Check Point Research analyzes Black Basta’s delivery and evasion techniques, highlighting how the dropper and payload are prepared to bypass analysis and encrypt data while moving laterally. The piece details the delivery stages, anti-debug/anti-analysis tricks, the ChaCha20-RSA encryption pipeline, and automated network distribution characteristics. #BlackBasta #QakBot #CobaltStrike #Rufus
Keypoints
- Delivery stage focuses on stealthy dropper preparation designed to evade analysis and enable smooth ransomware execution.
- The dropper is digitally signed with a certificate from Akeo Consulting to resemble legitimate software (mimics USB bootable drive creation).
- Extensive anti-debug and anti-analysis techniques are implemented to defeat emulators, sandboxes, and debuggers.
- Data is hidden/obfuscated (data located before the PE header) to hinder automated memory and payload analysis.
- ChaCha20 is used for per-file encryption, with RSA sealing of the ChaCha20 key and the encrypted key appended to files.
- Automatic distribution within networks uses LDAP to discover workstations and SMB/WMI-based lateral movement (copy to remote machines and launch via COM/WMI).
- The campaign emphasizes targeted extortion, including ransom notes and shadow copy deletion to hinder recovery.
MITRE Techniques
- [T1036] Masquerading – The dropper mimics Rufus, the application for creating USB bootable drives: ‘The Black Basta dropper mimics the application for creating USB bootable drives hosted on this site:’
- [T1116] Code Signing – The application is digitally signed with the same certificate (issued by “Akeo Consulting”) used for legitimate executables from the Rufus website: ‘The application is digitally signed with the same certificate (issued by “Akeo Consulting”) used for legitimate executables from the Rufus website:’
- [T1497.001] Virtualization/Sandbox Evasion – Anti-debug tricks implemented; if detected, the dropper stops its execution and quits without launching Black Basta: ‘If any of these techniques is successful in detecting a debugger and/or an emulation environment, the dropper stops its execution and quits without launching Black Basta.’
- [T1564.001] Hide Artifacts – Data is placed before the PE header of the ransomware payload so that automatic scanners cannot easily identify it in a memory dump: ‘data located before the PE header of the ransomware to prevent automatic scanners from easily identifying the malicious payload.’
- [T1486] Data Encrypted for Impact – Encryption using ChaCha20 with a per-file key, then RSA-protected key is appended to the file: ‘ChaCha20 stream cipher … is used for encryption with a key generated randomly for each encrypted file. This key is then passed to the RSA encryption with a hardcoded public key to retrieve 512 bytes of the encrypted ChaCha20 key. This key is appended to the end of the encrypted file.’
- [T1021.002] SMB/Windows Admin Shares – Automatic distribution uses LDAP to enumerate workstations and copies the executable to remote machines via the admin share path c$\Windows\tmp.exe: ‘The ransomware tries to connect to AD with the help of LDAP API and iterates over the connected workstations using the filter string (samAccountType=805306369)…’ and ‘copy itself to the remote machines via the path c$\Windows\tmp.exe.’
- [T1047] Windows Management Instrumentation – The copied payload is launched on remote hosts via COM objects and the Win32_Process Create method: ‘with the help of the COM objects IWbemClassObject … and IWbemServices->Win32_Process, the executable copied in the previous stage is launched via the Create method.’
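As an added example (not code from the Check Point report), the following correlation check looks for the distribution sequence summarized above on a per-source-host basis: an LDAP search using the workstation filter, a write to a remote C$ admin share at Windows\tmp.exe, and a WMI Win32_Process Create launching that path. The telemetry format, field names and host names are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry: "timestamp|source_host|event|detail" per line.
# Event and field names are assumptions, not a real product's log schema.
SAMPLE_LOG = r"""
10:00:01|WS01|ldap_search|filter=(samAccountType=805306369)
10:00:05|WS01|smb_write|path=\\WS02\C$\Windows\tmp.exe
10:00:06|WS01|wmi_process_create|target=WS02 cmd=C:\Windows\tmp.exe
10:00:09|WS01|smb_write|path=\\WS03\C$\Windows\tmp.exe
10:00:10|WS01|wmi_process_create|target=WS03 cmd=C:\Windows\tmp.exe
10:01:00|FS01|smb_write|path=\\WS02\share\report.docx
10:01:30|ADM1|wmi_process_create|target=WS05 cmd=C:\Windows\System32\gpupdate.exe
"""

# LDAP filter the report says is used to iterate over workstations.
WORKSTATION_FILTER = "(samAccountType=805306369)"
# Remote copy location described in the report: \\<host>\C$\Windows\tmp.exe
DROP_PATH = re.compile(r"^\\\\(?P<target>[^\\]+)\\C\$\\Windows\\tmp\.exe$", re.IGNORECASE)


def parse(line):
    """Split one record into (timestamp, source host, event, {key: value})."""
    ts, src, event, detail = line.split("|", 3)
    kv = dict(item.split("=", 1) for item in detail.split(" ") if "=" in item)
    return ts, src, event, kv


def analyze(log_text):
    """Return {source_host: finding} for hosts showing enumeration + drop + launch."""
    state = defaultdict(lambda: {"ldap_enum": False, "dropped": set(), "launched": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, event, kv = parse(line)
        s = state[src]
        if event == "ldap_search" and WORKSTATION_FILTER in kv.get("filter", ""):
            s["ldap_enum"] = True
        elif event == "smb_write":
            m = DROP_PATH.match(kv.get("path", ""))
            if m:
                s["dropped"].add(m.group("target").upper())
        elif event == "wmi_process_create":
            if kv.get("cmd", "").lower().endswith(r"\windows\tmp.exe"):
                s["launched"].add(kv.get("target", "").upper())
    findings = {}
    for src, s in state.items():
        executed = s["dropped"] & s["launched"]  # copied AND launched on the same target
        if executed:
            severity = "high" if s["ldap_enum"] else "medium"
            findings[src] = {"severity": severity, "targets": sorted(executed)}
    return findings
```

Running `analyze(SAMPLE_LOG)` flags only WS01, with severity high because the workstation enumeration preceded the drop-and-launch on WS02 and WS03; the benign share write and the gpupdate launch produce no finding.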
Indicators of Compromise
- [File Hash] context – 07fdfcde9c9a3f60b1302c6a42ef1191fcfa861e94638968c8023ed957d9144f, 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa, and 4 more hashes
- [Malware Name] context – Ransomware.Win.BlackBasta.A, Ransomware.Win.BlackBasta.B
- [File Name] context – readme.txt (ransom note dropped on Desktop)
- [File Extension] context – .basta (extension used for encrypted files)
- [File Path] context – c$\Windows\tmp.exe (remote copy path during lateral movement)
Read more: https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/