Black Basta svvhost

    Kristen Cotten
    by Kristen Cotten
    December 15, 2022

    Welcome to this week's edition of SCYTHE #ThreatThursday! Earlier this month we released a plan that covered some of the new indicators of compromise (IOC) associated with Black Basta. Our newest emulation continues to build off this latest reporting from SentinelLabs. Black Basta operators have a number of remote access trojan (RAT) tools at their disposal; this installment highlights one of these. Researchers observed the threat actor dropping a self-extracting archive containing the files needed to execute the Netsupport Manager application. Netsupport Manager is a multi-platform remote access/remote support tool that can provide one-to-many support, such as that typically used by IT Managed Service Providers (MSPs). Black Basta stages these files in C:\temp, with a self-extracting executable name of Svvhost.exe. When the file is executed, the installation files are extracted into C:\Users\[USER]\AppData\Roaming\MSN\. The Netsupport Manager RAT is then executed via a run.bat script.

    ‍

    We begin by creating the staging directory and downloading the Svvhost.exe file.

    Next we emulate extraction of the files to C:\Users\[USER]\AppData\Roaming\MSN\ and execute the run.bat script.

    ‍

    The run.bat script consists of the following commands which allow Netsupport Manager to execute and run at startup.

    ‍

    ‍

    Clean-up steps are included after a 3 minute delay to stop the process, delete the registry key, and remove the created directories and associated files inside.

    Detection Opportunities

    ‍

    Step Request SIGMA Rule(s) Author(s)
    Step Number Request SIGMA Rule(s) Author(s)
    6 downloader --src β€œVFS://shared/threats/BlackBasta/Svvhost.exe” --dest β€œC:\temp\Svvhost.exe” Creation of an Executable by an Executable frack113
    7 run C:\temp\Svvhost.exe -y -gm2 -o”%USERPROFILE%\AppData\Roaming\MSN\” Suspicious In-Memory Module Execution Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
        Creation of an Executable by an Executable frack113
    8 run %USERPROFILE%\AppData\Roaming\MSN\run.bat Use of NetSupport Remote Access Software frack113
        Suspicious In-Memory Module Execution Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
        Reg Add RUN Key Florian Roth
        Execution of NetSupport RAT From Unusual Location Nasreddine Bencherchali
        Direct Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, oscd.community
        CurrentVersion Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)

    ‍

    -SCYTHE AES Team 

    ‍

    This post discusses active research by SCYTHE and other cited third parties into an ongoing threat.  The information in this post should be considered preliminary and may be updated as research continues. This information is provided β€œas-is” without any warranty or condition of any kind, either express or implied.

    ‍

    References:

    ‍

    Kristen Cotten
    Post by Kristen Cotten
    December 15, 2022

    Comments