New analysis of intrusions and tools attributed to the Black Basta ransomware has found some direct ties between the Black Basta actors and the venerable FIN7 cybercrime group, including the use of a backdoor that FIN7 has used in the past.
Black Bast first emerged in April and quickly piled up quite a few victims. The operators have targeted victims in manufacturing, pharmaceuticals, telecommunications, and other industries in the United States, UK, and Canada, and have used a number of different tools and techniques. In some cases, the attackers used email messages laden with malicious attachments that delivered Qakbot. Once the actor has an initial foothold in a new machine, the attacker then connects to the Qakbot backdoor and performs some reconnaissance. In some operations, the actor has exploited known vulnerabilities such as PrintNightmare and ProxyLogon to elevate privileges and then install one of a number of RATs the Black Basta group uses, such as Splashtop or GoToAssist.
In recent operations, researchers at SentinelLabs have observed Black Bast actors deploying various tools to blind security tools and kill some services.
“In the most recent Black Basta incidents we observed, a batch file named SERVI.bat was deployed through psexec on all the endpoints of the targeted infrastructure. This script was deployed by the attacker to kill services and processes in order to maximize the ransomware impact, delete the shadow copies and kill certain security solutions,” SentinelLabs researchers said in a new report published Thursday.
The Black Basta actors also use a custom tool designed to impair defensive tools on the compromised machine, a tool that is packed with an unknown packer.
“In multiple Black Basta incidents, the threat actors made use of a custom defense impairment tool. Analysis showed that this tool was used in incidents from 3rd June 2022 onwards and found exclusively in Black Basta incidents. Based on this evidence, we assess it is highly likely that this tool is specific to the Black Basta's group arsenal,” the SentinelLabs report says.
“Analysis of the tool led us to further samples, one of which was packed with an unknown packer. After unpacking, we identified it as the BIRDDOG backdoor, connecting to a C2 server at 45[.]67[.]229[.]148. BIRDDOG, also known as SocksBot, is a backdoor that has been used in multiple operations by the FIN7 group.”
There is a strong likelihood that FIN7, or some current or former member of the group, is collaborating with the Black Basta team.
FIN7 is one of the more notorious and active cybercrime groups of the past decade, Also known as Carbanak, the group is notorious for deploying point-of-sale malware and has victimized some large companies, including Chipotle and Arby’s. The group often uses the Carbanak backdoor, but also employs a range of other tools, some of which are unique to their operations. The SentinelLabs team said that there is a strong likelihood that FIN7, or some current or former member of the group, is collaborating with the Black Basta team.
“At this point, it’s likely that FIN7 or an affiliate began writing tools from scratch in order to disassociate their new operations from the old. Based on our analysis, we believe that the custom impairment tool described above is one such tool,” the report says.
“We assess it is highly likely the BlackBasta ransomware operation has ties with FIN7. Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7.”
Black Basta emerged in the chaotic time when the Conti operators were shutting down their operation and other ransomware-as-a-service offerings were taking up the slack. The Black Basta actors favor the double-extortion model in which they not only demand a ransom to decrypt locked files but also threaten to publish stolen sensitive data unless the victim pays a separate ransom. It’s an ugly and highly effective business model, unfortunately.