Deeba Ahmed
2024-12-10 13:51:00
hackread.com
SUMMARY
- Black Basta Campaign Resurgence: Rapid7 researchers report a sophisticated social engineering campaign by the Black Basta ransomware group, refining tactics and targeting organizations globally.
- Enhanced Tactics: Attackers use email bombing, impersonation via Microsoft Teams, and tools like QuickAssist and AnyDesk to gain remote access, bypass MFA, and execute malicious payloads.
- Malicious Tools: Threat actors deploy tools like Zbot and DarkGate for credential harvesting, data exfiltration, and persistence before delivering Black Basta ransomware.
- Improved Payload Delivery: Updated techniques include obfuscation with custom packers, DLL execution via rundll32.exe, and advanced evasion strategies.
- Mitigation Strategies: Organizations should adopt stronger password policies, provide security training, and implement advanced defences to mitigate ransomware threats.
Cybersecurity researchers at Rapid7 have released a new report detailing its investigation of a sophisticated social engineering campaign launched by the infamous Black Basta ransomware group (aka UNC4393), threatening organizations worldwide.
Researchers have observed a resurgence of activity in relation to Black Basta ransomware operators’ currently ongoing social engineering campaign, first reported in May 2024 and updated in August 2024.
The attackers have now refined their early-stage procedures, including new malware payloads, improved delivery, and increased defence evasion, with lures sent via Microsoft Teams.
Reportedly, the campaign begins with email bombing, in which a flood of emails is sent to overwhelm potential victims, typically achieved by signing the users’ addresses up to multiple mailing lists simultaneously. Attackers then impersonate IT support personnel offering assistance and trick users into granting remote access to their systems. Microsoft Teams is used to establish initial contact, with Azure/Entra tenant subdomains and custom domains serving as the account domains.
Potential targets are tricked into installing or executing remote management tools such as QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect. Threat actors also use the OpenSSH client to establish a reverse shell, or share a QR code with the user, probably to bypass MFA (multi-factor authentication) after stealing their credentials.
As soon as they gain access, the attackers deploy a range of malicious tools for credential harvesting, lateral movement, and data exfiltration. A custom packer is used to obfuscate various payloads, including Zbot and DarkGate, to steal sensitive information and establish persistence on the system. The ultimate goal, however, is to deploy the Black Basta ransomware itself, encrypt critical data, and demand a ransom payment.
For your information, DarkGate is a powerful malicious shellcode that can perform a wide range of malicious actions, including stealing information, establishing persistence, and re-infecting compromised machines by establishing a backdoor.
Zloader/Zbot, meanwhile, is a sophisticated trojan that steals login credentials, credit card information, and personal data, downloads and executes additional malware payloads, establishes persistence on the infected system, and communicates with command-and-control servers.
Compared to Rapid7’s previously detected attacks, researchers noted some similarities and some unique approaches in this campaign:
“Rapid7 has observed usage of the same credential harvesting executable, previously reported as AntiSpam.exe, though it is now delivered in the form of a DLL and most commonly executed via rundll32.exe. Whereas before it was an unobfuscated .NET executable, the program is now commonly contained within a compiled 64-bit DLL loader,” the blog post revealed.
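The sequence described above (email bombing, an IT-support lure over Teams from an external tenant, then a remote-management tool or a rundll32-loaded DLL) lends itself to a simple correlation rule. The following detector is an added example, not code from the article or from Rapid7's report; the event schema, thresholds, the trusted domain contoso.com, and the sample telemetry are all constructed for illustration.

```python
from datetime import datetime, timedelta
# Assumed values for illustration: the organisation's own Teams domain and the
# remote-management tools named in the article.
TRUSTED_TEAMS_DOMAINS = {"contoso.com"}
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "ssh.exe"}
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")

def is_remote_access(ev):
    """Stage 3: a remote-management tool starts, or rundll32 loads a DLL from a user-writable path."""
    image, cmdline = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
    if image.rsplit("\\", 1)[-1] in REMOTE_TOOLS:
        return True
    return image.endswith("rundll32.exe") and ".dll" in cmdline and any(p in cmdline for p in USER_WRITABLE)

def correlate(events, bomb_threshold=30, bomb_window=timedelta(minutes=10), follow=timedelta(hours=2)):
    """Per user: email bombing, then an external Teams contact, then remote access, each within `follow`."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for user in sorted({e["user"] for e in events}):
        mine = [e for e in events if e["user"] == user]
        mails = [datetime.fromisoformat(e["ts"]) for e in mine if e["type"] == "mail_in"]
        # Stage 1: sliding window over inbound mail timestamps; bomb_at is when the threshold is crossed
        bomb_at = next((mails[i + bomb_threshold - 1] for i in range(len(mails) - bomb_threshold + 1)
                        if mails[i + bomb_threshold - 1] - mails[i] <= bomb_window), None)
        if bomb_at is None:
            continue
        # Stage 2: Teams chat from a tenant the organisation does not own, after the bomb
        teams = next((e for e in mine if e["type"] == "teams_chat"
                      and e["sender"].split("@")[-1].lower() not in TRUSTED_TEAMS_DOMAINS
                      and bomb_at <= datetime.fromisoformat(e["ts"]) <= bomb_at + follow), None)
        if teams is None:
            continue
        t2 = datetime.fromisoformat(teams["ts"])
        proc = next((e for e in mine if e["type"] == "process" and is_remote_access(e)
                     and t2 <= datetime.fromisoformat(e["ts"]) <= t2 + follow), None)
        if proc is not None:
            findings.append({"user": user, "bomb_at": bomb_at.isoformat(), "teams_sender": teams["sender"], "process": proc["image"]})
    return findings

# Constructed sample telemetry (not real logs): 40 list mails in ~7 minutes, then the Teams lure and rundll32
SAMPLE = [{"ts": f"2024-12-09T09:{i // 6:02d}:{i % 6 * 10:02d}", "user": "jdoe", "type": "mail_in"} for i in range(40)]
SAMPLE += [
    {"ts": "2024-12-09T09:20:00", "user": "jdoe", "type": "teams_chat", "sender": "helpdesk@supportdesk-it.onmicrosoft.com"},
    {"ts": "2024-12-09T09:31:00", "user": "jdoe", "type": "process", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.dll,Entry"},
    {"ts": "2024-12-09T10:05:00", "user": "asmith", "type": "teams_chat", "sender": "colleague@contoso.com"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

A single stage on its own (a busy mailing list, a legitimate external Teams contact) is noisy; the value is in requiring all three in order within the time window.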
To mitigate the risk of such attacks, organizations must improve their security measures, including implementing stronger password protection mechanisms, regular security awareness training for employees, and advanced security solutions.