Black Basta uses QBot malware to target US-based companies


QBot Backdoor Opens Systems to Load Cobalt Strike, Ransomware and Other Malware

Prajeet Nair (@prajeetspeaks) •
November 23, 2022

QBot installs a backdoor to drop malware. (Source: ISMG)

Researchers claim that Black Basta is dropping the QBot malware – also known as QakBot – as part of a large ransomware campaign primarily targeting US-based companies.


In the group’s latest campaign, attackers again use QBot to install a backdoor and then drop encryption malware and other malicious code, according to Cybereason.

The Black Basta ransomware gang surfaced in April 2022 and was observed using QBot malware to create an initial entry point and move laterally within the targeted organization’s network.

QBot malware is a banking Trojan, primarily designed to steal banking data including browser information, keystrokes and credentials. Its previous targets include JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo.

The latest campaign, tracked by Cybereason’s global SOC, revealed that Black Basta was specifically targeting organizations in the US, Canada, UK, Australia and New Zealand.

“The group is known to use double extortion tactics. They steal files and sensitive information from victims and later use them to extort victims by threatening to release the data unless the ransom is paid,” the researchers explain.

In one example, researchers describe how a QBot infection caused several key machines to load Cobalt Strike, which triggered the deployment of Black Basta ransomware. Additionally, the hackers locked the victim out of the network by disabling DNS services, which makes recovery more difficult.

“With threat actors attempting to deploy ransomware within approximately 12 hours of the initial breach, I would classify this campaign as a real risk to businesses,” Loïc Castel, incident response investigator at Cybereason, told Information Security Media Group.

According to Castel, the short time between this QBot campaign and the deployment of Black Basta shows a connection between QBot operators and the Black Basta ransomware-as-a-service group.

“It was previously understood that BlackBasta operatives used to buy access to networks and then deploy their ransomware, and that is not the case in this campaign due to the timeline of events,” Castel told ISMG.

Multiple infections of Black Basta using QBot were seen in early November. They started with a spam/phishing email containing malicious URL links. QBot was Black Basta’s primary means of maintaining a presence on victims’ networks and disabling their security mechanisms, such as EDR and antivirus programs.

Deployment of Black Basta

The attack usually starts with a phishing email that infects targeted machines and extends control to the network to gather information and credentials to further deploy Black Basta ransomware in as many systems as possible.

The threat actor also searches for the EDR installed on the machine through the wmic.exe executable. The attacker manually spawns a cmd.exe process on a server and then tries to uninstall the EDR/antivirus.

“It is likely that the threat actor was looking for sensorless machines to deploy additional malicious tools without being detected,” the researchers say.

Once the ransomware is deployed, it generates a ransom note file, named readme.txt, in every encrypted folder on every infected machine. Once the note is created, the actual encryption process runs: files on each machine are encrypted and a random extension is appended to each one.
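The EDR discovery and uninstall step described above is visible in process-creation telemetry. The following Python is an added detection example, not code from the article or from Cybereason: it correlates, per host, a wmic.exe product enumeration followed shortly by a wmic.exe uninstall call. The event records, host names and the "Example EDR" product name are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (hypothetical; not from the article or Cybereason's report).
# Tuple layout: (timestamp, host, parent process, process, command line)
SAMPLE_EVENTS = [
    ("2022-11-08T09:12:04", "SRV01", "explorer.exe", "wmic.exe", "wmic product get name,version"),
    ("2022-11-08T09:13:30", "SRV01", "cmd.exe", "wmic.exe",
     'wmic product where "name like \'%Example EDR%\'" call uninstall'),
    ("2022-11-08T10:02:11", "WS07", "explorer.exe", "wmic.exe", "wmic os get caption"),
    ("2022-11-08T14:45:00", "SRV02", "cmd.exe", "wmic.exe", "wmic product get name"),
]

# wmic.exe listing installed products: the "searching for the EDR installed on the machine" step.
ENUM_RE = re.compile(r"\bproduct\b.*\bget\b", re.IGNORECASE)
# wmic.exe asked to remove a product: the "tries to uninstall the EDR/antivirus" step.
UNINSTALL_RE = re.compile(r"\bproduct\b.*\bcall\s+uninstall\b", re.IGNORECASE)


def classify(cmdline):
    """Return 'uninstall', 'enumeration' or None for one wmic.exe command line."""
    if UNINSTALL_RE.search(cmdline):
        return "uninstall"
    if ENUM_RE.search(cmdline):
        return "enumeration"
    return None


def find_edr_tampering(events, window_minutes=30):
    """Per host: enumeration followed within the window by an uninstall call is
    'uninstall_attempt'; enumeration alone is 'enumeration_only' (lower severity)."""
    findings = {}
    last_enum = {}  # host -> time of the most recent product enumeration
    for ts, host, _parent, image, cmdline in sorted(events):  # ISO timestamps sort chronologically
        if image.lower() != "wmic.exe":
            continue
        stage = classify(cmdline)
        when = datetime.fromisoformat(ts)
        if stage == "enumeration":
            last_enum[host] = when
            findings.setdefault(host, "enumeration_only")
        elif stage == "uninstall":
            seen = last_enum.get(host)
            if seen is not None and when - seen <= timedelta(minutes=window_minutes):
                findings[host] = "uninstall_attempt"
            else:
                findings[host] = "uninstall_without_enumeration"
    return findings


if __name__ == "__main__":
    for host, verdict in find_edr_tampering(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict}")
```

On the sample, SRV01 is flagged as an uninstall attempt and SRV02 as enumeration only; in production the same logic would run over Sysmon event ID 1 or Windows 4688 records with command-line auditing enabled.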
