The Black Basta ransomware gang has been reportedly spotted using QakBot malware to create a first point of entry and move laterally within organizations’ networks.
The findings were described in a new advisory published by the Cybereason Global SOC (GSOC) team earlier today, highlighting several Black Basta infections using QakBot beginning on November 14, 2022.
“QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials,” the security experts wrote.
“Once QakBot has successfully infected an environment, the malware installs a backdoor allowing the threat actor to drop additional malware, namely ransomware.”
According to the advisory, in the new campaign, threat actors obtained domain administrator access in less than two hours and then moved to ransomware deployment in less than 12 hours.
“Threat actors leveraging the QBot loader cast a large net targeting mainly US-based companies and acted quickly on any spear phishing victims they compromised,” reads the advisory.
“In the last two weeks, we observed more than ten different customers affected by this recent campaign.”
Among the several QakBot infections identified by Cybereason, two allegedly allowed the threat actor to deploy ransomware and lock the victim out of their network by disabling their DNS service, making recovery even more complex.
“One particularly fast compromise we observed led to the deployment of Black Basta ransomware. This allowed us to tie a link between threat actors leveraging QakBot and Black Basta operators,” wrote the security team.
The QakBot infections observed by Cybereason started with a spam or phishing email containing malicious URL links, with QakBot being the primary method Black Basta used to retain a presence on victims’ networks.
“That said, we also observed the threat actor using Cobalt Strike during the compromise to gain remote access to the domain controller. Finally, ransomware was deployed, and the attacker then disabled security mechanisms, such as EDR [endpoint detection and response] and antivirus programs,” the company wrote.
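The two behaviours singled out above, the attacker stopping DNS to hinder recovery and disabling EDR and antivirus before or after deployment, both leave a trace in the Windows Service Control Manager log. The following Python is an added example, not code from the article or from Cybereason's advisory: it scans constructed log lines (simplified to a "timestamp | event ID | message" shape, using the real SCM event IDs 7036 for a state change and 7040 for a start-type change) and raises an alert when two or more security-relevant services are stopped or disabled within a short window. "Example EDR Sensor" is a placeholder for whatever agent is deployed, and the service list, window size and log format are all assumptions to adapt to your own environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Windows System log entries, flattened to
# "timestamp | event_id | message". 7036 = service state change,
# 7040 = service start-type change. These lines are made up for the example.
SAMPLE_LOG = """\
2022-11-14T09:02:11 | 7036 | The Print Spooler service entered the running state.
2022-11-14T09:41:37 | 7040 | The start type of the Microsoft Defender Antivirus Service service was changed from auto start to disabled.
2022-11-14T09:41:52 | 7036 | The Example EDR Sensor service entered the stopped state.
2022-11-14T09:43:05 | 7036 | The DNS Server service entered the stopped state.
2022-11-14T10:15:00 | 7036 | The Windows Update service entered the stopped state.
"""

# Services whose loss matches the behaviour described in the advisory:
# AV/EDR (defence evasion) and DNS (locking defenders out during recovery).
# "Example EDR Sensor" is a placeholder name, not a real product service.
SENSITIVE_SERVICES = {
    "Microsoft Defender Antivirus Service",
    "Example EDR Sensor",
    "DNS Server",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<eid>\d+) \| (?P<msg>.+)$")
STOPPED_RE = re.compile(r"^The (?P<svc>.+) service entered the stopped state\.$")
DISABLED_RE = re.compile(
    r"^The start type of the (?P<svc>.+) service was changed from .+ to disabled\.$"
)


def find_tampering(log_text):
    """Return (timestamp, service, action) for each stop/disable of a sensitive service."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected shape; skip it
        ts = datetime.fromisoformat(m.group("ts"))
        msg = m.group("msg")
        for action, pattern in (("stopped", STOPPED_RE), ("disabled", DISABLED_RE)):
            sm = pattern.match(msg)
            if sm and sm.group("svc") in SENSITIVE_SERVICES:
                hits.append((ts, sm.group("svc"), action))
    return hits


def cluster_alerts(hits, window=timedelta(minutes=10)):
    """Group hits that fall within `window` of the first hit in their group.

    Several security services going down within minutes of each other is the
    pattern worth paging on; a single planned restart usually is not.
    """
    clusters = []
    for hit in sorted(hits):
        if clusters and hit[0] - clusters[-1][0][0] <= window:
            clusters[-1].append(hit)
        else:
            clusters.append([hit])
    return clusters


def alerts(log_text, min_services=2):
    """Return clusters that touch at least `min_services` distinct sensitive services."""
    return [
        c for c in cluster_alerts(find_tampering(log_text))
        if len({svc for _, svc, _ in c}) >= min_services
    ]


if __name__ == "__main__":
    for cluster in alerts(SAMPLE_LOG):
        first, last = cluster[0][0], cluster[-1][0]
        print(f"ALERT: {len(cluster)} security-service changes between {first} and {last}")
        for ts, svc, action in cluster:
            print(f"  {ts}  {svc}: {action}")
```

Run against the constructed sample, the Windows Update stop at 10:15 is ignored (not a sensitive service) and the three changes between 09:41 and 09:43 are reported as one alert; the threshold of two distinct services keeps a lone maintenance restart of DNS from paging anyone. In production the same logic would sit over the real System event log or a SIEM export rather than a flattened string.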
A list of recommendations to help companies defend against this threat, together with the associated indicators of compromise (IoCs), is available in the original advisory.
The Black Basta ransomware group was also recently linked to the FIN7 threat actor and to continued attacks against critical infrastructure.