Rapid7 Releases Black Basta Ransomware Campaign Analysis

By CRL_admin on December 6, 2024 Cyber Resilience, Featured, IT solutions, Security Products
Rapid7 has published an analysis of the Black Basta ransomware campaign, having observed a resurgence of activity related to the ongoing social engineering campaign being conducted by the group.
Rapid7 initially reported the discovery of the novel social engineering campaign back in May, 2024, followed by an update in August, when the operators updated their tactics and malware payloads and began sending lures via Microsoft Teams.
Now, the procedures followed by the threat actors in the early stages of the social engineering attacks have been refined again, with new malware payloads, improved delivery, and increased defence evasion.
The social engineering attacks are still initiated in a similar manner. Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user’s email to numerous mailing lists simultaneously.
After the email bomb, the threat actor will reach out to the impacted users. Rapid7 has observed that initial contact still occurs primarily through Microsoft Teams, where the threat actor, as an external user, will attempt to call or message the impacted user to offer assistance. The account domains in use include both Azure/Entra tenant subdomains (e.g., username[@]tenantsubdomain[.]onmicrosoft[.]com) and custom domains (e.g., username[@]cofincafe[.]com).
In many cases, Rapid7 has observed that the threat actor will pretend to be a member of the target organisation’s help desk, support team, or otherwise present themself as IT staff.
If the user interacts with the lure, either by answering the call or messaging back, the threat actor will attempt to get the user to install or execute a remote management (RMM) tool, including, but not limited to, QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect.
In most cases, Rapid7 has observed that the operator, after gaining access to the user’s asset via the RMM tool, will then attempt to download and execute additional malware payloads.
The payload delivery methods vary per case, but have included external compromised SharePoint instances, common file sharing websites, servers rented through hosting providers, or even direct upload to the compromised asset in the case of RMM tool remote control.
The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials. When possible, operators will also still attempt to steal any available VPN configuration files. With the user’s credentials, the organisation’s VPN information, and a potential MFA bypass, it may be possible for them to authenticate directly to the target environment.
Rapid7 has observed usage of the same credential harvesting executable, previously reported as AntiSpam.exe, though it is now delivered in the form of a DLL and most commonly executed via rundll32.exe.
The credential harvester is most commonly followed by the execution of a loader such as Zbot (a.k.a. Zloader) or DarkGate. This can then serve as a gateway to the execution of subsequent payloads in memory, facilitate data theft, or otherwise perform malicious actions.
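The three stages described above (an external Teams contact, an RMM tool launched on the user’s asset, then rundll32.exe loading a DLL from a user-writable path) are what a detection engineer would want to chain together. The script below is an added example, not code from Rapid7 or from this article: it correlates those stages per user over constructed sample telemetry. The event shapes, field names, the `example.com` tenant domain, the 30-minute window and the list of RMM binary names are assumptions loosely modelled on Microsoft 365 audit and Sysmon-style process telemetry; adapt them to whatever your SIEM actually emits.

```python
"""Correlate the Black Basta social-engineering chain from telemetry (added example).

Chain: external Teams contact -> RMM tool launch -> rundll32.exe loading a DLL from a
user-writable path, all for the same user within a time window. Sample events are
constructed; field names are assumptions, not a real product schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"  # assumption: the defended tenant's primary mail domain

# RMM binaries named in the report; extend for your environment.
RMM_BINARIES = {
    "quickassist.exe", "anydesk.exe", "teamviewer.exe", "level.exe",
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
}
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
RUNDLL32_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?', re.I)

STAGES = ["external_teams_contact", "rmm_launch", "rundll32_user_dll"]

# Constructed sample telemetry (not from the report). alice is attacked; bob is noise.
EVENTS = [
    {"ts": "2024-12-02T09:00:03", "type": "teams_chat", "user": "alice@example.com",
     "sender": "helpdesk@contoso-support.onmicrosoft.com"},
    {"ts": "2024-12-02T09:04:10", "type": "process", "user": "alice@example.com",
     "host": "WS-ALICE", "image": r"C:\Windows\System32\quickassist.exe",
     "cmdline": "quickassist.exe"},
    {"ts": "2024-12-02T09:11:45", "type": "process", "user": "alice@example.com",
     "host": "WS-ALICE", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\Downloads\update.dll",Main'},
    {"ts": "2024-12-02T10:00:00", "type": "teams_chat", "user": "bob@example.com",
     "sender": "it-support@example.com"},  # internal sender: not stage 1
    {"ts": "2024-12-02T10:02:00", "type": "process", "user": "bob@example.com",
     "host": "WS-BOB", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
    {"ts": "2024-12-02T10:05:00", "type": "process", "user": "bob@example.com",
     "host": "WS-BOB", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def is_external_sender(sender: str) -> bool:
    """True when the Teams sender's domain is not the organisation's own."""
    return sender.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def rundll32_user_dll(cmdline: str):
    """Return the DLL path if rundll32 is loading a DLL from a user-writable location."""
    m = RUNDLL32_DLL.search(cmdline)
    if m and USER_WRITABLE.match(m.group(1)):
        return m.group(1)
    return None


def stage_of(ev: dict):
    """Map a raw event to a chain stage name, or None if it is not interesting."""
    if ev["type"] == "teams_chat" and is_external_sender(ev["sender"]):
        return STAGES[0]
    if ev["type"] == "process":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in RMM_BINARIES:
            return STAGES[1]
        if image == "rundll32.exe" and rundll32_user_dll(ev["cmdline"]):
            return STAGES[2]
    return None


def correlate(events, window=timedelta(minutes=30)):
    """One alert per user for whom all three stages occur in order within `window`."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))

    alerts = []
    for user, staged in by_user.items():
        for i, (t0, s0, first) in enumerate(staged):
            if s0 != STAGES[0]:
                continue
            seen, want = [first], 1
            for t, s, ev in staged[i + 1:]:
                if t - t0 > window:
                    break
                if s == STAGES[want]:
                    seen.append(ev)
                    want += 1
                if want == len(STAGES):
                    alerts.append({
                        "user": user, "sender": first["sender"], "host": seen[1]["host"],
                        "rmm": seen[1]["image"], "dll": rundll32_user_dll(seen[2]["cmdline"]),
                        "tenant_default_domain": first["sender"].lower().endswith(".onmicrosoft.com"),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The ordering constraint matters: a help-desk analyst legitimately launching QuickAssist after an internal Teams message never reaches stage 1, and a rundll32 of a system DLL never reaches stage 3, so in the sample only alice’s sequence produces an alert. The `tenant_default_domain` flag surfaces the `*.onmicrosoft.com` pattern the report calls out, which is a cheap first triage signal before anyone looks at the process tree.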
Rapid7 continues to observe inconsistent usage of the group’s custom packer to deliver various malware payloads, including their custom credential harvester.
At the time of writing, the threat actors behind the campaign continue to update both their strategy for gaining initial access and the tools subsequently used.
Rapid7 says intrusions related to the campaign should be taken seriously and that the intent goes beyond typical phishing activity. Past campaign activity has led to the deployment of Black Basta ransomware.
While Rapid7 has handled a high volume of incidents related to the current social engineering campaign across a variety of customer environments, to date, every case has been contained before the operator was able to move laterally beyond the targeted user’s asset.
The blog on Rapid7’s website provides a full technical analysis, mitigation advice, MITRE ATT&CK techniques, and indicators of compromise.