URL: https://malware.news/t/reliaquest-uncovers-new-black-basta-social-engineering-technique/87845
Submission: On October 30 via api from IN — Scanned from US

RELIAQUEST UNCOVERS NEW BLACK BASTA SOCIAL ENGINEERING TECHNIQUE

Malware News


MalBot, Oct 25



WHAT HAPPENED?

In October 2024, ReliaQuest responded to an alert for Impacket activity. During
the investigation, we discovered a wider trend: a campaign of escalated social
engineering tactics originally associated with the ransomware group “Black
Basta.”

Their previous approach involved overwhelming users with email spam, prompting
them to create a legitimate help-desk ticket to resolve the issue. The attacker
would then contact the end user, posing as the help desk, to respond to the
ticket.

In more recent incidents, attackers have advanced their tactics by using
Microsoft Teams chat messages to communicate with targeted users and
incorporating malicious QR codes to facilitate initial access.

The underlying motivation is likely to lay the groundwork for follow-up social
engineering techniques, convince users to download remote monitoring and
management (RMM) tools, and gain initial access to the targeted environment.
Ultimately, the attackers’ end goal in these incidents is almost certainly the
deployment of ransomware.

This rapidly escalating campaign poses a significant threat to organizations.
The threat group is targeting many of our customers across diverse sectors and
geographies with alarming intensity. The sheer volume of activity is also
unique; in one incident alone, we observed approximately 1,000 emails bombarding
a single user within just 50 minutes. Due to commonalities in domain creation
and Cobalt Strike configurations, we attribute this activity to Black Basta with
high confidence.


TACTIC SHIFT—LATE OCTOBER 2024

In incidents during late October 2024, we observed the following changes in
Black Basta’s tactics, techniques, and procedures (TTPs):


USE OF MICROSOFT TEAMS CHATS:

1. After mass email spam events, the targeted users were added to Microsoft
Teams chats with external users. These external users operated from Entra ID
tenants they created to pose as support, admin, or help-desk staff.

2. The tenants observed all followed the naming convention “*.onmicrosoft.com”.
Examples we have seen so far include:

 * securityadminhelper.onmicrosoft[.]com
 * supportserviceadmin.onmicrosoft[.]com
 * supportadministrator.onmicrosoft[.]com
 * cybersecurityadmin.onmicrosoft[.]com

3. These external users set their profiles to a “DisplayName” designed to make
the targeted user think they were communicating with a help-desk account. In
almost all instances we’ve observed, the display name included the string “Help
Desk,” often surrounded by whitespace characters, which is likely to center the
name within the chat. We also observed that, typically, targeted users were
added to a “OneOnOne” chat.

What you can do: When hunting within your own environment for similar activity,
we recommend searching for Teams display names that feature strings of this
nature, rather than just searching for direct matches.

4. Upon investigation, we found that the actions of the external users generally
originated from Russia, with the time zone data logged by Teams regularly
featuring Moscow.


RMM SHIFT/QR CODES

In recent incidents, we have also observed the threat actors enticing targeted
users to use QuickAssist for the “support” sessions, not just AnyDesk.
Additionally, targeted users were sent QR codes within these chats, masquerading
as legitimately branded company QR code images.

1. Threat actors are using domains like the following for this QR-code phishing
activity:

 * qr-s1[.]com
 * qr-s2[.]com
 * qr-s3[.]com
 * qr-s4[.]com

2. In each attack, the subdomains of these domains are tailored to match the
targeted organization. For example: companyname.qr-s1[.]com.

3. We’ve also observed the creation of more generic subdomains, likely used to
target non-specific individuals, rather than specific organizations. An example
of a less specific subdomain is: l1ve.qr-s1[.]com (note the use of “1” in place
of “l”).

4. This pattern follows our observations from previous Black Basta campaigns,
where the group used domain naming conventions such as upd7, upd7a, upd10, and
upd10a.

5. The exact date on which the threat actor began using QR codes is unclear.
However, tracing the domain details turned up older domains, created in early
October, that follow the same naming convention. These were almost certainly
registered by the same threat actor with the intention of using QR codes, which
indicates the actor was using, or planning to use, this approach from early
October.

6. It is still unclear what the QR codes are specifically being used for. It is
realistically possible that the codes direct users to further malicious
infrastructure.


BLACK BASTA EMAIL SPAM CAMPAIGN

We have observed several advertisements on the dark web offering email spam
services, which are commonly sold for approximately $10–500. Owing to the
tactic’s simplicity and low cost, even the least technically sophisticated
actors can easily utilize these services.

After spamming end users with emails, attackers followed up with a voice-over-IP
phishing (vishing) phone call. During this call, they would attempt to convince
the user to download an RMM tool and allow the attacker access to the user’s
host.

Notably, two users were contacted via Teams chat messages by external emails
from the domains supportadminstrator.onmicrosoft[.]com and
supportserviceadmin.onmicrosoft[.]com. The attacker posed as a help-desk member
and convinced one of the users to download AnyDesk under the guise of stopping
the email spam.

Using AnyDesk, the attacker then accessed the users’ computers and installed
malicious files. These files were named to appear as anti-spam programs, such as
“AntispamAccount.exe,” “AntispamUpdate.exe,” and “AntispamConnectUS.exe.” The
attacker downloaded the files within five minutes of running AnyDesk. The file
“AntispamAccount.exe” accessed the Local Security Authority Service (LSASS),
indicating it was used to collect user credentials on the compromised host. In
addition, file “AntispamConnectUS.exe” generated network traffic to hundreds of
other internal hosts, likely to discover additional resources on the network.

Successful execution of these files led to Cobalt Strike beaconing to domains
such as companymartec[.]com and hessetechnology[.]com. The threat actor likely
created these domains to masquerade as legitimate organizations within specific
industries. Following this, the Impacket module “secretsdump.py” was run, likely
to capture Kerberos password hashes for lateral movement.

The activity was identified and quickly contained and remediated at this stage
in the attack, preventing the attack from progressing further in the kill chain.


EMAIL AND TEAMS SPAM: WHAT THEY HAVE IN COMMON

Observing the indicators associated with the Teams and email spam, we can
identify the following insights.


COMMONALITY IN SPAM EMAILS:

 * The domains used are primarily old and related to e-commerce, finance, or
   service offerings.
 * The email addresses are typically from automated systems or services that
   send confirmations or notifications (e.g., noreply@domain[.]com,
   subscription@domain[.]com, support@domain[.]com, help@domain[.]com,
   marketing@domain[.]com).


COMMON EMAIL SUBJECTS:

The subject lines of these emails are often similar and include:

 * “Your account has been created”
 * “Welcome to XYZ”
 * “Thank you for registering”
 * “Please verify your email”
 * “Special offer for you”


HOW RELIAQUEST IS COUNTERING THIS THREAT

We’ve been actively monitoring the evolution of Black Basta’s TTPs. In
particular, we are watching closely for external chat events from unusual
locations, especially those with display names like “Help Desk” from suspicious
external tenants.

We are also continuously tracking the creation of Cobalt Strike domains and
adding them to our threat feeds, and monitoring the creation of subdomains
associated with QR code phishing. As these subdomains are tailored to match
targeted organizations, this gives us a near-real-time view of which
organizations and sectors are being targeted.


RECOMMENDATIONS

To safeguard your networks from these threats, we recommend blocking identified
malicious domains and subdomains.

 * To mitigate against tactics involving Microsoft Teams and QR code phishing,
   organizations should disable communication from external users within Teams
   to prevent unwanted chat messages from reaching end users.
 * When communication with external users is necessary, specific trusted domains
   can be allowlisted. Additionally, setting up aggressive anti-spam policies
   within email security tools can prevent spam from inundating end users’
   inboxes.
 * Ensuring that logging is enabled for Teams, particularly the ChatCreated
   event, will facilitate detecting and investigating such activities.
 * Microsoft Teams accounts impersonating IT help desks typically have their
   names set to “Help Desk.” This string is often surrounded by whitespace
   characters, likely to center the name within chats. When searching for these
   accounts, organizations should search for “contains,” rather than a direct
   match.
 * The post-exploitation activities linked to these tactics, such as Impacket
   abuse and the deployment of Cobalt Strike beacons, are neither new nor
   unexpected. Existing detection rules and security tools are well-prepared to
   address these threats, enabling organizations to respond effectively to these
   tactics.


CONCLUSION

This campaign is still evolving, with Black Basta demonstrating their ability to
rapidly adapt their TTPs, likely to thwart defenders and buy themselves more
time in networks to further their attacks. While their initial access methods
have changed, their post-exploitation activities are likely to remain consistent
with previously observed patterns, which are covered by existing security tools
and detection rules.

ReliaQuest provides a comprehensive suite of detection rules designed to
identify Black Basta activity, enhancing customer resilience against the threat
group’s evolving TTPs.

There has been a significant rise in ransomware actors using social engineering
techniques to gain unauthorized access to sensitive systems and data. Many of
these techniques likely leverage native-English speakers, allowing for more
convincing and sophisticated phishing messages, therefore significantly raising
the likelihood of successfully deceiving targets.

To defend against these threats, organizations should ensure employees remain
vigilant against current social engineering tactics by providing ongoing
training and awareness programs that highlight the latest attacker threats and
techniques. This vigilance should be paired with a robust defense-in-depth
strategy, incorporating multiple layers of security measures such as firewalls,
intrusion detection systems, and regular security audits. This approach will
help identify and neutralize potential suspicious activity before it can cause
any harm. By combining informed and alert employees with comprehensive security
protocols, organizations can significantly reduce the risk of successful social
engineering attacks and safeguard their critical assets.

Article Link: ReliaQuest Uncovers New Black Basta Social Engineering Technique -
ReliaQuest
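The post recommends hunting for Teams display names that *contain* “Help Desk” (rather than matching it exactly, because the attackers pad the name with whitespace) and watching chats opened by external users from freshly created *.onmicrosoft.com tenants. The following script turns that advice into a small hunt. It is an added example, not ReliaQuest's tooling: the record layout (sender_upn, display_name, chat_type), the home domain contoso.example and the sample records are all constructed, so real ChatCreated audit exports need their fields mapped onto these names first.

```python
"""Hunt for external Teams accounts impersonating an IT help desk.

Added example, not ReliaQuest's code. It runs over a constructed list of
flattened chat-creation records; the field names (sender_upn, display_name,
chat_type) are assumptions, so map real audit-log fields onto them first.
"""
import re
import unicodedata

# "Contains help desk" after whitespace normalisation, never an exact match.
HELPDESK_PATTERN = re.compile(r"help\s*desk", re.IGNORECASE)
# Default tenant suffix shared by every attacker tenant named in the report.
ONMICROSOFT_SUFFIX = ".onmicrosoft.com"

# Constructed home domains of the hunting organisation (assumption).
HOME_DOMAINS = {"contoso.example"}

# Constructed sample records. Record 1 pads the name with non-breaking spaces
# to mimic the centring trick; record 4 uses a double space and odd casing.
SAMPLE_EVENTS = [
    {"sender_upn": "it.support@securityadminhelper.onmicrosoft.com",
     "display_name": "\u00a0\u00a0\u00a0Help Desk\u00a0\u00a0\u00a0",
     "chat_type": "OneOnOne"},
    {"sender_upn": "alice@partner-corp.example",
     "display_name": "Alice Jones", "chat_type": "OneOnOne"},
    {"sender_upn": "bob@contoso.example",
     "display_name": "Help Desk", "chat_type": "OneOnOne"},
    {"sender_upn": "svc@supportserviceadmin.onmicrosoft.com",
     "display_name": "HELP  DESK", "chat_type": "Group"},
]


def normalize_display_name(name: str) -> str:
    """Fold Unicode lookalike spaces (NFKC), collapse whitespace runs, strip the ends."""
    name = unicodedata.normalize("NFKC", name)
    return re.sub(r"\s+", " ", name).strip()


def sender_domain(upn: str) -> str:
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def score_chat_event(event: dict, home_domains: set) -> list:
    """Return the reasons a record matches the impersonation pattern; [] means clean."""
    domain = sender_domain(event.get("sender_upn", ""))
    if domain in home_domains:
        return []  # an internal account really named "Help Desk" is expected
    reasons = []
    name = normalize_display_name(event.get("display_name", ""))
    if HELPDESK_PATTERN.search(name):
        reasons.append("external sender with help-desk-style display name")
    if domain.endswith(ONMICROSOFT_SUFFIX):
        reasons.append("sender from a default *.onmicrosoft.com tenant")
    # OneOnOne chats are only worth noting once something else already matched.
    if reasons and event.get("chat_type") == "OneOnOne":
        reasons.append("external user opened a OneOnOne chat")
    return reasons


def hunt(events: list, home_domains: set) -> list:
    """Return (sender_upn, normalised_name, reasons) for every flagged record."""
    hits = []
    for ev in events:
        reasons = score_chat_event(ev, home_domains)
        if reasons:
            hits.append((ev["sender_upn"],
                         normalize_display_name(ev["display_name"]),
                         reasons))
    return hits


if __name__ == "__main__":
    for upn, name, reasons in hunt(SAMPLE_EVENTS, HOME_DOMAINS):
        print(f"{upn!r} as {name!r}: {'; '.join(reasons)}")
```

The internal-domain short-circuit keeps a genuine service-desk account from flooding the results; the interesting signal is an external sender whose name reads as “Help Desk” once the padding is stripped, and the tenant suffix and chat type are recorded as supporting context for the analyst.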

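The QR-code section describes two naming habits: subdomains tailored to the targeted organisation (companyname.qr-s1[.]com) and generic subdomains with a digit standing in for a letter (l1ve.qr-s1[.]com). As an added example, not ReliaQuest's code, the script below runs a hunt for that domain family over constructed proxy-log lines. The qr-s<N>.com pattern generalises the four domains the post lists (qr-s1 to qr-s4) to any numeric suffix, the log format and the organisation labels are constructed, and the digit-between-letters heuristic is a deliberately coarse hunting filter rather than an exact homoglyph rule.

```python
"""Flag log entries pointing at the QR-code phishing domain family.

Added example, not ReliaQuest's code. The log format and the org label set are
constructed; the pattern qr-s<N>.com generalises the four domains listed in the
report (qr-s1 to qr-s4), which is an assumption.
"""
import re
from urllib.parse import urlsplit

# Registrable-domain family from the report, generalised to any numeric suffix,
# anchored to the end of the host so "qr-s2.com.example.net" is not matched.
QR_FAMILY = re.compile(r"(?:^|\.)qr-s\d+\.com$", re.IGNORECASE)
# Coarse heuristic for labels like "l1ve": a digit commonly swapped for a
# letter, sitting between two letters.
LEET_DIGIT = re.compile(r"(?<=[a-z])[0135](?=[a-z])")

# Constructed sample lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-10-28T09:14:02Z 10.0.5.23 GET https://contoso.qr-s1.com/verify 200
2024-10-28T09:15:10Z 10.0.5.23 GET https://l1ve.qr-s1.com/ 200
2024-10-28T09:16:44Z 10.0.5.41 GET https://www.example.org/ 200
2024-10-28T09:17:01Z 10.0.5.77 GET https://qr-s3.com/ 200
2024-10-28T09:18:30Z 10.0.5.12 GET https://cdn.qr-s2.com.example.net/ 200
"""
# Constructed labels an attacker would use to tailor a subdomain to this org.
ORG_LABELS = {"contoso", "contosocorp"}


def host_from_line(line: str):
    """Pull the hostname out of the URL column; None if the line is malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return urlsplit(parts[3]).hostname


def classify_host(host: str, org_labels: set):
    """Return a finding dict for hosts in the qr-s family, else None."""
    host = host.lower().rstrip(".")
    if not QR_FAMILY.search(host):
        return None
    labels = host.split(".")
    sub_labels = labels[:-2]  # everything left of qr-sN.com
    homoglyph = next((lbl for lbl in sub_labels if LEET_DIGIT.search(lbl)), None)
    return {
        "host": host,
        "subdomain": ".".join(sub_labels),
        "tailored_to_org": any(lbl in org_labels for lbl in sub_labels),
        "homoglyph_label": homoglyph,
    }


def hunt_qr_domains(log_text: str, org_labels: set) -> list:
    """Return one finding per log line whose host sits in the qr-s family."""
    findings = []
    for line in log_text.splitlines():
        host = host_from_line(line)
        if host:
            finding = classify_host(host, org_labels)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt_qr_domains(SAMPLE_LOG, ORG_LABELS):
        print(f)
```

A hit with tailored_to_org set is the strongest signal, because the post notes that such subdomains are created per target and so reveal that the organisation is on the actor's list; the apex domain alone (qr-s3.com) still merits a block-list entry even without a subdomain.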