The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics, distributing a different set of payloads such as Zbot and DarkGate since early October 2024.
“Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user’s email to numerous mailing lists simultaneously,” Rapid7 said. “After the email bomb, the threat actor will reach out to the impacted users.”
As observed back in August, the attackers make initial contact with prospective targets on Microsoft Teams, pretending to be support personnel; in some instances, they have also been observed impersonating IT staff members within the targeted organization.
Users who end up interacting with the threat actors are urged to install legitimate remote access software such as AnyDesk, ScreenConnect, TeamViewer, and Microsoft’s Quick Assist. The Windows maker is tracking the cybercriminal group behind the abuse of Quick Assist for Black Basta deployment under the name Storm-1811.
Rapid7 said it also detected attempts by the ransomware crew to leverage the OpenSSH client to establish a reverse shell, as well as to send a malicious QR code to the victim user via the Teams chat, likely to steal their credentials under the pretext of adding a trusted mobile device.
However, cybersecurity company ReliaQuest, which also reported on the same campaign, theorized the QR codes are being used to direct users to further malicious infrastructure.
The remote access facilitated by the installation of AnyDesk (or its equivalent) is then used to deliver additional payloads to the compromised host, including a custom credential harvesting program followed by the execution of Zbot (aka ZLoader) or DarkGate, which can serve as a gateway for follow-on attacks.
Source: The Hacker News