ReliaQuest identified a Black Basta campaign that shifted to social engineering via Microsoft Teams and QR codes to gain initial access, signaling evolving ransomware-like tactics. The campaign shows high activity across multiple sectors, with impersonation of help desk staff and use of remote access tools, aiming to deploy ransomware. #BlackBasta #MicrosoftTeams #QRcodes #AnyDesk #Impacket #CobaltStrike #ReliaQuest
Key points
- Black Basta has shifted tactics to include Microsoft Teams chats and QR codes for social engineering.
- The group previously relied on overwhelming email spam to initiate contact with users.
- Attackers impersonate help desk staff using external Microsoft Teams accounts with misleading display names.
- Malicious QR codes are sent to users, potentially leading to further malicious infrastructure.
- ReliaQuest has observed a significant increase in email spam and vishing attacks related to this campaign.
- Recommendations include blocking malicious domains, disabling external Teams communication, and enhancing email security measures.
- Ongoing training for employees on social engineering tactics is crucial for defense.
MITRE Techniques
- [T1566] Phishing – "Attackers use email spam and Teams messages to trick users into downloading malicious software."
- [T1003] Credential Dumping – "Using tools like Impacket to capture Kerberos password hashes for lateral movement."
- [T1219] Remote Access Software – "Threat actors entice users to download RMM tools like AnyDesk under false pretenses."
- [T1071] Command and Control – "Utilizing Cobalt Strike beacons to communicate with compromised hosts."
Indicators of Compromise
- [Domain] QR-code phishing domains – qr-s1[.]com, qr-s2[.]com – used in QR-code phishing activities
- [Domain] Cobalt Strike beacon domains – companymartec[.]com, hessetechnology[.]com – used for beaconing / C2
- [File] Antispam-related executables – AntispamAccount.exe, AntispamUpdate.exe – used in post-infection activity
- [Email Address] Spam sender addresses – noreply@domain[.]com, support@domain[.]com – used in spam campaigns
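As an added detection example (not code from the ReliaQuest post), the check below triages Teams chat records for the pattern described above: an external-tenant sender using a help-desk style display name, a link to one of the listed campaign domains, or an external sender pushing AnyDesk. The message record shape, the home tenant name and the sample messages are constructed assumptions.

```python
import re

# Defanged domains as listed in the write-up (QR phishing and Cobalt Strike C2).
IOC_DOMAINS = {"qr-s1[.]com", "qr-s2[.]com", "companymartec[.]com", "hessetechnology[.]com"}
IOC_HOSTS = {d.replace("[.]", ".").lower() for d in IOC_DOMAINS}

# Display-name wording the campaign uses to pose as internal support staff.
HELPDESK_PATTERN = re.compile(r"help\s*desk|it\s*support|service\s*desk", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
RMM_PATTERN = re.compile(r"anydesk", re.IGNORECASE)

HOME_TENANT = "contoso.example"  # assumed home tenant, constructed for the example


def analyse_message(msg: dict, home_tenant: str = HOME_TENANT) -> list:
    """Return the reasons a single Teams message matches the campaign pattern.

    msg is a constructed record with keys: id, sender_tenant, display_name, body.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    external = msg["sender_tenant"].lower() != home_tenant.lower()
    # Internal help-desk accounts are expected; the same name from outside is not.
    if external and HELPDESK_PATTERN.search(msg["display_name"]):
        reasons.append("external account using help-desk style display name")
    for host in URL_PATTERN.findall(msg["body"]):
        if host.lower() in IOC_HOSTS:
            reasons.append(f"link to known campaign domain {host.lower()}")
    if external and RMM_PATTERN.search(msg["body"]):
        reasons.append("external sender pushing AnyDesk remote access")
    return reasons


def triage(messages: list, home_tenant: str = HOME_TENANT) -> dict:
    """Map message id -> reasons for every message that raised at least one reason."""
    flagged = {}
    for msg in messages:
        reasons = analyse_message(msg, home_tenant)
        if reasons:
            flagged[msg["id"]] = reasons
    return flagged


# Constructed sample records, not real telemetry.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender_tenant": "contoso.example", "display_name": "Jane Doe",
     "body": "Lunch at noon?"},
    {"id": "m2", "sender_tenant": "external-tenant.example", "display_name": "Help Desk",
     "body": "We saw spam on your mailbox. Install AnyDesk via https://qr-s1.com/fix to resolve."},
    {"id": "m3", "sender_tenant": "contoso.example", "display_name": "IT Support",
     "body": "Ticket closed."},
    {"id": "m4", "sender_tenant": "partner.example", "display_name": "Bob",
     "body": "Report is here: https://hessetechnology.com/report"},
]

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES).items():
        print(msg_id, "->", "; ".join(reasons))
```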
Read more: https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/