Blog by: Alex Oudenaarden, Noël Keijzer & Patrick van Looy

Intro

Recently, our CERT observed an increase in ransomware attacks using the Black Basta ransomware. We received the first notifications of victims of this ransomware group towards the end of April, which seems to be in line with when mentions of the malware first appeared on Twitter. In this blog, we combine the knowledge gained from researching the samples we encountered and those uploaded publicly, to share what we know about this emerging threat actor.

Methods

In this section, we describe the methods used by the Black Basta threat actors using the IN-THROUGH-OUT framework we introduced in our earlier blogs. We show how the threat actors obtained access to networks and highlight their techniques for reconnaissance and lateral movement. Furthermore, we explain how they exfiltrated data and rolled out ransomware within the networks.

IN

In the cases we observed, the ransomware group obtained access to the victim's network through a phishing campaign. When victims opened the attachment of the phishing email, a malicious Excel document containing macros dropped the Qbot (also known as Qakbot) malware. For more information on Qbot campaigns, see our previous blog.

THROUGH

After obtaining initial access, the threat actor typically performs reconnaissance of the environment using AdFind. As an alternative to AdFind, the threat actor uses a PowerShell script for the reconnaissance. This script (see below) creates a CSV file listing all workstations in Active Directory, with for each one the system name, operating system, AD description, last logon time, IPv4 address, the managed-by attribute of the workstation, and the primary group of the workstation.

ppp.ps1

$so = New-Object System.DirectoryServices.DirectorySearcher; $so.filter = "(&(samAccountType=805306369))"; $so.FindAll() |
  Select -Property @{N='Name'; E={$_.properties.samaccountname}}, @{N='OS'; E={$_.properties.operatingsystem}},
    @{N='Descr'; E={$_.properties.description}},
    @{N='LastTime'; E={; [datetime]::FromFileTime($_.properties.lastlogontimestamp -as [string]).ToString('yyyy-MM-dd HH:mm')}},
    @{N='IP'; E={$_.properties.ipv4address}}, @{N='ManagedBy'; E={$_.properties.managedby}},
    @{N='primarygroup'; E={$_.properties.primarygroup}} |
  Export-csv ccccOUT.csv -encoding utf8

Interestingly, TrueSec also observed this script and other parts of the modus operandi of the threat actor in attacks with Conti ransomware.

After obtaining an overview of all systems in the network, the threat actor typically pings critical servers within the network to see if they are up and running.

After that, the threat actor places a Cobalt Strike beacon on the initial access system before moving laterally within the network. The threat actor uses SMB and HTTP Cobalt Strike beacons for lateral movement.

In two of the attacks we investigated, we found evidence of the threat actor using SystemBC to set up a proxy to the victim’s network, presumably to run specific reconnaissance tools from their own infrastructure. This behaviour also revealed the originating hostname “VULTR-guest”, indicating that the threat actors likely host their infrastructure at Vultr.

During the lateral movement process, the threat actor compromises several vital accounts, most likely through the built-in Mimikatz functionality of Cobalt Strike.

Before starting the OUT phase, the threat actor uses net.exe to change the passwords of several domain accounts with administrative privileges in the network.

OUT

After obtaining complete control over the environment, the threat actor uses Rclone to exfiltrate sensitive data from victims’ networks to one of its private servers located in Russia.

Subsequently, the threat actor disables the antivirus solutions on systems in the network, using either batch scripts deployed via WMI or a group policy. Northwave identified two batch scripts used by the threat actor. The first batch script, which we observed in multiple attacks, disables Windows Defender anti-spyware and real-time monitoring and then uninstalls Windows Defender, as shown below.

ILUg69sql.bat

powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
powershell -ExecutionPolicy Bypass -command "Set-MpPreference -DisableRealtimeMonitoring 1"
powershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defender

Northwave identified a second batch file in one case, where the threat actor used it to disable Symantec Endpoint Protection on systems in the network.

smujEqe27H.bat

start smc -stop

Lastly, the threat actor uses WMI to deploy ransomware within the network. Simultaneously, the threat actor connects to the ESXi hosts of the victim over SSH and starts encryption on the hypervisor level as well, as shown below.

After starting encryption on the hypervisor level, the threat actor returns several times throughout the night to ensure that the encryption runs appropriately, as seen below.

Ransomware

In every ransomware attack, the final stage involves encrypting the actual data of the victim. Hence, the threat actors eventually drop a binary containing the ransomware in the victim's environment. Interestingly, for Black Basta, we observed three different builds of the ransomware used within a timeframe of approximately three weeks. The first build contains extended evasion functionality. The second build attempts to bundle many of the methods described above into a single command-line argument (-bomb). The third, minimal, build contains only the core encryption functionality. We describe the three builds in more detail in the sections below.

Evasion Build

What sets this build apart is its inclusion of a novel detection evasion method and its requirement to run as an administrator. In addition, this build comes with code that allows it to act both as a standard executable and as a service, essentially functioning as a service installer. It does this by opening a handle to the "Fax" service and calling ControlService() with the SERVICE_CONTROL_STOP command on it. After waiting for the service to stop, it uses the GetServiceDisplayName API to obtain the display name of the opened service and saves it for later use.

NOTE: The name for the service to impersonate is generated separately from the function that does the impersonating. This might imply that the string is set as part of a configuration and could see a change in future releases.

After stopping the service and taking its name, it deletes the service and creates a new one with the same name in its place. Only this time, the executable linked to the service is the ransomware binary itself (see below).

After registering the ransomware binary with the service manager, it starts preparing the system for a reboot into safe boot mode, probably to evade certain antivirus products. Before doing so, it ensures that the service will be started in safe boot mode by setting the required registry key itself:

It then enables booting in safe boot network mode using one of the following commands:

  • C:\Windows\SysNative\bcdedit.exe /set safeboot network
  • C:\Windows\System32\bcdedit.exe /set safeboot network
  • bcdedit /set safeboot network

After that, the malware reboots the PC by issuing the shell command "/C shutdown -r -f -t 0".

When the computer reboots, it boots into safe boot mode. During the boot sequence, the service manager starts the services set to start automatically, including the ransomware, and calls their ServiceMain function. In the case of the ransomware, this function contains the core ransomware functionality. We get into this a little later.
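The service-impersonation chain described above leaves two distinct traces a defender can correlate: a "service installed" record (System log event 7045) whose name collides with a built-in service but whose binary is not the one Windows ships, followed by a registry write that registers that service for safe-mode start. The following is an added example, not Northwave's code or anything from the ransomware: it runs both checks over constructed sample events. The built-in service baseline, the hostnames and the image path are invented for the example; the SafeBoot registry location is assumed from standard Windows layout, since the post does not name the key it observed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline: built-in service names and the binary Windows installs them with.
# A real deployment would derive this from a golden image of the OS build in use.
KNOWN_SERVICE_IMAGES: Dict[str, str] = {
    "fax": r"c:\windows\system32\fxssvc.exe",
    "spooler": r"c:\windows\system32\spoolsv.exe",
}

# Services listed under these keys are loaded in safe mode. Assumed location; the post
# only says "the required registry key".
SAFEBOOT_RE = re.compile(r"\\control\\safeboot\\(network|minimal)\\(?P<svc>[^\\]+)", re.I)


@dataclass
class Event:
    """Minimal stand-in for a Windows event record (constructed for this example)."""
    host: str
    event_id: int            # 7045 = service installed (System log); 12/13 = registry key/value (Sysmon)
    fields: Dict[str, str]


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _norm_path(image_path: str) -> str:
    """ImagePath values may be quoted and carry arguments; keep only the executable."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0].lower()
    return p.split(" ", 1)[0].lower()


def check_service_install(ev: Event) -> List[Finding]:
    """Rule 1: a newly installed service whose name or display name matches a built-in
    service, but whose binary is not the one Windows ships for it."""
    if ev.event_id != 7045:
        return []
    image = _norm_path(ev.fields.get("ImagePath", ""))
    for label in (ev.fields.get("ServiceName", ""), ev.fields.get("DisplayName", "")):
        expected = KNOWN_SERVICE_IMAGES.get(label.lower())
        if expected and image != expected:
            return [Finding(ev.host, "service-impersonation",
                            f"'{label}' installed with {image}, expected {expected}")]
    return []


def check_safeboot_registration(ev: Event) -> List[Finding]:
    """Rule 2: a service registered for safe-mode start. Legitimate software rarely
    does this after OS installation, so every hit deserves a look."""
    if ev.event_id not in (12, 13):
        return []
    m = SAFEBOOT_RE.search(ev.fields.get("TargetObject", ""))
    if not m:
        return []
    return [Finding(ev.host, "safeboot-registration",
                    f"service '{m.group('svc')}' added under SafeBoot\\{m.group(1)}")]


def analyse(events: List[Event]) -> List[Finding]:
    """Run both rules and add a chain finding for hosts showing both, which is the
    sequence the evasion build performs right before forcing a safe-mode reboot."""
    findings: List[Finding] = []
    for ev in events:
        findings += check_service_install(ev)
        findings += check_safeboot_registration(ev)
    hosts_by_rule: Dict[str, set] = {}
    for f in findings:
        hosts_by_rule.setdefault(f.rule, set()).add(f.host)
    chained = hosts_by_rule.get("service-impersonation", set()) & \
        hosts_by_rule.get("safeboot-registration", set())
    for host in sorted(chained):
        findings.append(Finding(host, "safe-mode-service-chain",
                                "impersonated service registered for safe-mode start; "
                                "isolate the host before it reboots"))
    return findings


# Constructed sample events: WS-07 shows the chain, FS-02 installs a legitimate agent.
SAMPLE_EVENTS = [
    Event("WS-07", 7045, {"ServiceName": "Fax", "DisplayName": "Fax",
                          "ImagePath": r"C:\Users\Public\svc_host.exe", "StartType": "auto start"}),
    Event("WS-07", 13, {"TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Fax",
                        "Details": "Service"}),
    Event("FS-02", 7045, {"ServiceName": "BackupAgent", "DisplayName": "Contoso Backup Agent",
                          "ImagePath": r'"C:\Program Files\Contoso\agent.exe" -svc',
                          "StartType": "auto start"}),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

Rule 1 on its own already catches the "stop, delete, re-create under the same name" step, because the re-created service arrives as a fresh 7045 record with the wrong ImagePath; rule 2 is what turns it into a priority, since a service that has just been registered for safe mode will survive the reboot the malware forces next.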

Automation Build

This is the most commonly seen build. It takes a much more straightforward approach to evasion, relying on a packer that scans for signs of dynamic analysis tooling to evade capture. In addition, it attempts to automate some of the steps of the network-wide distribution of the ransomware. Of all the samples we analysed, this one was the only one to come with a packer.

The packer takes three steps before activating the ransomware:

  • A very extensive (20+ checks) anti-analysis check
  • The loading and decrypting of a base64 encoded payload
  • The injecting of the payload

The injection step creates a new process using itself as the target executable and injects the decrypted ransomware payload into it. During analysis, it became apparent that there are many similarities between the packer’s functionalities and those described in a 2014 Blackhat paper. Therefore, the threat actor may have taken the code or reimplemented the techniques described in this paper.

NOTE: One interesting side-effect of this packer is that the command line passes a particular string (“OMC_BC”) to the new process. Perhaps the developers were unaware of this.

Another feature this build has over the minimal build is command-line argument handling logic. Most likely implemented using a command-line argument parser library, it provides a very robust way of checking for two arguments: -forcepath and -bomb.

The first iterations of this build that we observed only supported the -forcepath argument, but recently we have been seeing a new parameter that is yet to be publicly documented: -bomb.

While we have not seen the threat actor use it in practice, in theory, it allows them to run the ransomware on all domain-connected workstations by running the ransomware binary just once. Hence, this new functionality automates some essential steps the threat actor used to execute manually, as described in the Methods section above.

The automatic ransomware distribution is accomplished by connecting to AD using the Windows LDAP API and iterating over all workstations using the filter string (samAccountType=805306369):

With this list of workstations, it will attempt to copy itself onto the remote machines at \\c$\\Windows\\tmp.exe.

Afterwards, it uses a COM object, again not unfamiliar from Conti, IWbemClassObject (CLSID: 4590F812-1D3A-11D0-891F-00AA004B2E24). Using the Win32_Process class obtained from the IWbemServices interface, it sets up the command-line parameters for a call to its Create method to execute the previously copied executable (c:\Windows\tmp.exe).
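The distribution chain above (copy the binary into the C$ admin share of every workstation, then start it remotely through WMI) is visible from two ordinary Windows telemetry sources: Security event 5145 on the target records the share name, the relative file path and the source address of the write, and Security 4688 or Sysmon event 1 records the new process with WmiPrvSE.exe as its parent. The following is an added example, not Northwave's code, that correlates the two: one source address staging the same file name on many hosts within a short window, followed by WMI launching that staged file. Hostnames, addresses, timestamps and the thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class ShareWrite:
    """Stand-in for the fields of Security event 5145 (network share object access)."""
    host: str              # machine whose share was written to
    utc: datetime
    source_ip: str         # IpAddress field
    share: str             # ShareName, e.g. \\*\C$
    relative_target: str   # RelativeTargetName, e.g. Windows\tmp.exe


@dataclass
class ProcessStart:
    """Stand-in for the fields of Security 4688 / Sysmon event 1."""
    host: str
    utc: datetime
    parent_image: str
    image: str


ADMIN_SHARES = {"c$", "admin$"}
WINDOW = timedelta(minutes=10)   # constructed tuning values
MIN_HOSTS = 5


def staged_binaries(writes: List[ShareWrite]) -> Dict[Tuple[str, str], Set[str]]:
    """Rule 1: one source address writing the same file into admin shares of at least
    MIN_HOSTS distinct hosts within WINDOW. Returns {(source_ip, path): {hosts}}."""
    groups: Dict[Tuple[str, str], List[ShareWrite]] = defaultdict(list)
    for w in writes:
        if w.share.split("\\")[-1].lower() in ADMIN_SHARES:
            groups[(w.source_ip, w.relative_target.lower())].append(w)
    hits: Dict[Tuple[str, str], Set[str]] = {}
    for key, group in groups.items():
        group.sort(key=lambda w: w.utc)
        start = 0
        for end in range(len(group)):           # sliding time window over sorted writes
            while group[end].utc - group[start].utc > WINDOW:
                start += 1
            hosts = {w.host for w in group[start:end + 1]}
            if len(hosts) >= MIN_HOSTS:
                hits[key] = hits.get(key, set()) | hosts
    return hits


def wmi_launched_staged(procs: List[ProcessStart],
                        staged: Dict[Tuple[str, str], Set[str]]) -> List[ProcessStart]:
    """Rule 2: WmiPrvSE.exe spawning a binary whose path equals a file that rule 1
    saw being staged on that same host."""
    staged_on_host: Dict[str, Set[str]] = defaultdict(set)
    for (_, rel_path), hosts in staged.items():
        for h in hosts:
            staged_on_host[h].add(rel_path)
    out = []
    for p in procs:
        if not p.parent_image.lower().endswith("\\wmiprvse.exe"):
            continue
        rel = p.image.lower().split(":\\", 1)[-1]   # C:\Windows\tmp.exe -> windows\tmp.exe
        if rel in staged_on_host.get(p.host, set()):
            out.append(p)
    return out


# Constructed sample telemetry: 10.0.5.23 stages tmp.exe on six workstations in four
# minutes; 10.0.1.5 is an admin pushing a package to two hosts, which stays below threshold.
T0 = datetime(2022, 5, 3, 2, 10)
SAMPLE_WRITES = [ShareWrite(f"WS-0{i}", T0 + timedelta(seconds=40 * i), "10.0.5.23",
                            r"\\*\C$", r"Windows\tmp.exe") for i in range(1, 7)]
SAMPLE_WRITES += [ShareWrite("WS-01", T0, "10.0.1.5", r"\\*\ADMIN$", r"Temp\kb-update.msi"),
                  ShareWrite("WS-02", T0, "10.0.1.5", r"\\*\ADMIN$", r"Temp\kb-update.msi")]
SAMPLE_PROCS = [
    ProcessStart("WS-01", T0 + timedelta(minutes=6),
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\tmp.exe"),
    ProcessStart("WS-09", T0 + timedelta(minutes=6),
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\ipconfig.exe"),
    ProcessStart("WS-02", T0 + timedelta(minutes=7),
                 r"C:\Windows\explorer.exe", r"C:\Windows\tmp.exe"),
]

if __name__ == "__main__":
    staged = staged_binaries(SAMPLE_WRITES)
    for (src, path), hosts in staged.items():
        print(f"{src} staged {path} on {len(hosts)} hosts: {sorted(hosts)}")
    for p in wmi_launched_staged(SAMPLE_PROCS, staged):
        print(f"{p.host}: WMI launched staged binary {p.image} at {p.utc:%H:%M}")
```

The window-and-threshold shape matters more than the exact file name: the sample uses the tmp.exe path from the post, but the same logic flags any file one source fans out to many admin shares, which is how a defender would also catch the manual WMI deployment described in the Methods section.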

Minimal build

The minimal build comprises only the fundamentals needed to execute the ransomware attack. While the evasion and automation builds extend this build with new functionality, this build makes no effort to employ fancy techniques or hide anything.

The only functionality present in this binary, besides the encryption loop itself, is associating an .ico file with the .basta file extension and changing the desktop wallpaper to the following:

Additionally, it attempts to delete the shadow copies using the following command:

  • C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
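The commands this post reproduces, the ppp.ps1 reconnaissance one-liner, the two batch files that disable Windows Defender and Symantec Endpoint Protection, the bcdedit safe-boot commands and forced reboot of the evasion build, and the vssadmin shadow-copy deletion above, are each a short, distinctive string in process-creation (Security 4688) or PowerShell script-block (4104) logging. The following is an added example, not Northwave's code or a rule from any product, that turns them into per-host detection logic: it matches each record against patterns built from the post's own strings, groups the hits per host, and escalates hosts where defence evasion appears together with any other stage, which is the combination the post describes immediately before encryption. Hostnames and the event surroundings in the sample records are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Detection rules derived from the commands and script fragments reproduced in the post.
# Each entry is (label, pattern); patterns tolerate an .exe suffix and an absolute path.
RULES = [
    ("defender-policy-tamper", re.compile(r"\bDisableAntiSpyware\b", re.I)),
    ("defender-realtime-off", re.compile(
        r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+(1|\$true)\b", re.I)),
    ("defender-uninstall", re.compile(r"Uninstall-WindowsFeature\s+-Name\s+Windows-Defender\b", re.I)),
    ("symantec-stop", re.compile(r"\bsmc(\.exe)?\s+-stop\b", re.I)),
    ("safeboot-set", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+safeboot\s+(network|minimal)\b", re.I)),
    ("forced-reboot", re.compile(r"\bshutdown(\.exe)?\s+-r\s+-f\s+-t\s+0\b", re.I)),
    ("shadow-copy-delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("ad-workstation-enum", re.compile(r"samAccountType=805306369", re.I)),
]

# Stages of the intrusion and the labels that evidence each of them.
STAGES: Dict[str, set] = {
    "recon": {"ad-workstation-enum"},
    "defence-evasion": {"defender-policy-tamper", "defender-realtime-off",
                        "defender-uninstall", "symantec-stop"},
    "safe-mode-reboot": {"safeboot-set", "forced-reboot"},
    "recovery-inhibit": {"shadow-copy-delete"},
}


def classify(text: str) -> List[str]:
    """Labels of every rule that matches one process command line or script block."""
    return [label for label, pattern in RULES if pattern.search(text)]


def triage(records: List[Tuple[str, int, str]]) -> Dict[str, dict]:
    """Aggregate matches per host. Records are (host, event_id, text), where 4688 carries
    a process command line and 4104 a PowerShell script block. Hosts with no match are
    left out of the report."""
    labels_by_host: Dict[str, set] = defaultdict(set)
    for host, _event_id, text in records:
        for label in classify(text):
            labels_by_host[host].add(label)
    report: Dict[str, dict] = {}
    for host, labels in labels_by_host.items():
        stages = sorted(stage for stage, members in STAGES.items() if labels & members)
        report[host] = {
            "labels": sorted(labels),
            "stages": stages,
            "escalate": "defence-evasion" in stages and len(stages) > 1,
        }
    return report


# Constructed sample telemetry; the command strings are the ones reproduced in the post.
SAMPLE_RECORDS = [
    ("WS-17", 4688, 'powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path '
                    "'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware "
                    '-Value 1 -PropertyType DWORD -Force"'),
    ("WS-17", 4688, 'powershell -ExecutionPolicy Bypass -command "Set-MpPreference -DisableRealtimeMonitoring 1"'),
    ("WS-17", 4688, r"C:\Windows\SysNative\bcdedit.exe /set safeboot network"),
    ("WS-17", 4688, r"C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"),
    ("WS-17", 4688, "cmd.exe /C shutdown -r -f -t 0"),
    ("JUMP-01", 4104, '$so = New-Object System.DirectoryServices.DirectorySearcher; '
                      '$so.filter = "(&(samAccountType=805306369))"; $so.FindAll()'),
    ("HELPDESK-03", 4688, "vssadmin list shadows"),
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE_RECORDS).items():
        flag = "ESCALATE" if info["escalate"] else "review"
        print(f"{host}: {flag} stages={info['stages']} labels={info['labels']}")
```

A single match such as the LDAP filter on JUMP-01 is only a review item, since administrators query AD the same way; the escalation condition is deliberately tied to antivirus tampering, because none of the later steps (safe-mode reboot, shadow-copy deletion) have a benign reason to follow it on the same host.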

The encryption loop itself uses ChaCha20 to encrypt the files and a 4096 byte RSA public key to encrypt the symmetric key. In addition, for each folder, it sets the following exclusions:

  • $Recycle.Bin
  • Windows
  • Documents and Settings
  • Local Settings
  • Application Data

For each file, it checks the following filename exclusions:

  • OUT.txt
  • readme.txt
  • dlaksjdoiwq.jpg
  • NTUSER.DAT
  • fkdjsadasd.ico

If a folder is not in the above list, the ransomware drops a readme.txt file in it instructing the user how to recover their files:

Conclusion

New face, old tricks. Having emerged recently, this threat actor is still rapidly developing its new crypter. But, while they might be using a newly developed crypter, it is evident that the operators behind this threat are anything but new to the world of cybercrime. Therefore, we will be tracking this potential rebrand as they update their crypter and develop new methods for delivering payloads.

Need Help?

Do you need help with a cyber incident now? Our NW-CERT is available 24/7 to help you recover quickly and securely from any cyber incident. Talk to one of our incident response coordinators directly by calling +31 850 437 909.

Northwave is a Dutch Cybersecurity company headquartered in Utrecht (the Netherlands), with a subsidiary in Leipzig (Germany) and Brussels (Belgium). Northwave obtained a license from the Dutch Ministry of Justice and Security to conduct private investigations into (cyber) incidents. Northwave’s Computer Emergency Response Team (NW-CERT) members are certified as private investigators and possess extensive experience in digital forensics and cybersecurity. With hundreds of cases yearly, the NW-CERT has gained a vast experience in incident response and crisis management. For more info about the NW-CERT, visit the website.

IOCs

Value | Type | Description
AA5E31C1BCC77A93D5757A9DE592A290559AF12891A6B1E58E3F27BDA1E356C3 | SHA256 | Hash of C:\windows\ILUg69ql.bat
CAACFA38248C32873BBBF787A486023249EAD916FD9C38EA38E6205892123596 | SHA256 | Hash of C:\Windows\smujEqe27H.bat
AAEDFB9DFAECD21A468A5752856C59520CD73259293C8E767A9786459F39F5D8 | SHA256 | Hash of C:\Windows\RunTimeListen.exe
C:\Windows\RunTimeListen.exe | File | SystemBC executable
C:\Windows\smujEqe27H.bat | File | Batch file used to disable Symantec Endpoint Protection
C:\Windows\ILUg69ql.bat | File | Batch file used to turn off Windows Defender
C:\Windows\pclist.txt | File | File containing a list of IP addresses belonging to systems in the victim's network
C:\users\public\vKrFZ0LTctJsTLW.xls | File | DLL file disguised as XLS, containing a backdoor
ppp.ps1 | File | PowerShell script for reconnaissance of the environment
adfind.exe | File | AdFind executable
sv.exe | File | Rclone executable
\\.\pipe\npfs_65 | Pipe | Named pipe used by Cobalt Strike beacon
\\.\pipe\halfduplex_03 | Pipe | Named pipe used by Cobalt Strike beacon
176.124.221.130 | IP | Data exfiltration server
23.106.215.197 | IP | Cobalt Strike C2
23.106.160.188 | IP | Cobalt Strike C2
172.105.88.234:4001 | IP:Port | IP and port used by SystemBC executable
148.64.96.100:443 | IP:Port | Qbot C2
76.70.9.169:2222 | IP:Port | Qbot C2
5.54.53.124:995 | IP:Port | Qbot C2
67.209.195.198:443 | IP:Port | Qbot C2
78.169.246.124:443 | IP:Port | Qbot C2
5.32.41.45:443 | IP:Port | Qbot C2
39.44.206.162:995 | IP:Port | Qbot C2
103.246.242.202:443 | IP:Port | Qbot C2
175.145.235.37:443 | IP:Port | Qbot C2
202.134.152.2:2222 | IP:Port | Qbot C2
111.125.245.118:995 | IP:Port | Qbot C2
75.99.168.194:61201 | IP:Port | Qbot C2
47.156.131.10:443 | IP:Port | Qbot C2
172.115.177.204:2222 | IP:Port | Qbot C2
81.129.112.49:2078 | IP:Port | Qbot C2
85.246.82.244:443 | IP:Port | Qbot C2
38.70.253.226:2222 | IP:Port | Qbot C2
47.23.89.60:993 | IP:Port | Qbot C2
89.211.179.247:2222 | IP:Port | Qbot C2
31.215.69.176:443 | IP:Port | Qbot C2
117.248.109.38:21 | IP:Port | Qbot C2
37.186.54.254:995 | IP:Port | Qbot C2
217.164.118.38:1194 | IP:Port | Qbot C2
39.44.66.76:995 | IP:Port | Qbot C2
39.52.34.134:995 | IP:Port | Qbot C2
217.165.109.72:993 | IP:Port | Qbot C2
74.14.5.179:2222 | IP:Port | Qbot C2
217.164.118.38:2222 | IP:Port | Qbot C2
79.129.121.68:995 | IP:Port | Qbot C2
39.49.75.160:995 | IP:Port | Qbot C2
37.34.253.233:443 | IP:Port | Qbot C2
196.203.37.215:80 | IP:Port | Qbot C2
82.152.39.39:443 | IP:Port | Qbot C2
217.128.122.65:2222 | IP:Port | Qbot C2
41.230.62.211:995 | IP:Port | Qbot C2
120.150.218.241:995 | IP:Port | Qbot C2
186.90.153.162:2222 | IP:Port | Qbot C2
124.40.244.118:2222 | IP:Port | Qbot C2
2.50.4.57:443 | IP:Port | Qbot C2
24.178.196.158:2222 | IP:Port | Qbot C2
91.177.173.10:995 | IP:Port | Qbot C2
187.207.131.50:61202 | IP:Port | Qbot C2
69.14.172.24:443 | IP:Port | Qbot C2
45.241.139.60:993 | IP:Port | Qbot C2
217.165.176.49:2222 | IP:Port | Qbot C2
32.221.224.140:995 | IP:Port | Qbot C2
70.46.220.114:443 | IP:Port | Qbot C2
45.63.1.12:995 | IP:Port | Qbot C2
144.202.2.175:995 | IP:Port | Qbot C2
140.82.63.183:995 | IP:Port | Qbot C2
144.202.3.39:995 | IP:Port | Qbot C2
149.28.238.199:995 | IP:Port | Qbot C2
45.76.167.26:443 | IP:Port | Qbot C2
149.28.238.199:443 | IP:Port | Qbot C2
140.82.63.183:443 | IP:Port | Qbot C2
144.202.3.39:443 | IP:Port | Qbot C2
144.202.2.175:443 | IP:Port | Qbot C2
45.76.167.26:995 | IP:Port | Qbot C2
45.63.1.12:443 | IP:Port | Qbot C2
173.174.216.62:443 | IP:Port | Qbot C2
179.145.13.69:32101 | IP:Port | Qbot C2
108.60.213.141:443 | IP:Port | Qbot C2
140.82.49.12:443 | IP:Port | Qbot C2
1.161.104.31:995 | IP:Port | Qbot C2
93.48.80.198:995 | IP:Port | Qbot C2
197.92.141.144:443 | IP:Port | Qbot C2
176.67.56.94:443 | IP:Port | Qbot C2
208.107.221.224:443 | IP:Port | Qbot C2
174.69.215.101:443 | IP:Port | Qbot C2
1.161.104.31:443 | IP:Port | Qbot C2
197.89.20.168:443 | IP:Port | Qbot C2
76.25.142.196:443 | IP:Port | Qbot C2
182.191.92.203:995 | IP:Port | Qbot C2
72.27.86.98:443 | IP:Port | Qbot C2
45.46.53.140:2222 | IP:Port | Qbot C2
173.21.10.71:2222 | IP:Port | Qbot C2
73.151.236.31:443 | IP:Port | Qbot C2
187.172.219.103:443 | IP:Port | Qbot C2
189.146.87.77:443 | IP:Port | Qbot C2
82.41.63.217:443 | IP:Port | Qbot C2
187.208.122.226:443 | IP:Port | Qbot C2
190.252.242.69:443 | IP:Port | Qbot C2
189.223.134.157:443 | IP:Port | Qbot C2
101.50.67.212:995 | IP:Port | Qbot C2
70.51.135.90:2222 | IP:Port | Qbot C2
72.252.157.93:990 | IP:Port | Qbot C2
72.252.157.93:993 | IP:Port | Qbot C2
189.203.149.155:22 | IP:Port | Qbot C2
100.1.108.246:443 | IP:Port | Qbot C2
72.252.157.93:995 | IP:Port | Qbot C2
40.134.246.185:995 | IP:Port | Qbot C2
63.143.92.99:995 | IP:Port | Qbot C2
177.139.44.173:32101 | IP:Port | Qbot C2
24.55.67.176:443 | IP:Port | Qbot C2
24.139.72.117:443 | IP:Port | Qbot C2
177.133.210.218:443 | IP:Port | Qbot C2
179.158.105.44:443 | IP:Port | Qbot C2
47.157.227.70:443 | IP:Port | Qbot C2
201.172.23.68:2222 | IP:Port | Qbot C2
187.16.64.193:2222 | IP:Port | Qbot C2
92.132.172.197:2222 | IP:Port | Qbot C2
86.195.158.178:2222 | IP:Port | Qbot C2
106.51.48.170:50001 | IP:Port | Qbot C2
31.35.28.29:443 | IP:Port | Qbot C2
102.182.232.3:995 | IP:Port | Qbot C2
90.120.65.153:2078 | IP:Port | Qbot C2
94.36.191.129:2222 | IP:Port | Qbot C2
80.11.74.81:2222 | IP:Port | Qbot C2
190.79.204.80:2222 | IP:Port | Qbot C2
180.129.108.214:995 | IP:Port | Qbot C2
101.109.172.254:443 | IP:Port | Qbot C2
84.241.8.23:32103 | IP:Port | Qbot C2
41.84.242.8:443 | IP:Port | Qbot C2
210.246.4.69:995 | IP:Port | Qbot C2
89.86.33.217:443 | IP:Port | Qbot C2
109.12.111.14:443 | IP:Port | Qbot C2
152.0.12.24:443 | IP:Port | Qbot C2
39.41.148.211:995 | IP:Port | Qbot C2
41.215.150.246:995 | IP:Port | Qbot C2
67.69.166.79:2222 | IP:Port | Qbot C2
121.234.221.213:2222 | IP:Port | Qbot C2
67.165.206.193:993 | IP:Port | Qbot C2
191.34.192.119:443 | IP:Port | Qbot C2
79.80.80.29:2222 | IP:Port | Qbot C2
172.114.160.81:995 | IP:Port | Qbot C2
188.161.200.40:995 | IP:Port | Qbot C2
75.99.168.194:443 | IP:Port | Qbot C2
186.106.192.46:443 | IP:Port | Qbot C2
189.253.111.196:443 | IP:Port | Qbot C2
81.215.196.174:443 | IP:Port | Qbot C2
41.38.167.179:995 | IP:Port | Qbot C2
46.107.48.202:443 | IP:Port | Qbot C2
78.101.139.15:6883 | IP:Port | Qbot C2
59.93.93.37:443 | IP:Port | Qbot C2
2.50.137.23:443 | IP:Port | Qbot C2
2.34.12.8:443 | IP:Port | Qbot C2
181.208.248.227:443 | IP:Port | Qbot C2
103.116.178.85:995 | IP:Port | Qbot C2
121.7.223.45:2222 | IP:Port | Qbot C2
41.228.22.180:443 | IP:Port | Qbot C2
120.61.2.124:443 | IP:Port | Qbot C2
89.137.52.44:443 | IP:Port | Qbot C2
72.66.116.235:995 | IP:Port | Qbot C2
125.168.47.127:2222 | IP:Port | Qbot C2
72.76.94.99:443 | IP:Port | Qbot C2
103.107.113.83:443 | IP:Port | Qbot C2
113.89.6.31:995 | IP:Port | Qbot C2
203.122.46.130:443 | IP:Port | Qbot C2
197.165.163.159:995 | IP:Port | Qbot C2
68.204.7.158:443 | IP:Port | Qbot C2