Recent assaults were carried out by the threat actors responsible for the Black Basta ransomware family. It saw the use of the Qakbot trojan to deliver the Brute Ratel C4 framework as a second-stage payload.

Security company Trend Micro stated in a technical investigation published last week that the move marks the first time the emerging adversary simulation software is being distributed via a Qakbot infestation.

The intrusion required the deployment of Cobalt Strike for lateral movement and was accomplished utilizing a phishing email with a weaponized link leading to a ZIP archive.

Although these useful tools are intended for doing penetration tests, the ability to grant remote access has made them a valuable weapon in the hands of attackers seeking to covertly probe the infected environment without drawing attention to themselves for doing so.

This has been made worse by the fact that a cracked version of Brute Ratel C4 started to circulate among cybercriminals last month, which led the software’s developer to alter the licencing mechanism to make it more difficult to crack.

The Attack Method

Information thief and banking trojan Qakbot, also known as QBot and QuackBot, has been around since 2007. However, its modular structure and capacity to serve as a downloader have made it a desirable target for dispersing further infections.

Trend Micro claimed the ZIP attachment contains an ISO file, which has an LNK file that retrieves the Qakbot payload. That demonstrates attempts by threat actors to adapt to new strategies in the wake of Microsoft’s decision to automatically block macros in web-downloaded documents.

Black Basta Ransomware

Before recovering Brute Ratel and Cobalt Strike from the Qakbot infection, built-in command line utilities. These include arp, ipconfig, nslookup, netstat, and whoami are used to conduct automated reconnaissance.

Although it is believed that the threat actor’s ultimate goal may have been the deployment of ransomware throughout the entire domain. The attack was stopped before any destructive action could be performed by the threat actor.

The cybersecurity firm discovered another Qakbot execution chain in which the ZIP file is supplied using the increasingly common technique. It is known as HTML smuggling, leading to the second-stage execution of Brute Ratel C4.

Qakbot execution

The Black Basta Ransomware group is linked to the Qakbot-to-Brute Ratel-to-Cobalt Strike murder chain, according to the researchers. This is based on infrastructure and overlapping TTPs found in Black Basta assaults

The findings are consistent with a recent rise in Qakbot assaults using a range of tactics, including email thread hijacking, DLL side-loading, and email attachments. The latter involved gathering emails in bulk from successful ProxyLogon attacks against Microsoft Exchange servers.

IcedID Actors Diversify Delivery Methods

Since Emotet, IcedID, and Bumblebee campaigns have followed comparable trajectories. The Qakbot is far from the only access-as-a-service malware that is increasingly transmitted via ISO. And other file formats to get around macro restrictions.

In late September 2022, Palo Alto Networks Unit 42 reported finding a malicious polyglot Microsoft Compiled HTML Help (CHM) file. The file was being used to spread the IcedID (also known as BokBot) malware.

The use of password-protected ZIP files containing an ISO file that is identical to that of Qakbot. The payload is transmitted through a pay-per-installer service known as PrivateLoader. The PrivateLoader has been another prominent means of distribution and infection paths, according to Team Cymru.

Top of all, according to a series of tweets from ESET, Emotet looks to be getting ready for new attacks. After a brief three-month pause to update its “systeminfo” module to “better target specific victims. And distinguish tracking bots from actual users.”

According to Jean-Ian Boutin, director of threat research at ESET, “we have not detected new spam waves from Emotet since July.” “I don’t see why that is,”

Perhaps this new module indicates that they are testing modules. And will be active again in the near future, although this is obviously guesswork. They have taken breaks in the past, but never for that long.