BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict

The Black Basta ransomware group’s social engineering attacks sharply declined after December 2024, with evidence indicating that BlackSuit affiliates have adopted or absorbed their tactics. Rapid7’s analysis reveals sophisticated Java RAT and QEMU-based malware deployments, leveraging cloud services for command and control, and highlights ongoing evolution in attacker methods. #BlackBasta #BlackSuit #JavaRAT

Key points

  • Black Basta’s social engineering campaigns dropped significantly after December 2024, coinciding with internal conflicts revealed by leaked chat logs.
  • BlackSuit ransomware affiliates have either adopted Black Basta’s attack techniques or absorbed members of the group.
  • Attackers employ email bombing by signing targets up to multiple mailing lists to overwhelm inboxes as an initial attack vector.
  • Social engineering is primarily conducted via Microsoft Teams, using either default Azure tenants or custom domains; BlackSuit affiliates sometimes use spoofed phone calls.
  • Quick Assist and fake login pages are abused to gain remote access and steal credentials, with operators coordinating handoff to pentesters who perform network enumeration and password attacks.
  • The Java RAT uses cloud services such as Google Drive and OneDrive for C2 communication; its code is obfuscated, and its configuration is fetched dynamically from Google Sheets.
  • QEMU-based virtual machines with embedded malware (e.g., QDoor) are deployed for persistent access and C2 traffic proxying, linked to BlackSuit operations.
  • Malware developers actively test new Java RAT features and Rust malware payloads in controlled lab environments before deployment.

MITRE Techniques

  • [T1566] Phishing – Use of social engineering via Microsoft Teams messages and spoofed phone calls to target users pretending to be help desk personnel. (“…reach out to impacted users pretending to be a member of the targeted organization’s help desk.”)
  • [T1219] Remote Access Software – Abuse of Windows Quick Assist and other remote tools like AnyDesk and ScreenConnect to gain remote control. (“…gain access to the user’s asset — and thereby the corporate network — via Quick Assist.”)
  • [T1189] Drive-by Compromise – Distribution of malware archives via Pastebin and compromised SharePoint instances. (“…archives are still being publicly hosted on potentially compromised SharePoint instances.”)
  • [T1106] Execution through API – Java RAT executes remote PowerShell commands using stdin and stdout streams. (“…the RAT will then establish at least one PowerShell session…commands sent to the Java RAT are proxied through the respective CSP…”)
  • [T1552] Unsecured Credentials – Stealing credentials using fake login forms and coercion for MFA codes. (“…coerce the target user to provide an MFA code while still on the phone.”)
  • [T1059] Command and Scripting Interpreter – Use of PowerShell and Python scripts for malware deployment and execution. (“…delivered via the Java RAT. The python RAT has a similar command menu…”)
  • [T1136] Create Account – Attempts to steal VPN configuration files to authenticate directly to networks. (“…attempt to steal VPN configuration files once remote access is established…”)
  • [T1569] System Services – Use of SSH reverse tunnels and proxy malware like QDoor for command and control. (“…SSH reverse tunnels being established to provide access…QDoor, Rust malware that functions as a C2 proxy…”)
  • [T1078] Valid Accounts – Harvesting domain credentials and performing AS-REP and Kerberoasting attacks. (“…observed AS-REP and Kerberoasting attacks to be commonly attempted…”)
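The Java RAT behaviours called out above (cloud-storage C2 in the key points, and the PowerShell session driven over stdin/stdout under T1106) both leave traces that endpoint telemetry can catch. The following script is an added example, not Rapid7's code or anything from the report: it runs two heuristics over Sysmon-style Event ID 1 (process creation) and Event ID 3 (network connection) records and correlates hits per Java process. The event records, host names, and the concrete cloud hostnames in the watch list are assumptions constructed for the example; the report names the services, not these hostnames.

```python
"""Detection heuristics for the Java RAT behaviours described in the report.

Added example, not Rapid7's code. It scans Sysmon-style records (Event ID 1
process creation, Event ID 3 network connection) for two behaviours from the
report: a Java process that spawns PowerShell, matching the RAT's stdin/stdout
command channel, and a Java process that talks to the consumer cloud-storage
services the RAT uses for C2. Events and hostnames below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Services named in the report. The hostnames are assumptions about what a
# DNS or proxy log would show, not indicators published in the report.
CLOUD_C2_DOMAINS = {
    "drive.google.com", "docs.google.com", "sheets.googleapis.com",
    "www.googleapis.com", "onedrive.live.com", "graph.microsoft.com",
    "pastebin.com", "1ty.me",
}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
RULE_SPAWN = "java_spawns_powershell"
RULE_C2 = "java_cloud_storage_connection"


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    pid: int      # PID of the Java process the finding is attributed to
    detail: str


def basename(image: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_java(image: str) -> bool:
    return basename(image) in JAVA_IMAGES


def domain_matches(hostname: str) -> bool:
    """Exact or subdomain match against the watch list; never a substring match."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in CLOUD_C2_DOMAINS)


def scan(events: Iterable[dict]) -> List[Finding]:
    """Apply both rules to a stream of event dicts and return the findings."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if (eid == 1 and is_java(ev.get("ParentImage", ""))
                and basename(ev.get("Image", "")) == "powershell.exe"):
            # Attribute to the parent (Java) PID so it correlates with network events.
            findings.append(Finding(RULE_SPAWN, ev["Computer"],
                                    ev["ParentProcessId"], ev.get("CommandLine", "")))
        elif (eid == 3 and is_java(ev.get("Image", ""))
                and domain_matches(ev.get("DestinationHostname", ""))):
            findings.append(Finding(RULE_C2, ev["Computer"],
                                    ev["ProcessId"], ev["DestinationHostname"]))
    return findings


def correlate(findings: Iterable[Finding]) -> List[Tuple[str, int]]:
    """(host, java pid) pairs showing BOTH behaviours: the high-confidence set."""
    seen: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in findings:
        seen[(f.host, f.pid)].add(f.rule)
    return sorted(key for key, rules in seen.items() if {RULE_SPAWN, RULE_C2} <= rules)


# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    # benign: a developer JVM reaching an internal artifact repository
    {"EventID": 3, "Computer": "WS-0102", "ProcessId": 4120,
     "Image": "C:\\Program Files\\Java\\jdk-17\\bin\\java.exe",
     "DestinationHostname": "nexus.corp.example"},
    # benign: PowerShell started by the user from Explorer
    {"EventID": 1, "Computer": "WS-0102", "ProcessId": 5210, "ParentProcessId": 3001,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"},
    # suspicious: a JVM under the user profile polls Google Drive
    {"EventID": 3, "Computer": "WS-0417", "ProcessId": 7788,
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\jre\\bin\\javaw.exe",
     "DestinationHostname": "drive.google.com"},
    # suspicious: the same JVM holds a PowerShell session reading commands from stdin
    {"EventID": 1, "Computer": "WS-0417", "ProcessId": 7801, "ParentProcessId": 7788,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\jre\\bin\\javaw.exe",
     "CommandLine": "powershell.exe -NoProfile -NonInteractive -Command -"},
    # near miss: a look-alike name must not match by substring
    {"EventID": 3, "Computer": "WS-0417", "ProcessId": 7788,
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\jre\\bin\\javaw.exe",
     "DestinationHostname": "drive.google.com.evil.example"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("correlated:", correlate(hits))
```

Either rule on its own is noisy in an estate with Java-based tooling; the `correlate` step is where the report's tradecraft becomes a usable signal, because a single JVM both reaching consumer cloud storage and holding a stdin-driven PowerShell child is rare outside of this kind of implant. Replacing the `SAMPLE_EVENTS` list with parsed Sysmon or EDR exports is the only change needed to run it on real data.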

Indicators of Compromise

  • [File Hashes] Examples of malware samples related to Java RAT and Rust payloads, including identity.jar, updater.exe, and testapp.exe; more hashes available on the Rapid7 GitHub repository.
  • [Domains] Cloud service domains used for C2, including Google Drive, OneDrive and Pastebin.com, plus fake login domains; pastebin[.]com and 1ty[.]me also host links that distribute the malware.
  • [File Names] Archive examples like Email-Focus-Tool.zip, CloudEmailSwitch.zip, and conf.py script files used in malware delivery.
  • [IP Addresses] Proxy server IPv4 addresses are stored in the malware configuration and change actively; specific addresses are not disclosed, but they are included in the cloud drive proxies.
  • [Registry Keys] Base64-encoded, AES-256-ECB-encrypted configuration stored in randomized registry keys such as HKCU\SOFTWARE\FENokuuTCyVqJJSUP0CEcUw9PENaNduhsA==
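The registry indicator above is more useful as a shape than as a literal value, since the key name is randomized per infection. What stays constant is the structure: a base64-looking leaf key below HKCU\SOFTWARE whose value decodes to high-entropy bytes with a length that is a multiple of the 16-byte AES block size (ECB adds no IV, nonce or tag). The script below is an added example, not Rapid7's tooling: it scores registry string values on those properties. The key name is the one quoted above; every value payload is constructed here, with chained SHA-256 digests standing in for ciphertext, and the `walk_hkcu_software` collector only does anything on Windows.

```python
"""Triage heuristic for the registry-resident RAT configuration.

Added example, not Rapid7's tooling. The report states the Java RAT keeps its
configuration as base64-encoded AES-256-ECB ciphertext under a randomized key
below HKCU\\SOFTWARE. This script flags registry values that have the profile
of such a blob: the value decodes as base64, the decoded bytes are high-entropy
with a length that is a multiple of 16, and (as a bonus signal) the leaf key
name itself looks like base64. The key name is quoted from the report; all
value data is constructed (SHA-256 output stands in for ciphertext).
"""
import base64
import binascii
import hashlib
import json
import math
import re
import sys
from collections import Counter
from typing import List, Optional, Tuple

Entry = Tuple[str, str, str]          # (key path, value name, value data as text)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB = 128                        # bytes; shorter blobs give unreliable entropy
ENTROPY_MIN = 6.0                     # bits/byte; ASCII or JSON config sits well below 5.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_base64(s: str) -> bool:
    """True for strings shaped like base64 rather than a readable word."""
    return (len(s) >= 16 and len(s) % 4 == 0 and bool(B64_RE.match(s))
            and any(ch.isdigit() for ch in s) and s != s.lower() and s != s.upper())


def try_decode(s: str) -> Optional[bytes]:
    if not looks_base64(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(entries: List[Entry]) -> List[dict]:
    """Return one finding per value matching the encrypted-config profile."""
    findings = []
    for key_path, value_name, data in entries:
        blob = try_decode(data)
        if blob is None or len(blob) < MIN_BLOB or len(blob) % 16:
            continue
        ent = shannon_entropy(blob)
        if ent < ENTROPY_MIN:
            continue
        reasons = ["base64 value", "length multiple of 16", f"entropy {ent:.2f}"]
        if looks_base64(key_path.rsplit("\\", 1)[-1]):
            reasons.append("base64-looking key name")
        findings.append({"key": key_path, "value": value_name,
                         "entropy": round(ent, 2), "reasons": reasons})
    return findings


def _pseudo_ciphertext(label: bytes, blocks: int) -> bytes:
    """Constructed stand-in for AES-ECB output: chained SHA-256 digests."""
    return b"".join(hashlib.sha256(label + bytes([i])).digest() for i in range(blocks // 2))


# Constructed sample registry contents; only the first key name comes from the report.
SAMPLE_ENTRIES: List[Entry] = [
    ("HKCU\\SOFTWARE\\FENokuuTCyVqJJSUP0CEcUw9PENaNduhsA==", "(Default)",
     base64.b64encode(_pseudo_ciphertext(b"rat-config", 16)).decode()),
    ("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer", "ShellState",
     base64.b64encode(b"\x24\x00\x00\x00" + b"\x00" * 32).decode()),    # short, low entropy
    ("HKCU\\SOFTWARE\\ExampleVendor\\ExampleApp", "Config",                # plaintext JSON
     base64.b64encode(json.dumps({"server": "updates.example", "interval": 300,
                                  "log": "info", "pad": "x" * 200}).encode()).decode()),
]


def walk_hkcu_software() -> List[Entry]:
    """Collect string values below HKCU\\SOFTWARE (Windows only; [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    entries: List[Entry] = []

    def walk(handle, path):
        nsub, nval, _ = winreg.QueryInfoKey(handle)
        for i in range(nval):
            name, data, _ = winreg.EnumValue(handle, i)
            if isinstance(data, str):
                entries.append((path, name, data))
        for i in range(nsub):
            sub = winreg.EnumKey(handle, i)
            try:
                with winreg.OpenKey(handle, sub) as h:
                    walk(h, path + "\\" + sub)
            except OSError:
                pass                      # access denied or key vanished mid-walk

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "SOFTWARE") as root:
        walk(root, "HKCU\\SOFTWARE")
    return entries


if __name__ == "__main__":
    for finding in triage(walk_hkcu_software() or SAMPLE_ENTRIES):
        print(finding)
```

The entropy and block-length checks do the real work; the key-name check only raises confidence, because plenty of legitimate vendors also use opaque subkey names. Legitimate software does store encrypted blobs in HKCU (DPAPI-protected secrets, for instance), so treat a hit as a lead to pull the value for analysis, not as a verdict.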


Read more: https://blog.rapid7.com/2025/06/10/blacksuit-continues-social-engineering-attacks-in-wake-of-black-bastas-internal-conflict/
