Black Basta Ransomware Gang infiltrates networks via QAKBOT, Brute Ratel and Cobalt Strike

Tactic / Technique

Remarks

TA0001 Initial Access

T1566.001 Phishing: Spearphishing Attachment

Victims receive spear phishing emails with a malicious ZIP file attached (usually password-protected) or an HTML file; this file contains an ISO file.

T1566.001 Phishing: Spearphishing Link

QAKBOT spread through emails containing newly created malicious links.

TA0002 Execution

T1204.001 User Execution: Malicious Link

QAKBOT was executed by users accessing a malicious link.

T1204.002 User Execution: Malicious File

QAKBOT gained execution thanks to users opening malicious attachments.

T1569.002 System Services: Service Execution

Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use the Service Control Manager to start new services.

T1059.005 Command and Scripting Interpreter: Visual Basic

QAKBOT can use VBS to download and execute malicious files.

T1059.007 Command and Scripting Interpreter: JavaScript

QAKBOT abuses Wscript to execute a JScript file.

TA0003 Persistence

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

QAKBOT can maintain persistence by creating an autorun registry key.

TA0004 Privilege Escalation

T1055 Process Injection

QAKBOT can inject itself into processes such as wermgr.exe.

TA0006 Defense Evasion

T1027.006 Obfuscated Files or Information: HTML Smuggling

Hides malicious payloads inside seemingly benign HTML files to smuggle them past defenses.

T1218.010 System Binary Proxy Execution: Regsvr32

QAKBOT can use Regsvr32 to run malicious DLLs.
Cobalt Strike can use rundll32.exe to load a DLL from the command line.

T1140 Deobfuscate/Decode Files or Information

The initial QAKBOT .zip file bypasses some antivirus detections due to its password protection.

T1562.009 Impair Defenses: Safe Mode Boot

Black Basta uses bcdedit to boot the device into safe mode.

TA0007 Discovery

T1010 Application Window Discovery

QAKBOT can enumerate windows on a compromised host.

T1482 Domain Trust Discovery

QAKBOT can run nltest /domain_trusts /all_trusts for domain trust discovery.

T1135 Network Share Discovery

QAKBOT can use the net share command to identify network shares to use for lateral movement.

T1069.001 Permission Groups Discovery: Local Groups

QAKBOT can use net localgroup to discover local groups.

T1057 Process Discovery

QAKBOT has the ability to check running processes.

T1018 Remote System Discovery

QAKBOT can identify remote systems via the net view command.

T1082 System Information Discovery

QAKBOT can collect system information, including OS version and domain, on a compromised host.

T1016 System Network Configuration Discovery

QAKBOT can use net config workstation, arp -a and ipconfig /all to collect network configuration information.

T1049 System Network Connections Discovery

QAKBOT can use netstat to enumerate current network connections.

T1033 System Owner/User Discovery

QAKBOT can identify the username on a compromised system.

TA0008 Lateral Movement

T1021 Remote Services: SMB/Windows Admin Shares

Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.

TA0011 Command and Control

T1071.001 Application Layer Protocol: Web Protocols

QAKBOT can use HTTP and HTTPS to communicate with C&C servers.

T1573 Encrypted Channel

Used by QAKBOT, Brute Ratel and Cobalt Strike.

TA0040 Impact

T1486 Data Encrypted for Impact

Black Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with an RSA-4096 public key included in the executable.

T1489 Service Stop

Uses sc stop and taskkill to stop services.

T1490 Inhibit System Recovery

Black Basta deletes Volume Shadow Copies using the vssadmin tool.

T1491 Defacement

Replaces the desktop wallpaper to display the ransom note.
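Almost every remark in the Discovery, Defense Evasion and Impact rows above names a specific command line (nltest /domain_trusts, net share, net view, net localgroup, bcdedit safe mode, vssadmin shadow deletion, sc stop, regsvr32 loading a DLL). The example below, added here and not part of the original report or any vendor tooling, turns those rows into a small host-scoring detector over process-creation events. The event layout (a host name and a command line per event), the sample events and the alert thresholds are constructed assumptions; the technique IDs are the ones from the table.

```python
"""Score Windows process-creation events against the QAKBOT / Black Basta
command lines listed in the ATT&CK table. Event fields and sample data are
constructed for this example, not telemetry from a real incident."""
import re
from typing import Dict, List, NamedTuple, Set


class Rule(NamedTuple):
    technique: str      # ATT&CK ID as given in the table
    pattern: re.Pattern  # matched against the lower-cased command line


# "net", "net1", "net.exe" or a quoted full path, followed by the subcommand.
_NET = r'\bnet1?(\.exe)?"?\s+'

RULES: List[Rule] = [
    Rule("T1482", re.compile(r'\bnltest(\.exe)?\b.*/domain_trusts')),
    Rule("T1135", re.compile(_NET + r'share\b')),
    Rule("T1069.001", re.compile(_NET + r'localgroup\b')),
    Rule("T1018", re.compile(_NET + r'view\b')),
    Rule("T1016", re.compile(_NET + r'config\s+workstation\b'
                             r'|\barp(\.exe)?"?\s+-a\b|\bipconfig(\.exe)?"?\s+/all\b')),
    Rule("T1049", re.compile(r'\bnetstat(\.exe)?\b')),
    Rule("T1059.007", re.compile(r'\bwscript(\.exe)?\b.*\.js\b')),
    # regsvr32 is flagged only when the DLL sits in a user-writable location.
    Rule("T1218.010", re.compile(r'\bregsvr32(\.exe)?\b.*\\(users|temp|programdata)\\.*\.dll\b')),
    Rule("T1562.009", re.compile(r'\bbcdedit(\.exe)?\b.*\bsafeboot\b')),
    Rule("T1489", re.compile(r'\bsc(\.exe)?"?\s+stop\b|\btaskkill(\.exe)?\b')),
    Rule("T1490", re.compile(r'\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b')),
]

# Admins run these too, so a single hit is low signal; alert only on a cluster per host.
DISCOVERY: Set[str] = {"T1482", "T1135", "T1069.001", "T1018", "T1016", "T1049"}

# Constructed sample events (assumed field names: host, cmdline).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r'"C:\Windows\System32\nltest.exe" /domain_trusts /all_trusts'},
    {"host": "ws01", "cmdline": "net share"},
    {"host": "ws01", "cmdline": "net view"},
    {"host": "ws01", "cmdline": "net localgroup administrators"},
    {"host": "ws02", "cmdline": "ipconfig /all"},   # lone troubleshooting command
    {"host": "srv01", "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "srv01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws03", "cmdline": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\update.dll"},
]


def match_techniques(cmdline: str) -> List[str]:
    """Return the technique IDs whose pattern matches this command line."""
    lowered = cmdline.lower()
    return [rule.technique for rule in RULES if rule.pattern.search(lowered)]


def score_hosts(events) -> Dict[str, Dict[str, Set[str]]]:
    """Bucket matched techniques per host into 'discovery' and 'impact'
    (the latter covering the defense-evasion and impact rows)."""
    per_host: Dict[str, Dict[str, Set[str]]] = {}
    for event in events:
        hits = match_techniques(event["cmdline"])
        if not hits:
            continue
        buckets = per_host.setdefault(event["host"], {"discovery": set(), "impact": set()})
        for technique in hits:
            buckets["discovery" if technique in DISCOVERY else "impact"].add(technique)
    return per_host


def alerts(events, discovery_threshold: int = 3) -> Dict[str, str]:
    """Map host -> severity: any evasion/impact command is critical; a cluster of
    distinct discovery commands on one host is high; anything less is not alerted."""
    result: Dict[str, str] = {}
    for host, buckets in score_hosts(events).items():
        if buckets["impact"]:
            result[host] = "critical"
        elif len(buckets["discovery"]) >= discovery_threshold:
            result[host] = "high"
    return result


if __name__ == "__main__":
    scored = score_hosts(SAMPLE_EVENTS)
    for host, severity in alerts(SAMPLE_EVENTS).items():
        print(host, severity, sorted(scored[host]["discovery"] | scored[host]["impact"]))
```

The discovery bucket is deliberately thresholded rather than alerted per command, because the commands in those rows are the same ones administrators type; the evasion/impact bucket is not, because bcdedit safe-mode changes and shadow-copy deletion have almost no benign interactive use on a workstation. Tune `_NET` and the path list in the regsvr32 rule to the telemetry source actually in use.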
