Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit

Black Basta expanded its repertoire by employing QakBot as an entry point and using the PrintNightmare flaw to perform privileged file operations. It also leveraged the Coroxy backdoor and Netcat for lateral movement across networks. #BlackBasta #QakBot

Keypoints

  • Black Basta uses QakBot as an entry point and leverages PrintNightmare (CVE-2021-34527) for privileged file operations.
  • QakBot acts as a malware-installation vector for ransomware families and has also been observed exploiting the then newly disclosed Follina vulnerability (CVE-2022-30190).
  • Infection chain starts with spear-phishing emails containing Excel 4.0 macros, leading to QakBot DLL dropping and execution via regsvr32, followed by process injection and a scheduled task.
  • After QakBot, the Cobeacon backdoor (Trend Micro's detection name for the Cobalt Strike beacon) is downloaded/dropped by a PowerShell script with multiple layers of obfuscation; the script also creates a named pipe, possibly for data exfiltration.
  • PrintNightmare is exploited to drop spider.dll and perform privileged file operations; Coroxy backdoor and Netcat are used for lateral movement before the main Black Basta ransomware is deployed.
  • Phishing defense guidance and Trend Micro solutions are highlighted as mitigation, emphasizing multi-layer detection and response capabilities.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Spear-phishing emails carry Excel 4.0 macro attachments that lure the recipient into enabling macros; “The emails entice the recipient to enable macros, which download and execute the QakBot DLL files.”
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – “executed via regsvr32.exe.”
  • [T1055] Process Injection – “The QakBot DLL performs process injection using explorer.exe.”
  • [T1053.005] Scheduled Task – “creates a scheduled task to maintain the malware’s initial foothold.”
  • [T1059.001] PowerShell – “PowerShell script with multiple layers of obfuscation.”
  • [T1027] Obfuscated Files or Information – “Base64-encoded shellcode … multiple layers of obfuscation.”
  • [T1203] Exploitation for Client Execution – “exploitation of a newly disclosed Microsoft zero-day vulnerability known as Follina (CVE-2022-30190).”
  • [T1068] Exploitation for Privilege Escalation – “exploitation of the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged file operations.”
  • [T1021] Remote Services (lateral movement) – “Netcat to move laterally across the network.”
  • [T1105] Ingress Tool Transfer – “proceeds to download and drop the other components in the infection chain.”

Indicators of Compromise

  • [SHA-256] 01fafd51bb42f032b08b1c30130b963843fea0493500e871d6a6a87e555c7bac, 72a48f8592d89eb53a18821a54fd791298fcc0b3fc6bf9397fd71498527e7c0e, and 2 more hashes
  • [IP:Port] (defanged) 24[.]178[.]196[.]44:2222, 37[.]186[.]54[.]185:995
  • [Domain] (defanged) elblogdeloscachanillas[.]com[.]mx, lalualex[.]com
  • [FileName] spider.dll, QakBot_DLL
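The infection chain in the keypoints and MITRE list above (Office macro launching regsvr32, a scheduled task created out of the injected explorer.exe, encoded PowerShell, the print spooler loading a dropped DLL, and beaconing to the listed infrastructure) maps onto a handful of telemetry checks. The following is an added example, not code from the Trend Micro write-up: a small detection pass over constructed Sysmon-style process-creation, image-load and network events. The event shape, every field name, the sample events and the "unsigned DLL loaded by spoolsv.exe" heuristic for PrintNightmare are assumptions for this example; only the defanged indicators are copied from the IoC list above.

```python
"""Added example: detect stages of the QakBot -> Black Basta chain in
constructed Sysmon-like events and match the defanged IoCs above."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Defanged indicators copied from the IoC list; refang() makes them matchable.
DEFANGED_C2 = ["24[.]178[.]196[.]44:2222", "37[.]186[.]54[.]185:995"]
DEFANGED_DOMAINS = ["elblogdeloscachanillas[.]com[.]mx", "lalualex[.]com"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4:995') back into a real one."""
    return ioc.replace("[.]", ".")


C2_ENDPOINTS = {refang(i) for i in DEFANGED_C2}
C2_DOMAINS = {refang(i) for i in DEFANGED_DOMAINS}

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
# '-enc <base64>' style launches or an inline FromBase64String call.
ENCODED_PS = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}|frombase64string", re.I)


@dataclass
class Event:
    """Assumed minimal event shape (fields modelled on Sysmon EID 1/7/3)."""
    kind: str            # "process", "imageload" or "network"
    image: str           # image path of the acting process
    parent: str = ""     # parent image path (process events)
    cmdline: str = ""    # command line (process events)
    loaded: str = ""     # DLL path (imageload events)
    signed: bool = True  # DLL signature status (imageload events)
    dest: str = ""       # "ip:port" (network events)
    domain: str = ""     # queried/resolved domain (network events)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> List[Tuple[str, str]]:
    """Return (technique, description) hits for a single event."""
    hits: List[Tuple[str, str]] = []
    img, parent = basename(ev.image), basename(ev.parent)
    if ev.kind == "process":
        # Macro-enabled workbook handing a DLL to regsvr32 (T1566.001 -> T1218.011).
        if img == "regsvr32.exe" and parent in OFFICE_APPS:
            hits.append(("T1218.011", "regsvr32 spawned by an Office application"))
        # Persistence set up from explorer.exe, the injection host named in the write-up.
        if img == "schtasks.exe" and parent == "explorer.exe" and "/create" in ev.cmdline.lower():
            hits.append(("T1053.005", "scheduled task created from explorer.exe"))
        if img in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(ev.cmdline):
            hits.append(("T1059.001", "PowerShell launched with encoded/Base64 payload"))
    elif ev.kind == "imageload":
        # Heuristic (assumption): the spooler service should not load unsigned DLLs.
        if img == "spoolsv.exe" and not ev.signed:
            hits.append(("T1068", f"print spooler loaded unsigned DLL {basename(ev.loaded)}"))
    elif ev.kind == "network":
        if ev.dest in C2_ENDPOINTS or ev.domain.lower() in C2_DOMAINS:
            hits.append(("IOC", f"traffic to listed QakBot infrastructure {ev.dest or ev.domain}"))
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Run classify() over a list of events; returns (index, technique, description)."""
    return [(i, t, d) for i, ev in enumerate(events) for t, d in classify(ev)]


# Constructed sample events following the chain in the write-up (paths and
# command lines are illustrative, not captured from the real intrusion).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\regsvr32.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          cmdline=r"regsvr32.exe C:\Users\victim\AppData\Local\Temp\QakBot_DLL.dll"),
    Event("process", r"C:\Windows\System32\schtasks.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r'schtasks.exe /Create /tn "update" /tr "regsvr32.exe ...QakBot_DLL.dll" /sc minute'),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event("imageload", r"C:\Windows\System32\spoolsv.exe",
          loaded=r"C:\Windows\System32\spool\drivers\x64\3\spider.dll", signed=False),
    Event("network", r"C:\Windows\explorer.exe", dest="37.186.54.185:995"),
    Event("process", r"C:\Windows\System32\svchost.exe", parent=r"C:\Windows\System32\services.exe",
          cmdline="svchost.exe -k netsvcs"),                       # benign noise
    Event("network", r"C:\Windows\System32\svchost.exe", dest="8.8.8.8:53", domain="example.com"),
]

if __name__ == "__main__":
    for idx, tech, desc in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{tech}] {desc}")
```

Each rule keys on a parent/child or loader relationship rather than on a file hash, so it still fires when the DLL name or hash changes; the IoC match is the only rule that depends on the listed infrastructure, and it is the first to go stale.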

Read more: https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html