BlackBasta ransomware planking through QBot: Security breach detected

During the latter part of Q4 2022, ReliaQuest detected a security breach in a customer’s system. The attacker established a foothold within 77 minutes; the intrusion was contained, but it traced back to a QBot infection.

QBot, a banking trojan, can be used for lateral movement, for evading detection and debugging, and for installing additional malware on compromised machines.

According to Reliaquest: “On September 29, 2022, we detected malicious activity after the deployment of Cobalt Strike Beacon and remote management software in a customer’s environment. The attacker achieved initial access via a phishing email delivered to end-user inboxes—having slipped past an overly permissive security solution.”

Destructive allies

Qbot, also known as QakBot, is a type of malware that is designed to steal sensitive information from infected computers, including login credentials, banking information, and other personal data. It is often distributed through phishing emails, malicious websites, or exploit kits.

BlackBasta is a specific command and control (C2) server used by the Qbot malware. The malware uses the BlackBasta C2 server to receive instructions and updates from the attackers and to send stolen data back to the attackers.

Qbot is known for its sophisticated evasion techniques, such as using encryption and obfuscation to evade detection by anti-virus software. Once it infects a system, it can spread throughout the network and cause significant damage to organizations.

Kill chain details

Initial Access: The phishing email that granted initial access was delivered on 26 Sep 2022. Its attachment, named REF#6547_SEP_28.HTML, was rightly flagged as malicious by Office 365 management: it smuggled a ZIP file onto the targeted network to deliver a QBot implant. The email’s text prompted the recipient to open the attached file and approve its contents.

Execution: Execution was achieved by HTML smuggling. Upon opening the HTML file in an email client, the user was asked to download it locally. After they did so and opened the HTML file in a browser, an encoded JavaScript binary large object (BLOB) surfaced. The BLOB then constructed and automatically downloaded a ZIP file to the user’s disk.

Command-and-Control: At this point, the threat actor pivoted from the QBot C2 channel to a newly established C2 channel provided by the Cobalt Strike beacon. It was an HTTPS beacon that communicated with its team server at 194.165.16[.]95, consistent with other QBot campaigns run by RaaS affiliates.

Credential Access: This was achieved after the threat actor used the Data Protection Application Programming Interface (DPAPI) to interact with a credential key for an account; DPAPI protects personal data on the local system, including user credentials.

“We also identified the attacker making use of a networking scanning tool later during this intrusion. The attacker was seen using the tool NETSCAN.EXE, which can scan hosts within the network for accessible network shares—another tool known to be used by Conti affiliates.”

Resilience to ransomware attacks

ReliaQuest recommends the following steps to avoid being impacted by QBot or ransomware activity.

  1. Harden perimeter security to restrict company assets from making arbitrary connections to the internet, for example through firewall or proxy configuration. This minimizes malware and command-and-control (C2) activity.
  2. Limit the use of remote-access software: This software is one of the most common methods for cybercriminals—notably initial access brokers (IABs) and ransomware operators—to gain access to targeted networks.
  3. Disable ISO mounting: ISO mounting is increasingly being used as a method of bypassing anti-virus and endpoint detection tools. Consider disabling ISO mounting by adding the registry key referenced below, which removes the context menu for users when right-clicking.
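The Cobalt Strike HTTPS beacon described under Command-and-Control and the outbound-connection restriction in step 1 point at the same detection opportunity: outbound TLS straight to a bare IP, repeated on a near-fixed cadence. The Python below is an added example, not code from PureVPN or ReliaQuest; it flags both traits in a constructed firewall log whose line format is assumed, and the only value taken from the article is the team-server address 194.165.16[.]95.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the ReliaQuest report). Assumed format:
# <ISO timestamp> <src_ip> -> <dst_ip>:<port> sni=<server name or ->
SAMPLE_LOG = """\
2022-09-29T10:00:00 10.0.0.5 -> 194.165.16.95:443 sni=-
2022-09-29T10:00:07 10.0.0.5 -> 203.0.113.10:443 sni=updates.example.com
2022-09-29T10:00:09 10.0.0.5 -> 203.0.113.10:443 sni=updates.example.com
2022-09-29T10:01:01 10.0.0.5 -> 194.165.16.95:443 sni=-
2022-09-29T10:01:59 10.0.0.5 -> 194.165.16.95:443 sni=-
2022-09-29T10:03:02 10.0.0.5 -> 194.165.16.95:443 sni=-
2022-09-29T10:17:40 10.0.0.5 -> 203.0.113.10:443 sni=updates.example.com
2022-09-29T10:43:12 10.0.0.5 -> 203.0.113.10:443 sni=updates.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) sni=(?P<sni>\S+)$"
)


def analyze(log_text, min_conns=4, max_cv=0.2):
    """Flag (src, dst, port, sni) groups showing beacon traits: TLS straight to a
    bare IP with no SNI, and check-ins at near-constant intervals (stdev/mean of
    the gaps <= max_cv; a fixed sleep gives ~0, human browsing gives ~1)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # tolerate malformed lines instead of crashing on them
            key = (m["src"], m["dst"], int(m["port"]), m["sni"])
            sessions[key].append(datetime.fromisoformat(m["ts"]))

    findings = []
    for (src, dst, port, sni), times in sessions.items():
        times.sort()
        reasons, cv = [], None
        if port == 443 and sni == "-":
            reasons.append("direct-to-ip-tls")
        if len(times) >= min_conns:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.stdev(gaps) / mean if mean else None
            if cv is not None and cv <= max_cv:
                reasons.append("regular-interval")
        if reasons:
            findings.append({"src": src, "dst": dst, "sni": sni,
                             "count": len(times), "cv": cv, "reasons": reasons})
    return findings
```

Only the sessions to 194.165.16.95 are reported: no SNI and a roughly 60-second cadence, while the browsing traffic to the example host has neither trait.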

Ending note

Ransomware attacks have become more prevalent alongside economic crises and the spread of digital technology. To keep them at bay, it is best to follow the 3-2-1 backup rule in your organization: keep three copies of your data, on two different media, with one copy stored off-site. Backing up your data to both cloud and physical storage can also help.

But most importantly, keeping yourself vigilant is what digital security demands! Stay safe and know more to be safe!

Author: PureVPN

Date: March 22, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secured.