Basta Ransomware Operator Tactics Undergo ‘Notable Shift’

UNC4393, a threat group primarily known for infecting targets with the Basta ransomware, has over the past year made a major switch in how it gains initial access to victims.

Previously, the threat group almost exclusively relied on existing Qakbot infections, delivered through phishing attacks, for initial access. However, after the U.S. law enforcement takedown of the Qakbot infrastructure last year, the threat group briefly switched to the DarkGate malware as an initial access loader, before turning this year to a backdoor tracked as SilentNight.

“This most recent surge of SILENTNIGHT activity, beginning earlier this year, has been primarily delivered via malvertising,” said Josh Murchie, Ashley Pearson, Joseph Pisano, Jake Nicastro, Joshua Shilko and Raymond Leong, researchers with Mandiant, in a Monday analysis. “This marked a notable shift away from phishing as UNC4393's only known means of initial access.”

Outside of SilentNight, the group has expanded its initial access tactics in other ways. In campaigns this February, UNC4393 was also seen using stolen credentials and brute-force methods in attacks that aimed either to deploy ransomware or to conduct data theft extortion.

SilentNight includes a plug-in framework that gives attacks flexible functionality, such as screenshot capture, keylogging, cryptocurrency wallet access and browser manipulation that could allow attackers to target credentials. The backdoor was first seen in 2019, and then briefly, for a few months, in 2021.

Qakbot Takedown Impact

The changes in UNC4393’s initial access vectors show the long-term impact of the August 2023 takedown of the Qakbot botnet. Qakbot acted as a dropper or installer for many other pieces of malware and ransomware beyond Basta (also known as Black Basta), including REvil and Conti, and the takedown has had various effects across the threat landscape.

In a report from earlier this year that looked at the impacts of several law enforcement disruptions of threat groups, for instance, Chainalysis found that the Qakbot takedown did create “substantial operational friction” for ransomware group activities, but that the groups eventually adapted by switching to new malware families. The report found a steep decline in Black Basta ransomware payments around the time of the Qakbot takedown. However, activity appeared to pick up again months later, indicating that the threat groups behind Black Basta had pivoted to new malware. Meanwhile, Mandiant researchers said that this year they have seen the victim count for Basta steadily decline from March through July, and “it is plausible that this decline reflects difficulties in obtaining a reliable stream of initial access.”

Genevieve Stark, Mandiant manager of cyber crime analysis for Google Cloud, said that overall, "the professionalization and commoditization of cyber crime underground communities has created resilience, allowing threat actors to seamlessly replace one service/partner with another."

"Since the August 2023 law enforcement takedown, threat actors that have previously distributed QAKBOT have largely shifted to using other malware families or discontinued operations," said Stark. "For example, while we observed limited UNC2500 QAKBOT activity in early 2024, the threat actor has most frequently been deploying PIKABOT. UNC2500 may also be diversifying their operations, given that we have observed May campaigns leading to credential phishing sites and February activity designed to harvest NTLMv2 hashes. Further, while UNC2500 remains active, the volume of their activity has declined. UNC2633, a QAKBOT distribution cluster that was closely affiliated with UNC2500, has seemingly been inactive since the takedown."

Changes to UNC4393 TTPs

Beyond the initial access shifts, UNC4393's changes this year to its tactics, techniques and procedures (TTPs) show the group's adaptability within the cyber crime landscape. The group has transitioned toward more custom malware development, for instance, as opposed to its previous reliance on publicly available tools. Overall, Mandiant researchers said they have responded to over 40 separate UNC4393 intrusions across 20 industry verticals since 2022, which is still a small share of the 500 victims that the ransomware group claims on its leak site to have hit.

“While UNC4393's TTPs and monetization methods remain relatively consistent from previous operations, the group appears to be diversifying its initial access sources,” according to researchers. “Its evolution from opportunistic QAKBOT infections to strategic partnerships with initial access brokers demonstrates a willingness to diversify and optimize its operations.”