Black Basta is making the news once again as our friends at SentinelLabs released new research tying the operator’s latest activity to the Russian-linked FIN7. Despite being a relatively new player in the ransomware arena, Black Basta quickly gained credibility given their novel tools and techniques. Black Basta ransomware is cross platform, console-based executable affecting both Windows and Linux operating systems. Qakbot malware is often employed by the threat actor both for initial entry or as a payload for lateral movement. SCYTHE previously covered Black Basta for our October #ThreatThursday however these new TTPs in the latest report warrant a revisit.
We’re beginning with another indicators of compromise (IOC) focused plan that covers known domain names and IP addresses being used at the time publication as well as an emulation of the threat actors use of a meterpreter .ps1 stager. As noted in an earlier blog highlighting STEEP#MAVERICK IOCs, we recognize that IP addresses, hash values, and domain names are all easily altered by a threat actor. We still feel that IOC feeds and detections have their place in control validation and are a small piece of the larger control validation and coverage picture. Knowing exactly where you stand and what your controls will and won’t detect is a must in any modern cybersecurity program.
You may check out this latest emulation here!
Detection Opportunities
Step Number |
Request |
SIGMA Rule(s) |
Author(s) |
5 |
run powershell.exe -NoP -NonI -Exec Bypass -File "C:\msf_x64_svc.ps1" |
Use Short Name Path in Command Line |
frack113, Nasreddine Bencherchali |
|
|
Too Long PowerShell Commandlines |
oscd.community, Natalia Shornikova |
|
|
Suspicious PowerShell Parameter Substring |
Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) |
|
|
Suspicious PowerShell Command Line |
Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) |
|
|
Suspicious In-Memory Module Execution |
Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro |
|
|
Suspicious Csc.exe Source File Folder |
Florian Roth |
|
|
Non Interactive PowerShell |
Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
|
|
FromBase64String Command Line |
Florian Roth |
|
|
Dynamic C Sharp Compile Artefact |
frack113 |
|
|
Change PowerShell Policies to an Insecure Level |
frack113 |
|
|
Accessing WinAPI in PowerShell |
Nikita Nazarov, oscd.community, Tim Shelton |
This post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
References: