation of tech support or help desk personnel.’
- [T1203] Execution – Execution of malicious macros in Excel documents to initiate the infection process. Quote: ‘attacks begin with the victim unsuspectingly downloading an Excel document with macros. The attack then leads to the malware download and installation process.’
- [T1047] Windows Management Instrumentation – Windows Management Instrumentation (WMI) used to move across the network. Quote: ‘tools like PsExec, Windows Management Instrumentation (WMI), and RDP to move across the network.’
- [T1021.001] Remote Services – Lateral movement via remote access tools (e.g., Quick Assist/RDP). Quote: ‘The attackers use Quick Assist, a legitimate program for remote connection, to gain remote access to the victim’s system.’
- [T1547.001] Registry Run Keys/Startup Folder – Modify registry to run at startup. Quote: ‘to gain elevated privileges within the system’ (via registry changes) or ‘modify the registry to run automatically upon system startup.’
- [T1068] Privilege Escalation – Hijacking the legitimate system process ‘Fax’ to gain elevated privileges. Quote: ‘hijacking the legitimate system process ‘Fax’ to gain elevated privileges.’
- [T1562.001] Impair Defenses – Disabling active antivirus software using PowerShell commands. Quote: ‘Disabling active antivirus software using PowerShell.’
- [T1027] Obfuscated/Compressed Files and Information – Advanced obfuscation techniques to evade detection. Quote: ‘advanced obfuscation techniques to evade detection.’
- [T1003] Credential Access – Collection of stored credentials from the compromised system. Quote: ‘Collection of stored credentials from the compromised system.’
- [T1041] Exfiltration – Exfiltration of sensitive data before deploying ransomware using tools like Cobeacon. Quote: ‘Exfiltration of sensitive data before deploying ransomware using tools like Cobeacon.’
- [T1486] Data Encrypted for Impact – Hybrid encryption scheme (ChaCha20 + RSA-4096). Quote: ‘hybrid encryption scheme combining ChaCha20 for file encryption with RSA-4096 for encrypting the encryption key.’
- [T1485] Data Destruction – Deletion of shadow copies using ‘vssadmin’ to prevent recovery. Quote: ‘deletes Windows shadow copies via ‘vssadmin’ to prevent recovery.’
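The technique list above maps each stage of the chain to a MITRE ID; the following added example (not part of the original summary, and not ANY.RUN's code) turns those stages into host-level detection logic over constructed process and file events. Event shapes, host names, command lines and file paths are all constructed for illustration; the PowerShell and WMI command patterns are common ways those stages appear in telemetry, not commands quoted from the page.

```python
import re

# Regex over a process command line -> (MITRE technique, label). The technique
# IDs follow the mapping the summary gives for each stage of the Black Basta chain;
# T1569.002 (Service Execution) is used for PsExec, which the summary does not map.
PROCESS_RULES = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", "T1485", "shadow copy deletion"),
    (r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", "T1547.001", "Run key persistence"),
    (r"\bpowershell(\.exe)?\b.*Set-MpPreference\b.*-DisableRealtimeMonitoring\b",
     "T1562.001", "real-time protection disabled via PowerShell"),
    (r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b", "T1047", "WMI remote process creation"),
    (r"\bpsexec(\.exe)?\b", "T1569.002", "PsExec remote execution"),
    # Quick Assist is legitimate software; on its own this hit is informational only.
    (r"\bquickassist(\.exe)?\b", "T1021.001", "Quick Assist remote session"),
]

def scan_events(events):
    """Return (host, technique, label) for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for pattern, tid, label in PROCESS_RULES:
                if re.search(pattern, ev["cmd"], re.IGNORECASE):
                    hits.append((ev["host"], tid, label))
        elif ev["type"] == "file" and ev["path"].lower().endswith(".basta"):
            hits.append((ev["host"], "T1486", "file written with .basta extension"))
    return hits

def techniques_by_host(events):
    """Group distinct technique IDs per host so the chain can be read stage by stage."""
    by_host = {}
    for host, tid, _ in scan_events(events):
        by_host.setdefault(host, set()).add(tid)
    return {host: sorted(tids) for host, tids in by_host.items()}

def hosts_to_escalate(events, min_stages=2):
    """Escalate hosts showing two or more distinct chain stages; single hits are noisy."""
    return sorted(h for h, t in techniques_by_host(events).items() if len(t) >= min_stages)

# Constructed sample telemetry (hypothetical hosts, paths and command lines).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "cmd": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "type": "process", "cmd": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\svc.exe"},
    {"host": "WS01", "type": "file", "path": "C:\\Users\\alice\\Documents\\report.docx.basta"},
    {"host": "SRV02", "type": "process", "cmd": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "SRV02", "type": "process", "cmd": "wmic.exe /node:SRV03 process call create \"cmd /c C:\\temp\\a.exe\""},
    {"host": "SRV02", "type": "process", "cmd": "psexec.exe \\\\SRV03 -s cmd.exe"},
    {"host": "WS05", "type": "process", "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, tids in techniques_by_host(SAMPLE_EVENTS).items():
        print(host, tids)
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```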
Indicators of Compromise
- [Domain/URL] Tor address – used to provide victims with a login portal for decryption and ransom notes. Example: Tor address mentioned in victim documents.
- [File extension] .basta – files encrypted by Black Basta gain the .basta extension. Example: examplefile.basta
- [Tool/Software] QakBot – used to gain initial foothold (phishing and macros). Example: QakBot referenced as a means of initial access.
- [Tool/Software] PsExec – used for lateral movement across the network. Example: PsExec mentioned for network propagation.
- [Tool/Software] Cobalt Strike – used for scanning and lateral movement. Example: Cobalt Strike referenced for system discovery and movement.
- [Tool/Software] Quick Assist – used for social-engineering remote access. Example: Quick Assist described as a tool attackers use to gain remote control.
- [File name] Excel documents with macros – infection vector leading to malware download. Example: malicious Excel document with macros.
- [CVE] CVE-2024-1709 – exploited vulnerability in newer variants. Example: CVE-2024-1709 mentioned as being exploited.