Companies based in the U.S. have been at the receiving end of an “aggressive” Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks.
“In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network,” Cybereason researchers Joakim Kandefelt and Danielle Frankel said in a report shared with The Hacker News.
Black Basta, which emerged in April 2022, follows the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as leverage to extort cryptocurrency payments by threatening to release the stolen information.
This is not the first time the ransomware crew has been observed using Qakbot (aka QBot, QuackBot, or Pinkslipbot). Last month, Trend Micro disclosed similar attacks that entailed the use of Qakbot to deliver the Brute Ratel C4 framework, which, in turn, was leveraged to drop Cobalt Strike.
The intrusion activity observed by Cybereason cuts out Brute Ratel C4 from the equation, instead using Qakbot to directly distribute Cobalt Strike on several machines in the infected environment.
The attack chain commences with a spear-phishing email bearing a malicious disk image file that, when opened, kickstarts the execution of Qbot, which, for its part, connects to a remote server to retrieve the Cobalt Strike payload.
At this stage, credential harvesting and lateral movement activities are carried out to place the red team framework on several servers, before breaching as many endpoints as possible using the collected passwords and launching the Black Basta ransomware.
“The threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours,” the researchers noted, adding that over 10 different customers were impacted by the fresh set of attacks in the past two weeks.
In two instances spotted by the Israeli cybersecurity company, the intrusions not only deployed the ransomware but also locked the victims out of their networks by disabling the DNS service, in a bid to make recovery more challenging.
Black Basta remains a highly active ransomware actor. According to data gathered by Malwarebytes, Black Basta successfully targeted 25 companies in October 2022 alone, putting it behind LockBit, Karakurt, and BlackCat.