www.sentinelone.com Open in urlscan Pro
172.67.74.101 Public Scan

Back to summary

Submitted URL:
https://s1.ai/bb-fin7
Effective URL:
https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
Submission: On April 04 via api (April 4th 2024, 9:14:57 am UTC) from RU — Scanned from DE

Form analysis
6 forms found in the DOM

GET https://www.sentinelone.com

<form autocomplete="off" method="get" action="https://www.sentinelone.com">
  <fieldset>
    <input type="search" name="s" placeholder="Search ..." value="">
    <button class="search" type="submit">
      <img class="lazy icon-search" src="data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg' width='24' height='24'><rect width='100%' height='100%' fill='none'/></svg>" style=""
        data-src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon-white.svg" alt="Search Icon White" width="24" height="24">
      <img class="lazy icon-down" src="data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg' width='18' height='16'><rect width='100%' height='100%' fill='none'/></svg>" style=""
        data-src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close.svg" alt="Navigation Close" width="18" height="16">
    </button>
  </fieldset>
</form>

GET https://www.sentinelone.com/

<form role="search" method="get" class="search-form" action="https://www.sentinelone.com/">
  <label>
    <span class="screen-reader-text">Search ...</span>
    <input type="search" class="search-field" placeholder="Search ..." value="" name="s">
  </label>
  <input type="submit" class="search-submit" value="Search">
</form>

<form id="mktoForm_1985" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;">
  <style type="text/css"></style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
      <div class="mktoOffset" style="width: 5px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
  <div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
    third parties. This site is protected by reCAPTCHA and the <a href="https://policies.google.com/privacy" target="_blank">Google Privacy Policy</a> and <a href="https://policies.google.com/terms" target="_blank">Terms of Service</a> apply.</div>
  <input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="1985"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form>

<form id="mktoForm_2673" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;">
  <style type="text/css"></style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
      <div class="mktoOffset" style="width: 5px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
  <div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
    third parties. This site is protected by reCAPTCHA and the <a href="https://policies.google.com/privacy" target="_blank">Google Privacy Policy</a> and <a href="https://policies.google.com/terms" target="_blank">Terms of Service</a> apply.</div>
  <input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="2673"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form>

<form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>

<form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>

Text Content

*
*

ABOUT
CVE DATABASE
CONTACT
VISIT SENTINELONE.COM

Crimeware

BLACK BASTA RANSOMWARE | ATTACKS DEPLOY CUSTOM EDR EVASION TOOLS TIED TO FIN7
THREAT ACTOR

Antonio Cocomazzi / November 3, 2022

By Antonio Cocomazzi and Antonio Pirozzi

EXECUTIVE SUMMARY

* SentinelLabs researchers describe Black Basta operational TTPs in full
detail, revealing previously unknown tools and techniques.
* SentinelLabs assesses it is highly likely the Black Basta ransomware
operation has ties with FIN7.
* Black Basta maintains and deploys custom tools, including EDR evasion tools.
* SentinelLabs assess it is likely the developer of these EDR evasion tools is,
or was, a developer for FIN7.
* Black Basta attacks use a uniquely obfuscated version of ADFind and exploit
PrintNightmare, ZeroLogon and NoPac for privilege escalation.

OVERVIEW

Black Basta ransomware emerged in April 2022 and went on a spree breaching over
90 organizations by Sept 2022. The rapidity and volume of attacks prove that the
actors behind Black Basta are well-organized and well-resourced, and yet there
has been no indications of Black Basta attempting to recruit affiliates or
advertising as a RaaS on the usual darknet forums or crimeware marketplaces.
This has led to much speculation about the origin, identity and operation of the
Black Basta ransomware group.

Our research indicates that the individuals behind Black Basta ransomware
develop and maintain their own toolkit and either exclude affiliates or only
collaborate with a limited and trusted set of affiliates, in similar ways to
other ‘private’ ransomware groups such as Conti, TA505, and Evilcorp.

SentinelLabs’ full report provides a detailed analysis of Black Basta’s
operational TTPs, including the use of multiple custom tools likely developed
by one or more FIN7 (aka Carbanak) developers. In this post, we summarize the
report’s key findings.

Read the Full Report

BLACK BASTA’S INITIAL ACCESS ACTIVITY

SentinelLabs began tracking Black Basta operations in early June after noticing
overlaps between ostensibly different cases. Along with other researchers, we
noted that Black Basta infections began with Qakbot delivered by email and
macro-based MS Office documents, ISO+LNK droppers and .docx documents exploiting
the MSDTC remote code execution vulnerability, CVE-2022-30190.

One of the interesting initial access vectors we observed was an ISO dropper
shipped as “Report Jul 14 39337.iso” that exploits a DLL hijacking in calc.exe.
Once the user clicks on the “Report Jul 14 39337.lnk” inside the ISO dropper, it
runs the command

cmd.exe /q /c calc.exe

triggering the DLL hijacking inside the calc binary and executing a Qakbot DLL,
WindowsCodecs.dll.

Qakbot obtains a persistent foothold in the victim environment by setting a
scheduled task which references a malicious PowerShell stored in the registry,
acting as a listener and loader.

The powershell.exe process continues to communicate with different servers,
waiting for an operator to send a command to activate the post-exploitation
capability.

When an operator connects to the backdoor, typically hours or days after the
initial infection, a new explorer.exe process is created and a process hollowing
is performed to hide malicious activity behind the legitimate process. This
injection operation occurs every time a component of the Qakbot framework is
invoked or for any arbitrary process run manually by the attacker.

ENTER THE BLACK BASTA OPERATOR

Manual reconnaissance is performed when the Black Basta operator connects to the
victim through the Qakbot backdoor.

Reconnaissance utilities used by the operator are staged in a directory with
deceptive names such as “Intel” or “Dell”, created in the root drive C:\.

The first step in a Black Basta compromise usually involves executing a uniquely
obfuscated version of the AdFind tool, named AF.exe.

cmd /C C:\intel\AF.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > C:\intel\[REDACTED].csv

This stage also often involves the use of two custom .NET assemblies loaded in
memory to perform various information gathering tasks. These assemblies are not
obfuscated and the main internal class names, “Processess” and
“GetOnlineComputers”, provide a good clue to their functions. Black Basta
operators have been observed using SharpHound and BloodHound frameworks for AD
enumeration via LDAP queries. The collector is also run in memory as a .NET
assembly.

For network scanning, Black Basta uses the SoftPerfect network scanner,
netscan.exe. In addition, the WMI service is leveraged to enumerate installed
security solutions.

wmic /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value
wmic /namespace:\\root\SecurityCenter2 PATH AntiSpywareProduct GET /value
wmic /namespace:\\root\SecurityCenter2 PATH FirewallProduct GET /value

BLACK BASTA PRIVILEGE ESCALATION TECHNIQUES

Beyond the reconnaissance stage, Black Basta attempts local and domain level
privilege escalation through a variety of exploits. We have seen the use of
ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287, CVE-2021-42278) and
PrintNightmare (CVE-2021-34527).

There are two versions of the ZeroLogon exploit in use: an obfuscated version
dropped as zero22.exe and a non-obfuscated version dropped as zero.exe. In one
intrusion, we observed the Black Basta operator exploiting the PrintNightmare
vulnerability and dropping spider.dll as the payload. The DLL creates a new
admin user with username “Crackenn” and password “*aaa111Cracke”:

Reversed code for spider.dll

The DLL first sets the user and password into a struct (userInfo) then calls the
NetUserAdd Win API to create a user with a never-expiring password. It then adds
“Administrators” and “Remote Desktop Users” groups to that account. Next,
spider.dll creates the RunTimeListen.exe process, which runs the SystemBC (aka
Coroxy) backdoor, described below.

At this stage, Black Basta operators cover their tracks by deleting the added
user and the DLL planted with the PrintNightmare exploit.

REMOTE ADMIN TOOLS

Black Basta operators have a number of RAT tools in their arsenal.

The threat actor has been observed dropping a self-extracting archive containing
all the files needed to run the Netsupport Manager application, staged in the
C:\temp folder with the name Svvhost.exe. Execution of the file extracts all
installation files into:

C:\Users\[USER]\AppData\Roaming\MSN\

Archive of installation files for Netsupport Manager dropped by Black Basta

The RAT is then executed through a run.bat script.

Content of run.bat script

In other cases, we have observed the usage of Splashtop, GoToAssist, Atera Agent
as well as SystemBC, which has been used by different ransomware operators as a
SOCKS5 TOR proxy for communications, data exfiltration, and the download of
malicious modules.

BLACK BASTA LATERAL MOVEMENT

The Black Basta actor has been seen using different methods for lateral
movement, deploying different batch scripts through psexec towards different
machines in order to automate process and services termination and to impair
defenses. Ransomware has also been deployed through a multitude of machines via
psexec.

In the most recent Black Basta incidents we observed, a batch file named
SERVI.bat was deployed through psexec on all the endpoints of the targeted
infrastructure. This script was deployed by the attacker to kill services and
processes in order to maximize the ransomware impact, delete the shadow copies
and kill certain security solutions.

Partial content of SERVI.bat

IMPAIR DEFENSES

In order to impair the host’s defenses prior to dropping the locker payload,
Black Basta targets installed security solutions with specific batch scripts
downloaded into the Windows directory.

In order to disable Windows Defender, the following scripts are executed:

\Windows\ILUg69ql1.bat
\Windows\ILUg69ql2.bat
\Windows\ILUg69ql3.bat

The batch scripts found in different intrusions also appear to have a naming
convention: ILUg69ql followed by a digit.

powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
powershell -ExecutionPolicy Bypass -command "Set-MpPreference -DisableRealtimeMonitoring 1"
powershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defender

According to the official documentation, the DisableAntiSpyware parameter
disables the Windows Defender Antivirus in order to deploy another security
solution. The DisableRealtimeMonitoring is used to disable real time protection
and then Uninstall-WindowsFeature -Name Windows-Defender to uninstall Windows
Defender.

BLACK BASTA AND THE FIN7 CONNECTION

In multiple Black Basta incidents, the threat actors made use of a custom
defense impairment tool. Analysis showed that this tool was used in incidents
from 3rd June 2022 onwards and found exclusively in Black Basta incidents. Based
on this evidence, we assess it is highly likely that this tool is specific to
the Black Basta’s group arsenal.

Our investigation led us to a further custom tool, WindefCheck.exe, an
executable packed with UPX. The unpacked sample is a binary compiled with Visual
Basic. The main functionality is to show a fake Windows Security GUI and tray
icon with a “healthy” system status, even if Windows Defender and other system
functionalities are disabled.

The fake Windows Security GUI WindefCheck.exe

Analysis of the tool led us to further samples, one of which was packed with an
unknown packer. After unpacking, we identified it as the BIRDDOG backdoor,
connecting to a C2 server at 45[.]67[.]229[.]148. BIRDDOG, also known as
SocksBot, is a backdoor that has been used in multiple operations by the FIN7
group.

Further, we note that the IP address 45[.]67[.]229[.]148 is hosted on
“pq.hosting”, the bullet proof hosting provider of choice used by FIN7 when
targeting victims.

We discovered further samples on public malware repositories packed with the
same packer but compiled about two months before the BIRDDOG packed sample.
Unpacking one of these samples revealed it to be a Cobalt Strike DNS beacon
connecting to the domain “jardinoks.com”.

Comparison of the samples suggests that the packer used for the BIRDDOG backdoor
is an updated version of the packer used for the Cobalt Strike DNS beacon.

Left: Cobalt Strike DNS beacon; Right: BIRDDOG backdoor

We assess it is likely the threat actor developing the impairment tool used by
Black Basta is the same actor with access to the packer source code used in FIN7
operations, thus establishing for the first time a possible connection between
the two groups.

UNCOVERING FURTHER TIES BETWEEN BLACK BASTA AND FIN7

FIN7 is a financially motivated group that has been active since 2012 running
multiple operations targeting various industry sectors. The group is also known
as “Carbanak”, the name of the backdoor they used, but there were different
groups that also used the same malware and which are tracked differently.

Initially, FIN7 used POS (Point of Sale) malware to conduct financial frauds.
However, since 2020 they switched to ransomware operations, affiliating to
REvil, Conti and also conducting their own operations: first as Darkside and
later rebranded as BlackMatter.

At this point, it’s likely that FIN7 or an affiliate began writing tools from
scratch in order to disassociate their new operations from the old. Based on our
analysis, we believe that the custom impairment tool described above is one such
tool.

Collaboration with other third party researchers provided us with a plethora of
data that further supports our hypothesis. In early 2022, the threat actor
appears to have been conducting detection tests and attack simulations using
various delivery methods for droppers, Cobalt Strike and Meterpreter C2
frameworks, as well as custom tools and plugins. The simulated activity was
observed months later in the wild during attacks against live victims. Analysis
of these simulations also provided us with a few IP addresses which we believe
to be attributed to the threat actor.

The SentinelLabs full report describes these activities in detail.

ATTRIBUTION OF THE THREAT ACTOR: FIN7

We assess it is highly likely the BlackBasta ransomware operation has ties with
FIN7. Furthermore, we assess it is likely that the developer(s) behind their
tools to impair victim defenses is, or was, a developer for FIN7.

CONCLUSION

The crimeware ecosystem is constantly expanding, changing, and evolving. FIN7
(or Carbanak) is often credited with innovating in the criminal space, taking
attacks against banks and PoS systems to new heights beyond the schemes of their
peers.

As we clarify the hand behind the elusive Black Basta ransomware operation, we
aren’t surprised to see a familiar face behind this ambitious closed-door
operation. While there are many new faces and diverse threats in the ransomware
and double extortion space, we expect to see the existing professional criminal
outfits putting their own spin on maximizing illicit profits in new ways.

Read the Full Report

Crimeware

PDF

ANTONIO COCOMAZZI

Antonio Cocomazzi is a Senior Threat Intelligence Researcher at SentinelOne with
a particular interest in malware analysis. His research focuses on discovering
vulnerabilities and digging into Windows OS internals. Antonio enjoys reversing
any kind of binaries from packed malware to Windows internal components. He
likes playing online CTF and writing offensive tools and security research on
his GitHub channel, mostly based on Windows OS. Antonio has presented previously
at conferences such as Black Hat, Hack In The Box and RomHack.

WIP19 ESPIONAGE | NEW CHINESE APT TARGETS IT SERVICE PROVIDERS AND TELCOS WITH
SIGNED MALWARE

SOCGHOLISH DIVERSIFIES AND EXPANDS ITS MALWARE STAGING INFRASTRUCTURE TO COUNTER
DEFENDERS

SNS SENDER | ACTIVE CAMPAIGNS UNLEASH MESSAGING SPAM THROUGH THE CLOUD

February 15 2024

EXPLORING FBOT | PYTHON-BASED MALWARE TARGETING CLOUD AND PAYMENT SERVICES

January 11 2024

CLOUDY WITH A CHANCE OF CREDENTIALS | AWS-TARGETING CRED STEALER EXPANDS TO
AZURE, GCP

July 13 2023

Search ...

Get notified when we post new content.

Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties. This site is protected by reCAPTCHA and the
Google Privacy Policy and Terms of Service apply.

Thanks! Keep an eye out for new content!

www.sentinelone.com Open in urlscan Pro 172.67.74.101 Public Scan

Form analysis 6 forms found in the DOM

GET https://www.sentinelone.com

GET https://www.sentinelone.com/

Text Content

www.sentinelone.com Open in urlscan Pro
172.67.74.101 Public Scan

Form analysis
6 forms found in the DOM