Researchers document Black Basta’s observed TTPs during a recent incident response, detailing lateral movement, defense evasion, discovery, and encryption activities against Hyper-V environments and Veeam backups. The post also provides a technical breakdown of the ransomware binary, including wallpaper/icon changes and associated indicators of compromise. #BlackBasta #Qakbot #CobaltStrike #Hyper-V #Veeam #rdp
Keypoints
- Black Basta employs double-extortion, exfiltrating data before encryption and using Tor-based blogs/sites for leaks.
- Lateral movement was achieved via PsExec and a Qakbot-enabled, regsvr32-driven payload to deploy ransomware.
- Discovery included collecting internal IP addresses with a pc_list.txt file to target hosts.
- Defense evasion involved disabling Windows Defender through batch scripts and a Domain Controller Panda/Group Policy push to registry settings.
- Impact included RDP access to Hyper-V servers, modification of Veeam backup configurations, and deletion of backups, plus shadow copy deletion.
- Encryption used ChaCha20 with a separately RSA-encrypted key; encryption operates on 64-byte blocks with a final appended key/hex data.
MITRE Techniques
- [T1021.001] Remote Services – Remote Desktop Protocol (RDP) was used to establish remote sessions on compromised hosts. “RDP along with the deployment of a batch file called rdp.bat which contained command lines to enable RDP logons.”
- [T1218.011] Signed Binary Proxy Execution: Regsvr32 – A Qakbot DLL was executed using regsvr32.exe. “regsvr32.exe -s SYSVOL\<random string>.dll”
- [T1543.003] Create/Modify Windows Service – A temporary service was created on a target host to execute the Qakbot payload. “remotely create a temporary service on a target host which was configured to execute a Qakbot DLL”
- [T1021.002] Remote Services – PsExec.exe used for lateral movement (PsExec.exe created in the C:\Windows folder). “PsExec.exe which was created in the C:\Windows folder.”
- [T1016] System Network Configuration Discovery – Internal IPs were gathered via pc_list.txt to target hosts. “a text file in the C:\Windows folder named pc_list.txt … list of internal IP addresses of all the systems on the network.”
- [T1047] Windows Management Instrumentation – WMI used to spread and execute files across the network. “Invoke-TotalExec that provided the ability to spread and execute files over the network using WMI.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell commands were used to disable Defender and other actions. “powershell -ExecutionPolicy Bypass -command "New-ItemProperty … DisableAntiSpyware …"”
- [T1562.001] Impair Defenses – Disabling Windows Defender through batch script and GPO changes. “two main techniques to disable Windows Defender.”
- [T1112] Modify Registry – Registry changes to enable RDP and push out changes via GPO. “reg add … fDenyTSConnections … 0” and registry edits via GPO.
- [T1490] Inhibit System Recovery – Shadow copy deletion to hinder recovery. “shadow copies” deletion commands.
- [T1486] Data Encrypted for Impact – Encryption of files using ChaCha20 with an RSA-wrapped key. “encrypted using the ChaCha20 cypher” and “The encryption key is encrypted using an implementation of RSA…”
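The command lines quoted in the techniques above can be turned into simple process-creation detections. The following is an added example, not code from the NCC Group post: it matches the regsvr32 SYSVOL load, the fDenyTSConnections registry edit, the DisableAntiSpyware PowerShell call and PsExec in C:\Windows against constructed sample records (the record format, hostnames and full command lines are assumptions) and flags hosts where the RDP-enable and regsvr32 steps occur together.

```python
import re

# Command-line patterns derived from the TTPs the post describes; technique IDs as above.
RULES = [
    ("T1218.011", re.compile(r"\bregsvr32(\.exe)?\b.*\s-s\b.*sysvol.*\.dll", re.I)),
    ("T1112", re.compile(r"\breg(\.exe)?\s+add\b.*fDenyTSConnections.*\b0\b", re.I)),
    ("T1059.001", re.compile(r"\bpowershell\b.*-executionpolicy\s+bypass.*DisableAntiSpyware", re.I)),
    ("T1021.002", re.compile(r"c:\\windows\\psexec\.exe", re.I)),
]

# Constructed process-creation record format (hypothetical, not the post's telemetry).
EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

def classify(cmdline):
    """Return the technique IDs whose pattern matches this command line."""
    return [tid for tid, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Return (host, technique_id) pairs for every event that matches a rule."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed record: skip rather than abort the scan
        for tid in classify(m["cmd"]):
            hits.append((m["host"], tid))
    return hits

def hosts_with_chain(hits, needed=("T1112", "T1218.011")):
    """Hosts showing both the RDP-enable registry edit and the regsvr32 SYSVOL load.
    Either alone can be noise; the pair reproduces the lateral-movement sequence."""
    per_host = {}
    for host, tid in hits:
        per_host.setdefault(host, set()).add(tid)
    return sorted(h for h, seen in per_host.items() if set(needed) <= seen)

# Constructed sample events (not from the post); the last one is benign and must not fire.
SAMPLE = [
    '2022-05-01T10:00:01Z host=WS01 user=CORP\\admin cmd=reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    "2022-05-01T10:00:05Z host=WS01 user=CORP\\admin cmd=regsvr32.exe -s C:\\Windows\\SYSVOL\\sysvol.dll",
    "2022-05-01T10:01:00Z host=HV01 user=CORP\\admin cmd=powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware -Value 1\"",
    "2022-05-01T10:02:00Z host=WS02 user=CORP\\svc cmd=C:\\Windows\\PsExec.exe \\\\HV01 -s cmd.exe",
    "2022-05-01T10:03:00Z host=WS03 user=CORP\\user cmd=regsvr32.exe /s C:\\Program Files\\Vendor\\plugin.dll",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
    print("RDP-enable + SYSVOL regsvr32 on:", hosts_with_chain(scan(SAMPLE)))
```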
Indicators of Compromise
- [IP Address] 23.106.160.188 – Cobalt Strike Command-and-Control server
- [SHA1] eb43350337138f2a77593c79cee1439217d02957 – Batch script which enabled RDP on the host (rdp.bat)
- [SHA1] 920fe42b1bd69804080f904f0426ed784a8ebbc2 – Batch script to disable Windows Defender (d.bat)
- [Filename] C:\Windows\PsExec.exe – PsExec
- [Filename] C:\Windows\SYSVOL\sysvol.dll – Qakbot payload
- [Filename] C:\Windows\Temp\log.info – Invoke-TotalExec output log
- [Filename] C:\Windows\Temp\log.dat – Invoke-TotalExec output log
Read more: https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/