{"id":1486,"date":"2024-12-10T12:54:39","date_gmt":"2024-12-10T12:54:39","guid":{"rendered":"https:\/\/www.tsfactory.com\/forums\/?p=1486"},"modified":"2024-12-10T12:54:39","modified_gmt":"2024-12-10T12:54:39","slug":"black-basta-ransomware-evolves-with-email-bombing-qr-codes-and-social-engineering","status":"publish","type":"post","link":"https:\/\/www.tsfactory.com\/forums\/blog\/black-basta-ransomware-evolves-with-email-bombing-qr-codes-and-social-engineering\/","title":{"rendered":"Black Basta Ransomware Evolves with Email Bombing, QR Codes, and Social Engineering"},
"content":{"rendered":"<p>The threat actors linked to the Black Basta ransomware have been observed switching up their\u00a0<a href=\"https:\/\/thehackernews.com\/2024\/05\/ongoing-campaign-bombarded-enterprises.html\" target=\"_blank\" rel=\"noopener\">social engineering tactics<\/a>, distributing a different set of payloads such as\u00a0<a href=\"https:\/\/thehackernews.com\/2024\/01\/new-zloader-malware-variant-surfaces.html\" target=\"_blank\" rel=\"noopener\">Zbot<\/a>\u00a0and\u00a0<a href=\"https:\/\/thehackernews.com\/2024\/06\/darkgate-malware-replaces-autoit-with.html\" target=\"_blank\" rel=\"noopener\">DarkGate<\/a>\u00a0since early October 2024.<\/p>\n<p>&#8220;Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user&#8217;s email to numerous mailing lists simultaneously,&#8221; Rapid7\u00a0<a href=\"https:\/\/www.rapid7.com\/blog\/post\/2024\/12\/04\/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware\/\" target=\"_blank\" rel=\"noopener\">said<\/a>. &#8220;After the email bomb, the threat actor will reach out to the impacted users.&#8221;<\/p>\n<p>As\u00a0<a href=\"https:\/\/thehackernews.com\/2024\/08\/black-basta-linked-attackers-targets.html\" target=\"_blank\" rel=\"noopener\">observed<\/a>\u00a0back in August, the attackers make initial contact with prospective targets on Microsoft Teams, pretending to be support personnel or IT staff of the organization. In some instances, they have also been observed impersonating IT staff members within the targeted organization.<\/p>\n<p>Users who end up interacting with the threat actors are urged to install legitimate remote access software such as AnyDesk, ScreenConnect, TeamViewer, and Microsoft&#8217;s Quick Assist. The Windows maker is tracking the cybercriminal group behind the abuse of Quick Assist for Black Basta deployment under the name\u00a0<a href=\"https:\/\/thehackernews.com\/2024\/05\/cybercriminals-exploiting-microsofts.html\" target=\"_blank\" rel=\"noopener\">Storm-1811<\/a>.<\/p>\n<p>Rapid7 said it also detected attempts made by the ransomware crew to leverage the OpenSSH client to establish a reverse shell, as well as send a malicious QR code to the victim user via the chats to likely steal their credentials under the pretext of adding a trusted mobile device.<\/p>\n<p>However, cybersecurity company ReliaQuest, which also\u00a0<a href=\"https:\/\/www.reliaquest.com\/blog\/black-basta-social-engineering-technique-microsoft-teams\/\" target=\"_blank\" rel=\"noopener\">reported<\/a>\u00a0on the same campaign, theorized the QR codes are being used to direct users to further malicious infrastructure.<\/p>\n<p>The remote access facilitated by the installation of AnyDesk (or its equivalent) is then used to deliver additional payloads to the compromised host, including a custom credential harvesting program followed by the execution of Zbot (aka ZLoader) or DarkGate, which can serve as a gateway for follow-on attacks.<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2024\/12\/black-basta-ransomware-evolves-with.html\">Read the Full Story Here<\/a><\/p>\n<p>Source: The Hacker News<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>The threat actors linked to the Black Basta ransomware have been observed switching up their\u00a0social engineering tactics, distributing a different set of payloads such as\u00a0Zbot\u00a0and\u00a0DarkGate\u00a0since early October 2024. &#8220;Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user&#8217;s email to numerous mailing lists [&hellip;]<\/p>\n","protected":false},
"author":2,"featured_media":398,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[]}