Threat Research

Fake Zoom Ends in BlackSuit Ransomware

TheDFIR

The intrusion began with a fake Zoom installer delivering SectopRAT malware, followed by Cobalt Strike and Brute Ratel. The attacker moved laterally using QDoor proxy and RDP, exfiltrated data via cloud storage, then deployed BlackSuit ransomware across Windows systems. (Affected: Windows systems, Enterprise network)

Keypoints :

  • Initial access was gained through a malicious Zoom installer using d3f@ckloader and IDAT loader.
  • SectopRAT malware was injected into MSBuild.exe and communicated via Pastebin-supplied C2 IP.
  • After nine days, SectopRAT executed Brute Ratel followed by Cobalt Strike for reconnaissance and privilege escalation.
  • Lateral movement used remote services and RDP, employing the QDoor proxy tool to tunnel RDP connections.
  • Threat actor collected, archived, and exfiltrated files using WinRAR and the cloud SaaS platform Bublup.
  • Final stage was ransomware deployment of BlackSuit across multiple hosts using PsExec and batch scripts.
  • The attacker deleted shadow copies (VSS) to prevent recovery and displayed ransom notes on all infected machines.
  • Multiple C2 frameworks detected: SectopRAT, Brute Ratel, Cobalt Strike, and QDoor proxy communications.
  • Common Windows admin utilities (WMIC, net, nltest, attrib, systeminfo) were abused for discovery and execution.
  • The overall time to ransomware deployment was approximately nine days with extensive stealth techniques.

MITRE Techniques :

  • Drive-by Compromise (T1189) – Initial access via fake Zoom installer website.
  • Ingress Tool Transfer (T1105) – Downloading secondary payloads via batch scripts and ZIP archives.
  • Hidden Files and Directories (T1564.001) – Using attrib to hide malicious loader files.
  • MSBuild (T1127.001) – SectopRAT injected into MSBuild.exe for persistence and C2 communication.
  • Regsvr32 (T1218.010) – Executing Brute Ratel DLL payload via regsvr32.exe.
  • Windows Command Shell (T1059.003) – Execution of batch scripts for various stages.
  • Service Execution (T1569.002) – Using Cobalt Strike psexec_psh to install remote services.
  • Remote Desktop Protocol (T1021.001) – Leveraging RDP tunneled via QDoor for lateral movement.
  • Exfiltration to Cloud Storage (T1567.002) – Uploading archived data to Bublup cloud SaaS storage.
  • Archive via Utility (T1560.001) – Using WinRAR to compress stolen files before exfiltration.
  • Data Encrypted for Impact (T1486) – Deployment and execution of BlackSuit ransomware.
  • Inhibit System Recovery (T1490) – Deleting Volume Shadow Copies using vssadmin.
  • Network Share Discovery (T1135) – Enumerating file shares for data collection.
  • Credential Dumping: LSASS Memory (T1003.001) – Accessing LSASS memory for credentials via Cobalt Strike.
  • Domain Trust Discovery (T1482) – Commands like nltest to identify domain relationships and trusts.
  • Registry Run Keys / Startup Folder (T1547.001) – Persisting by creating startup entries.
  • PowerShell (T1059.001) – Base64 encoded payloads for lateral movement.
  • Protocol Tunneling (T1572) – Using QDoor proxy to tunnel RDP traffic.
  • Malicious File (T1204.002) – Execution of trojanized Zoom installer.
  • System Information Discovery (T1082) – Use of systeminfo and similar commands.
  • Local Groups and Accounts Discovery (T1069, T1087.001) – Commands to enumerate domain groups and users.

Indicator of Compromise :

  • The article mentions IP addresses tied to C2 servers for SectopRAT (e.g., 45.141.87.218:9000), Brute Ratel, Cobalt Strike, and QDoor.
  • File hashes for key malware files including EXE.bat, COPY.bat, 123.exe (BlackSuit ransomware), PsExec.exe, and svhost.exe (QDoor) are provided for detection.
  • User-Agent strings for C2 communications such as a specific Chrome browser signature used by Brute Ratel Badger DLLs.
  • Network signatures triggering IDS rules like ET MALWARE Arechclient2 Backdoor/SecTopRAT and ET POLICY Tunneled RDP msts Handshake.
  • URLs and domains involved in C2 infrastructure: megupdate.com, provincial-gaiters-gw.aws-use1.cloud-ara.tyk.io, zoommanager.com (malicious Zoom site).
  • Distinct batch script names (e.g., EXE.bat, COPY.bat) used for ransomware deployment indicate orchestration steps.
  • Evidence of suspicious downloads like WinRAR installers from known URLs (win-rar.com) and temporary file sharing site temp.sh.
  • Windows event IDs (4624, 4779) indicating unusual RDP and remote logon sessions linked to QDoor activity.

Read more: https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint