THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies

Cybereason’s Global SOC is tracking a wide Black Basta ransomware campaign that leverages QakBot (QBot) to gain initial access and move laterally inside U.S.-based organizations. The campaign ties QakBot infections to rapid deployment of Black Basta, including DNS disruption to hinder recovery; Cybereason provides IOCs and mitigation guidance. Hashtags: #QakBot #BlackBasta #CobaltStrike #QBot

Key points

  • Black Basta attackers rapidly move from initial access to ransomware deployment, sometimes within hours of compromising a system.
  • QakBot is used as the initial access and persistence vector, often delivered via phishing emails with malicious URLs.
  • Infections frequently culminate in Cobalt Strike beacons that provide remote access and reach the domain controller, enabling organization-wide ransomware deployment.
  • Some campaigns include DNS service disruption to lock victims out and complicate recovery efforts.
  • Observations indicate more than 10 affected U.S.-based customers over a two-week period, signaling a potentially widespread campaign.
  • Threat actors perform extensive discovery (e.g., Getmac.exe, net commands, PowerShell Active Directory queries) and credential harvesting to escalate privileges and map the network.
  • Cybereason offers concrete IOCs and recommended mitigations, including enabling Variant Payload Protection and hardening sensors.

MITRE Techniques

  • [T1566.002] Phishing – Spearphishing Link – ‘spam/phishing email containing malicious URL links’ used to deliver QakBot payload.
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – ‘The regsvr32.exe process then executes another randomly named file from the same mount’ and ‘Regsvr32.exe trying to load a DLL’ used for QBot payload delivery/persistence.
  • [T1562.001] Impair Defenses – ‘disabled security mechanisms, such as EDR and antivirus programs’ to evade defenses during deployment.
  • [T1021] Remote Services – ‘drop a Cobalt Strike payload to several servers, including a domain controller’ to expand access and control.
  • [T1047] Windows Management Instrumentation (WMI) – ‘moved laterally on many machines through Windows Management Instrumentation (WMI)’ to propagate across hosts.
  • [T1046] Network Service Discovery – ‘net view’ and other discovery commands used to enumerate devices and services on the network.
  • [T1087] Account Discovery – ‘net user {user} /domain’ and related commands to identify domain accounts and privileges.
  • [T1059.001] PowerShell – ‘PowerShell is used to query information against Active Directory Domain Services’ for credential/AD data collection.
  • [T1059.003] Windows Command Shell – ‘cmd.exe’ usage (e.g., del commands, net commands) for recon and cleanup.
  • [T1490] Inhibit System Recovery – ‘Vssadmin delete shadows /all /quiet’ to remove shadow copies and hinder recovery.

Indicators of Compromise

  • [Domain] C2 and exfiltration domains – jesofidiwi[.]com (Cobalt Strike C2), dimingol[.]com (DNS exfiltration), tevokaxol[.]com (Cobalt Strike C2), vopaxafi[.]com (Cobalt Strike C2), plus an .onion domain for TOR-based activity.
  • [IP] Detections/observations – 108.177.235.29, 144.202.42.216, 108.62.118.197 (associated with QakBot/C2 traffic).
  • [IP] QakBot C2 addresses (sample) – 94.70.37.145:2222, 172.90.139.138:2222, 70.50.3.214:2222, 90.89.95.158:2222, 200.93.14.206:2222, 142.161.27.232:2222, 82.127.174.33:2222, 92.207.132.174:2222, 92.189.214.236:2222, 24.64.114.59:2222, 82.31.37.241:443, 87.223.80.45:443, 76.9.168.249:443, 174.115.87.57:443, 82.41.186.124:443, 131.106.168.223:443, 75.98.154.19:443, 170.253.25.35:443, 86.133.237.3:443, 73.88.173.113:443, 84.209.52.11:443, 180.151.104.143:443, 105.184.161.242:443, 24.49.232.96:443, 157.231.42.190:443, 75.143.236.149:443, 70.64.77.115:443, 137.186.193.226:3389, 91.165.188.74:50000.
  • [URL/Domain] Ransomware IOCs – aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd[.]onion (TOR for Black Basta)
  • [SHA1 Hash] Aficionado.tmp – 75b2593da627472b1c990f244e24d4e971c939e7; cob_54.dll – 3a852c006085d0ce8a18063e17f525e950bb914c; cob_56.dll – 4202bf2408750589e36750d077746266176ac239
  • [Filename] Aficionado.tmp (Qbot loader); fwpolicyiomgr.dll (Qbot module); cob_54.dll; cob_56.dll; plugin_payload54.dll; plugin_payload55.dll
  • [Filename] ransom note – readme.txt (Black Basta)
  • [C2/Other] tevojkadiwi? (unverified as published); see the article for additional IOCs.
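The indicators above are published defanged and in mixed forms (domains, bare IPs, `ip:port` pairs). The following is an added example, not code from Cybereason or from the alert: it refangs the domain IOCs, parses the `ip:port` list, and sweeps two constructed log formats (a `host dns TYPE qname` line and a `host flow dst:port proto` line; both formats and all log lines are invented for this example, and only a subset of the QakBot C2 list is embedded). Domain matching is by suffix, because the DNS-exfiltration domain will appear under data-carrying subdomain labels rather than as the bare name, and flow matching distinguishes an exact `ip:port` hit from a bare-IP hit.

```python
import re
from typing import List, Set, Tuple


def refang(ioc: str) -> str:
    # Reports defang indicators so they cannot be clicked; undo that before matching.
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


# Domains from the alert, grouped by the role the alert assigns them.
COBALT_STRIKE_C2 = [refang(d) for d in ("jesofidiwi[.]com", "tevokaxol[.]com", "vopaxafi[.]com")]
DNS_EXFIL = [refang("dimingol[.]com")]

# A subset of the alert's QakBot C2 list, in the "ip:port" form the alert uses.
QAKBOT_C2_TEXT = "94.70.37.145:2222, 172.90.139.138:2222, 82.31.37.241:443, 137.186.193.226:3389, 91.165.188.74:50000"


def parse_ip_ports(text: str) -> Set[Tuple[str, int]]:
    return {(ip, int(port)) for ip, port in re.findall(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", text)}


QAKBOT_C2 = parse_ip_ports(QAKBOT_C2_TEXT)
QAKBOT_C2_IPS = {ip for ip, _ in QAKBOT_C2}


def domain_hit(qname: str, domains: List[str]) -> bool:
    # Suffix match: "<encoded-data>.dimingol.com" must match the bare indicator,
    # but "notdimingol.com" must not.
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Constructed log formats (assumptions for this example, not any vendor's schema).
DNS_LINE = re.compile(r"^(?P<host>\S+)\s+dns\s+(?P<rtype>[A-Z]+)\s+(?P<qname>\S+)$")
FLOW_LINE = re.compile(r"^(?P<host>\S+)\s+flow\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>\w+)$")


def match_dns(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, qname, indicator role) for each query hitting a listed domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        q = m["qname"]
        if domain_hit(q, COBALT_STRIKE_C2):
            hits.append((m["host"], q, "cobalt-strike-c2"))
        elif domain_hit(q, DNS_EXFIL):
            hits.append((m["host"], q, "dns-exfil"))
    return hits


def match_flows(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (host, dst ip, dst port, confidence); exact ip:port is high, bare IP is low."""
    hits = []
    for line in lines:
        m = FLOW_LINE.match(line.strip())
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        if (dst, port) in QAKBOT_C2:
            hits.append((m["host"], dst, port, "high"))
        elif dst in QAKBOT_C2_IPS:
            hits.append((m["host"], dst, port, "low"))
    return hits


# Constructed sample log: one C2 lookup, one exfil-style subdomain query, one
# benign query, one exact C2 flow, one bare-IP flow, one benign flow.
SAMPLE_LOG = """\
ws01 dns A jesofidiwi.com
ws01 dns TXT 4a6f686e446f65.dimingol.com
ws02 dns A login.microsoftonline.com
ws01 flow 94.70.37.145:2222 tcp
ws01 flow 94.70.37.145:80 tcp
ws02 flow 8.8.8.8:53 udp
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(match_dns(lines))
    print(match_flows(lines))
```

Treat the bare-IP matches as leads rather than verdicts: QakBot's tier-one C2 addresses are largely compromised residential hosts acting as proxies, so they rotate quickly and a given address can be reassigned to an unrelated subscriber. The exact `ip:port` match (ports 2222, 443, 3389 and 50000 in this list) is the more durable signal, and any IP-based sweep should be bounded to the time window in which the indicator was published.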

Read more: https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies