Threat Emulation: Black Basta

Intro

Welcome to the October 2022 SCYTHE #ThreatThursday! This edition features an emulation based on Black Basta ransomware. 

Executive Summary

Black Basta is back on the radar again this fall after a rise in Qakbot malware distribution was observed. Qakbot is a common initial entry and lateral movement tool used by the Black Basta ransomware group. Black Basta is cross platform, affecting both Windows and Linux operating systems and attacks seem to be targeting U.S. based organizations in the construction and manufacturing industries. The group leverages a double-extortion technique and hosts a Tor site where they post the names of all their victims that have not yet paid the ransom. Based on similarities in tactics, techniques, and procedures there is speculation that Black Basta is not a new operation, but a faction that may include former Conti operators.

Cyber Threat Intelligence

Profile: 

Black Basta is a relatively new ransomware group first discovered in April 2022 that leverages double-extortion as a part of its attacks. Despite being relatively new to the scene, reports indicate that at least 20 victims were posted to the group’s leak site within the first two weeks of operation. This suggests experienced operators with a reliable source of initial entry. It follows that there is speculation of Black Basta being a rebrand of Conti or a rogue faction of Conti.

This group has been observed to use Qakbot as both an initial point of entry and as a payload for lateral movement. The Black Basta ransomware itself is a console-based executable that can only be executed with administrator privileges. It supports use of a -forcepath command line argument to only encrypt files in a specific directory if desired. The malware spawns a mutex to ensure a single instance is running at a time as it iterates through to encrypt files and add the .basta extension.

An interesting method of persistence employed by Black Basta ransomware is to hijack a legitimate service by deleting it, and then re-creating a new malicious service with the same name (use of the Fax service has been observed in the wild). The ransomware also makes additional modifications to the registry to ensure the malicious service is running after a reboot into safe mode.

Aliases: 

N/A

Targets:

Black Basta has been observed to primarily target U.S. based organizations in the construction and manufacturing industries. Black Basta ransomware is written in C++ and affects both Windows and Linux operating systems. In June 2022, researchers reported a VMware ESXi variant that targeted virtual machines running on Linux servers.

Objectives:

• Data encryption
• Data exfiltration
• Financial profit

Capabilities:

Attack

Automated Emulation

We begin by performing several queries to obtain the current state of certain keys and settings. These values can be referenced later during clean-up to restore the initial state.

We include a step which sets a scheduled task to kill the process spawned after we execute rdpclip.exe. This scheduled task is an artifact of emulation and is not intended to be used in detection engineering. This task is deleted after a 4 minute delay. Execution of rdpclip.exe is used to emulate the threat actor’s use of RDP in the campaign.

Next, some basic reconnaissance steps are performed:

We then download and run both rdp.bat and b.bat which modify the firewall to allow for remote administration and RDP.

We then modify the desktop background by adding a dlaksjdoiwq.jpg file to C:\Temp and creating the registry key HKCU\Control Panel\Desktop. Additional registry keys are also created to change the icon of encrypted files to fkdjsadasd.ico.

The next steps emulate an interesting persistence mechanism where a legitimate service (Fax in this instance) is hijacked and a new malicious service with the same name created. An additional registry key is also added to enable the malicious Fax service to run in safe mode. We have omitted the step where the malware reboots the device into safe mode. In an actual attack, due to the changes made earlier, the device would reboot into safe mode with the malicious Fax service running. The service would then execute the ransomware again, triggering the steps for data encryption.

The following commands create a list of computers on the 192.x.x.x network that will be used when the Invoke-TotalExec script is executed. This powershell script will attempt to use PsExec to make a connection to each IP address in the ip_list.txt file to install and execute its malware.

The following steps emulate data encryption and tagging of the files with the .basta extension. At the conclusion of the threat a README.txt file is dropped.

Clean-up Steps are included to remove the downloaded files and new registry keys.

‍

Detection Opportunities

‍

Respond

If any of the alerts are detected in the environment, the response team should determine the depth of the Kill Chain, collect artifacts, and answer the following questions:

• Was the installation successful?

• What are the persistent mechanisms?

• Is Command & Control (C2) successful?

• What are the domain names, IP addresses, ports, and protocols used?

• Are there observations of Actions on Objectives (AOO)?

• What are they?
• Did the actor laterally move?
• Was sensitive data taken?

• Usernames, Passwords, Other?

• What caused the initial compromise?

• How was it delivered?
• What was exploited?

• Vulnerability, Control, Human?

Once it has been determined how deep the intrusion goes, containment, eradication, and recovery should begin.  After recovery, lessons learned should drive additional courses of action (COAs) to thwart the threat should it return, such as implementing additional security controls. As always, please follow your organization's response plan and evidence retention policies. We also recommend leveraging NIST SP 800-61 Rev. 2.

‍

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat.  The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About the Authors

Jake Williams and Kristen Cotten of SCYTHE’s CTI team contributed to this report and the creation of the threat emulation.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.

References

• https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/
• https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware
• https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
• https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html
• https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service

‍