Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor

SentinelLabs provides a comprehensive analysis of Black Basta’s operational TTPs, revealing custom tools, EDR-evasion capabilities, and a likely link to FIN7. The findings suggest FIN7 developers may have contributed to Black Basta’s toolset, with privilege escalation and defense-impairing tactics tied to PrintNightmare, ZeroLogon, and NoPac, alongside obfuscated AdFind usage.
Read more: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/

Keypoints

  • Black Basta operates with a private toolkit and shows ties to FIN7, including possible FIN7 developers behind its EDR-evasion tools.
  • Initial access commonly begins with Qakbot delivered by email, either as macro-based documents or as ISO+LNK droppers exploiting CVE-2022-30190; DLL hijacking in calc.exe is used to load Qakbot components.
  • Operator activity includes obfuscated AdFind tooling, in-memory .NET assemblies, and AD enumeration via LDAP with SharpHound/BloodHound.
  • Privilege escalation relies on ZeroLogon, NoPac, and PrintNightmare, with spider.dll creating a new admin user and deploying RunTimeListen.exe backdoor before cleanup.
  • Remote admin RATs (Netsupport Manager via Svvhost.exe, plus Splashtop/GoToAssist/Atera, SystemBC) enable persistence, C2, and module delivery across compromised networks.
  • Lateral movement uses psexec to deploy SERVI.bat, terminate defenses, and delete shadow copies across endpoints.
  • Defenses are impaired by batch scripts to disable Windows Defender and by WindefCheck.exe (fake Windows Security GUI), alongside C2 activities such as BIRDDOG/SocksBot and DNS-beacon in FIN7 operations.

MITRE Techniques

  • [T1203] Exploitation for Initial Access – The ISO dropper exploits the MSDT remote code execution vulnerability (CVE-2022-30190) and uses DLL hijacking in calc.exe to drop the Qakbot DLL. ‘exploits a DLL hijacking in calc.exe.’
  • [T1574.001] DLL Side-Loading / DLL Hijacking – DLL hijacking inside the calc binary loads WindowsCodecs.dll to execute Qakbot components. ‘DLL hijacking inside the calc binary and executing a Qakbot DLL, WindowsCodecs.dll.’
  • [T1059.001] PowerShell – Malicious PowerShell stored in the registry acts as a listener and loader. ‘a malicious PowerShell stored in the registry, acting as a listener and loader.’
  • [T1059.003] Command-Line Interface – Use of cmd.exe to run obfuscated or staged payloads (e.g., ‘cmd /C C:\intel\AF.exe -f …’). ‘cmd /C C:\intel\AF.exe -f objectcategory=computer -csv …’
  • [T1069.002] Active Directory Discovery – AD enumeration via LDAP using AF.exe and in-memory .NET assemblies; SharpHound/BloodHound usage. ‘SharpHound and BloodHound frameworks for AD enumeration via LDAP queries.’
  • [T1047] Windows Management Instrumentation – WMI queries to enumerate installed security solutions. ‘wmic /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value …’
  • [T1021] Lateral Movement – Deploying batch scripts via psexec (SERVI.bat) to kill services and defenses across endpoints. ‘batch file named SERVI.bat was deployed through psexec on all the endpoints.’
  • [T1136] Create Account – spider.dll spawns RunTimeListen.exe, which creates a new admin user and adds it to the Administrators and Remote Desktop Users groups. ‘The DLL creates the RunTimeListen.exe process… creates a user with username “Crackenn” and password …’
  • [T1562.001] Impair Defenses – Disable Windows Defender/Realtime Monitoring via batch scripts and registry changes. ‘DisableAntiSpyware … DisableRealtimeMonitoring … Uninstall-WindowsFeature -Name Windows-Defender’
  • [T1036] Masquerading – WindefCheck.exe presents a fake Windows Security GUI to mislead users. ‘The fake Windows Security GUI WindefCheck.exe.’
  • [T1071.004] DNS or Application Layer Protocol C2 – Cobalt Strike DNS beacon and domain jardinoks.com used for C2. ‘Cobalt Strike DNS beacon connecting to the domain “jardinoks.com”.’
  • [T1055] Process Injection – Process hollowing to hide malicious activity behind explorer.exe. ‘process hollowing is performed to hide malicious activity behind the legitimate process.’
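
A defender-side check built from the command lines quoted in the mapping above, added here as an example and not code from the SentinelLabs report: it runs a small set of regex rules (AdFind-style enumeration, SecurityCenter2 WMI queries, Defender tampering, psexec with SERVI.bat, admin/RDP group additions) over constructed sample process-creation log lines and groups the hits by host. The log format, hostnames and sample lines are assumptions made for the example.

```python
import re

# Constructed sample process-creation records (not from the report), in a minimal
# "host|user|command_line" layout standing in for Sysmon Event ID 1 / 4688 data.
SAMPLE_LOGS = [
    "ws01|alice|cmd /C C:\\intel\\AF.exe -f objectcategory=computer -csv name",
    "ws01|alice|wmic /namespace:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value",
    "srv02|SYSTEM|reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    "srv02|SYSTEM|powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "dc01|SYSTEM|psexec.exe \\\\ws03 -s cmd /c C:\\temp\\SERVI.bat",
    "ws03|SYSTEM|net localgroup Administrators Crackenn /add",
    "ws03|SYSTEM|net localgroup \"Remote Desktop Users\" Crackenn /add",
    "ws01|alice|notepad.exe C:\\Users\\alice\\notes.txt",  # benign control line
]

# (ATT&CK technique as listed in the summary, short description, case-insensitive regex)
RULES = [
    ("T1069.002", "AdFind-style AD enumeration", r"objectcategory=(computer|person|group).*-csv"),
    ("T1047", "WMI enumeration of installed AV products", r"securitycenter2.*antivirusproduct"),
    ("T1562.001", "Windows Defender tampering",
     r"disableantispyware|disablerealtimemonitoring|uninstall-windowsfeature.*windows-defender"),
    ("T1021", "psexec deploying SERVI.bat", r"psexec.*servi\.bat"),
    ("T1136", "admin / RDP group membership change",
     r'net\s+localgroup\s+("?remote desktop users"?|administrators)\s+\S+\s+/add'),
]

def scan_logs(lines):
    """Return one hit dict per (log line, matching rule)."""
    hits = []
    for line in lines:
        host, user, cmd = line.split("|", 2)
        for tech, desc, pattern in RULES:
            if re.search(pattern, cmd, re.IGNORECASE):
                hits.append({"host": host, "user": user, "technique": tech, "desc": desc, "cmd": cmd})
    return hits

def techniques_by_host(hits):
    """Map each host to the sorted set of distinct techniques seen on it."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["technique"])
    return {host: sorted(techs) for host, techs in by_host.items()}

def chained_hosts(hits, min_techniques=2):
    """Hosts showing several of the listed techniques, the pattern worth escalating first."""
    return sorted(h for h, t in techniques_by_host(hits).items() if len(t) >= min_techniques)
```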

Indicators of Compromise

  • [IP] 45[.]67[.]229[.]148 – used by BIRDDOG backdoor/C2 activity (FIN7-related tooling)
  • [Domain] jardinoks.com – C2 domain observed with Cobalt Strike DNS beacon
  • [Filename] spider.dll – payload dropped/dropper component associated with PrintNightmare activity
  • [Filename] RunTimeListen.exe – backdoor executable created after spider.dll deployment
  • [Filename] Svvhost.exe – self-extracting archive for Netsupport Manager drop
  • [Filename] AF.exe – uniquely obfuscated AdFind variant used for AD discovery
  • [Filename] zero22.exe, zero.exe – two versions of ZeroLogon-related exploits observed in some intrusions