QBot Black Basta ransomware

To spread laterally through hacked corporate environments, the Black Basta ransomware gang has collaborated with the QBot malware operation. QBot (QuakBot) is a Windows malware that steals bank credentials and Windows domain credentials before delivering additional malware payloads to infected devices.

Victims are typically infected with Qbot through phishing attacks with malicious attachments. Despite its origins as a banking trojan, it has collaborated with numerous ransomware gangs, including MegaCortex, ProLock, DoppelPaymer, and Egregor.

QBot and Black Basta team up

Black Basta is a relatively new ransomware operation that made a strong start by infiltrating a significant number of enterprises in a short period of time while demanding big ransom payments. During a recent incident response, analysts from the NCC Group identified the new alliance between Qakbot and Black Basta and were able to identify the threat actor’s techniques.

While most ransomware gangs employ QBot to gain initial access, the Black Basta gang, according to NCC, used it to move laterally throughout the network. Specifically, the malware installs a temporary service on the target host and configures it to run its DLL using regsvr32.exe.

Once Qakbot is running, it can infect network shares and disks, brute-force Active Directory accounts, or spread through the default admin shares using the current user's credentials over the SMB (Server Message Block) file-sharing protocol.

“The threat actor’s principal strategy for maintaining their presence on the network was Qakbot. During the compromise, the threat actor was also seen employing Cobalt Strike beacons,” according to the NCC Group’s report.

The researchers also identified a text file named “pc list.txt” in the Windows folder that had a list of internal IP addresses for all systems on the network, which was most likely generated by Qakbot.

Disabling Windows Defender

In the recent attack observed by NCC responders, Black Basta exhibited the same characteristics that were first reported in earlier incidents: modifying the background icon, erasing shadow copies, appending the .basta extension to encrypted files, and placing a company ID in the ransom notes.

However, according to NCC, the threat actors also disable Windows Defender, both to avoid detection and to reduce the odds of the encryption stage failing. They did so either with PowerShell commands or by installing a GPO on a compromised Domain Controller that modifies the Windows Registry.

[Figure: Registry changes to disable protection (NCC Group)]
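As an added illustration (not code from the article or from NCC Group), the following Python triage routine runs over constructed sample events in the shape of Windows System event 7045 (service installed) and Sysmon events 1 (process create) and 13 (registry value set), flagging the two behaviours described above: a service whose ImagePath runs a DLL through regsvr32.exe, and Windows Defender being disabled either through a policy registry value or a PowerShell command. The event field names, the DisableAntiSpyware policy value and the Set-MpPreference cmdlet are assumptions from general Windows knowledge, not details the article gives.

```python
import re

# Constructed sample log records (made-up, not from the NCC Group report).
SAMPLE_EVENTS = [
    {"id": 7045, "host": "WS01", "ServiceName": "ugkhxm",
     "ImagePath": r"regsvr32.exe -s C:\Users\Public\ptx.dll"},
    {"id": 7045, "host": "WS01", "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"id": 13, "host": "DC01",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"id": 13, "host": "WS02",
     "TargetObject": r"HKLM\SOFTWARE\Contoso\Agent\Enabled",
     "Details": "DWORD (0x00000001)"},
    {"id": 1, "host": "WS03",
     "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
]

# Policy hive a GPO writes to; matching is done on the lower-cased path (assumed layout).
DEFENDER_POLICY_KEY = r"\policies\microsoft\windows defender"
# Service binary path that loads a DLL through regsvr32 (the Qakbot service trick).
REGSVR32_DLL = re.compile(r"regsvr32(\.exe)?\b.*\.dll", re.IGNORECASE)
# PowerShell switching a Defender protection off (cmdlet name assumed).
DEFENDER_PS = re.compile(r"set-mppreference\b.*-disable\w+\s+\$true", re.IGNORECASE)


def flag_event(ev):
    """Return a tag when the event matches one of the behaviours above, else None."""
    if ev["id"] == 7045 and REGSVR32_DLL.search(ev.get("ImagePath", "")):
        return "qakbot_regsvr32_service"
    if ev["id"] == 13:
        key, _, value = ev.get("TargetObject", "").lower().rpartition("\\")
        # Only a Disable* value being set to 1 under the Defender policy key is interesting.
        if (DEFENDER_POLICY_KEY in key and value.startswith("disable")
                and ev.get("Details", "").endswith("(0x00000001)")):
            return "defender_policy_disabled"
    if ev["id"] == 1 and DEFENDER_PS.search(ev.get("CommandLine", "")):
        return "defender_disabled_via_powershell"
    return None


def triage(events):
    """Map each flagged event to (host, tag) so an analyst can pivot by host."""
    return [(ev["host"], tag) for ev in events if (tag := flag_event(ev))]


if __name__ == "__main__":
    for host, tag in triage(SAMPLE_EVENTS):
        print(f"{host}: {tag}")
```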

Inside a compromised network, Qakbot can move quickly, stealing account credentials and pivoting to neighbouring workstations. Even so, because the ransomware payload isn’t deployed right away, defenders always have a window of opportunity before disaster strikes.

The trojan has several different attack paths, each with its own detection opportunities, but they all start with the arrival of a malicious email. Pay special attention to that entry point: avoid opening unexpected attachments or clicking on embedded links.