Summary: The BlackBasta ransomware operation has adapted its tactics by utilizing Microsoft Teams for social engineering attacks, impersonating corporate help desks to deceive employees into granting remote access. This evolution follows their previous strategy of overwhelming inboxes with benign emails before contacting victims directly through Teams.
Threat Actor: BlackBasta
Victim: Corporations worldwide
Key Points:
- BlackBasta has shifted from traditional email phishing to using Microsoft Teams for social engineering attacks.
- The attackers impersonate IT help desk personnel to trick employees into installing remote access tools.
- They utilize external accounts with deceptive display names and may send QR codes linked to malicious domains.
- Once access is gained, they deploy various payloads, including Cobalt Strike, to facilitate further network infiltration.
- Organizations are advised to restrict external communications in Teams and enhance logging for suspicious activities.

The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.
Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into multiple groups, with one of these factions believed to be Black Basta.
Black Basta members breach networks through various methods, including exploiting vulnerabilities, partnering with malware botnets, and social engineering.
In May, Rapid7 and ReliaQuest released advisories on a new Black Basta social engineering campaign that flooded targeted employees’ inboxes with thousands of emails. These emails were not malicious in nature, mostly consisting of newsletters, sign-up confirmations, and email verifications, but they quickly overwhelmed a user’s inbox.
The threat actors would then call the overwhelmed employee, posing as their company’s IT help desk to help them with their spam problems.
During this voice social engineering attack, the attackers trick the person into installing the AnyDesk remote support tool or providing remote access to their Windows devices by launching the Windows Quick Assist remote control and screen-sharing tool.
From there, the attackers would run a script that installs various payloads, such as ScreenConnect, NetSupport Manager, and Cobalt Strike, which provide continued remote access to the user’s corporate device.
Once the Black Basta affiliate has gained access to the corporate network, they spread laterally to other devices while elevating privileges, stealing data, and ultimately deploying the ransomware encryptor.
Moving to Microsoft Teams
In a new report by ReliaQuest, researchers observed Black Basta affiliates evolving their tactics in October, now using Microsoft Teams instead of phone calls.
Like the previous attack, the threat actors first overwhelm an employee’s inbox with email.
However, instead of calling them, the attackers now contact employees through Microsoft Teams as external users, impersonating the corporate IT help desk and offering to help the employee with their spam problem.
The accounts are created under Entra ID tenants whose names are chosen to look like a help desk, such as:
- securityadminhelper.onmicrosoft[.]com
- supportserviceadmin.onmicrosoft[.]com
- supportadministrator.onmicrosoft[.]com
- cybersecurityadmin.onmicrosoft[.]com
“These external users set their profiles to a ‘DisplayName’ designed to make the targeted user think they were communicating with a help-desk account,” explains the new ReliaQuest report.
“In almost all instances we’ve observed, the display name included the string ‘Help Desk,’ often surrounded by whitespace characters, which is likely to center the name within the chat. We also observed that, typically, targeted users were added to a ‘OneOnOne’ chat.”
ReliaQuest says they have also seen the threat actors sending QR codes in the chats, which lead to domains like qr-s1[.]com. However, they could not determine what these QR codes are used for.
The researchers say that the external Microsoft Teams users originate from Russia, with the time zone data regularly being from Moscow.
The goal is to once again trick the target into installing AnyDesk or launching Quick Assist so the threat actors can gain remote access to their devices.
Once connected, the threat actors were seen installing payloads named “AntispamAccount.exe,” “AntispamUpdate.exe,” and “AntispamConnectUS.exe.”
Other researchers have flagged AntispamConnectUS.exe on VirusTotal as SystemBC, a proxy malware that Black Basta used in the past.
Ultimately, Cobalt Strike is installed, providing full access to the compromised device to act as a springboard to push further into the network.
ReliaQuest suggests organizations restrict communication from external users in Microsoft Teams and, if required, only allow it from trusted domains. Logging should also be enabled, especially for the ChatCreated event, to find suspicious chats.
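The logging advice above can be turned into a simple triage rule. The following is an added example written for this article, not code from ReliaQuest or the Black Basta research: it scores Teams ChatCreated audit records for the pattern described here (an external participant from an unbranded *.onmicrosoft.com tenant, a display name claiming a help-desk role padded with whitespace, and a OneOnOne chat). The record layout is a constructed approximation of Microsoft 365 Unified Audit Log entries; the field names (Operation, CommunicationType, ChatThreadId, Members, DisplayName, UPN), the organisation's domains and the sample records are all assumptions and should be checked against a real export from your tenant.

```python
"""Triage Teams ChatCreated audit records for help-desk impersonation.

Added example; record layout and field names are assumptions modelled
loosely on Microsoft 365 audit log exports, not a documented schema.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Assumption: the organisation's own verified domains; anything else is external.
INTERNAL_DOMAINS = {"example-corp.com", "example-corp.onmicrosoft.com"}

# Display names that claim an IT support role (case-insensitive).
HELP_DESK_RE = re.compile(r"help[\s\-]*desk|it\s*support|service\s*desk", re.IGNORECASE)

# Constructed sample records (JSON lines). The first chat reproduces the
# pattern from the article; the second is a benign external partner chat;
# the third is a non-ChatCreated event that the rule must ignore.
SAMPLE_LOG = """
{"Operation": "ChatCreated", "CommunicationType": "OneOnOne", "ChatThreadId": "19:chat-constructed-001", "Members": [{"DisplayName": "Alice Example", "UPN": "alice@example-corp.com"}, {"DisplayName": "      Help Desk      ", "UPN": "admin@securityadminhelper.onmicrosoft.com"}]}
{"Operation": "ChatCreated", "CommunicationType": "OneOnOne", "ChatThreadId": "19:chat-constructed-002", "Members": [{"DisplayName": "Alice Example", "UPN": "alice@example-corp.com"}, {"DisplayName": "Carol Partner", "UPN": "carol@partner-example.com"}]}
{"Operation": "MessageSent", "ChatThreadId": "19:chat-constructed-001", "Members": []}
"""


@dataclass
class Finding:
    chat_id: str
    external_upn: str
    display_name: str
    score: int
    reasons: list[str] = field(default_factory=list)


def load_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def domain_of(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def assess_member(member: dict) -> tuple[int, list[str]]:
    """Score one participant; internal users always score 0."""
    upn = member.get("UPN", "")
    name = member.get("DisplayName", "")
    dom = domain_of(upn)
    if not dom or dom in INTERNAL_DOMAINS:
        return 0, []
    score, reasons = 2, [f"external participant from {dom}"]
    if dom.endswith(".onmicrosoft.com"):
        score += 1
        reasons.append("unbranded *.onmicrosoft.com tenant")
    if HELP_DESK_RE.search(name):
        score += 3
        reasons.append("display name claims a help-desk role")
    if name != name.strip() or "  " in name:
        score += 1
        reasons.append("display name padded with whitespace")
    return score, reasons


def triage_chat_created(records: list[dict], threshold: int = 4) -> list[Finding]:
    """Return one Finding per external participant scoring at or above threshold."""
    findings: list[Finding] = []
    for rec in records:
        if rec.get("Operation") != "ChatCreated":
            continue
        for member in rec.get("Members", []):
            score, reasons = assess_member(member)
            if score == 0:
                continue
            if rec.get("CommunicationType") == "OneOnOne":
                score += 1
                reasons.append("one-on-one chat with an external user")
            if score >= threshold:
                findings.append(Finding(rec.get("ChatThreadId", "?"), member.get("UPN", ""),
                                        member.get("DisplayName", ""), score, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_chat_created(load_records(SAMPLE_LOG)):
        print(f"{f.chat_id}: {f.external_upn!r} as {f.display_name!r} (score {f.score})")
        for r in f.reasons:
            print(f"  - {r}")
```

The threshold keeps an ordinary one-on-one chat with a known partner domain (score 3) below the alert line while the impersonation pattern scores well above it; tune INTERNAL_DOMAINS and the threshold to your tenant, and treat a hit as a prompt to check the same user for AnyDesk or Quick Assist activity rather than as proof of compromise.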