Sentinel Labs found evidence linking the Black Basta ransomware gang to the financially motivated hacking group FIN7.
Security researchers at Sentinel Labs shared details about Black Basta’s TTP and assessed that the ransomware operation is likely linked to FIN7.
Experts analyzed the tools used by ransomware gangs in their attacks, some of which are custom tools, including EDR evasion tools. SentinelLabs believes that the developers of these EDR circumvention tools are or were the developers of the FIN7 gang.
Further evidence linking the two includes the IP addresses and specific TTPs (policies, techniques and procedures) used by FIN7 in early 2022 and seen in the actual Black Basta attack a few months later.
Black Basta has been active since April 2022, and like other ransomware operations, it implements a dual ransomware attack model.
FIN7, on the other hand, is an economically motivated Russian organization that has been active since at least 2015. It focuses on deploying POS malware and launching targeted spear-phishing attacks on global organizations.
Analysis by Sentinel Labs shows that Black Basta ransomware operators develop and maintain their own toolkits, and they have only documented cooperation with limited and trusted affiliates.
“SentinelLabs began tracking Black Basta’s operations in early June after noticing overlap between ostensibly distinct cases. Along with other researchers, we noticed that Black Basta infections began with Qakbot via email and macro-based MS Office Documentation, ISO+LNK dropper, and .docx documents exploit MSDTC Remote Code Execution Vulnerability CVE-2022-30190.” Read the report published by the experts. “An interesting initial access vector we observed was an ISO dropper released as “Report Jul 14 39337.iso” that exploits a DLL hijacking in calc.exe.”
The report details Black Basta’s initial access activities, manual reconnaissance, lateral movement, privilege escalation techniques, and remote management tools.
To weaken the security defenses installed on the target machine, Black Basta downloads specific batch scripts to the Windows directory for the installed security solutions.
Threat actors are disabling Windows Defender by executing the following script:
WindowsILUg69ql1.bat WindowsILUg69ql2.bat WindowsILUg69ql3.bat
The attackers also used the same naming convention (ILUg69ql followed by a number) for batch scripts found in different breaches.
powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path 'HKLM:SOFTWAREPoliciesMicrosoftWindows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force" powershell -ExecutionPolicy Bypass -command "Set-MpPreference -DisableRealtimeMonitoring 1" powershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defende
The DisableAntiSpyware parameter allows to disable Windows Defender Antivirus to deploy another security solution. DisableRealtimeMonitoring disables real-time protection and then uninstalls Windows Defender using Uninstall-WindowsFeature -Name Windows-Defender.
Experts noted that, starting in June 2022, Black Basta operators deployed custom EDR evasion tools that were not previously documented.
The researchers discovered a custom tool, WindfCheck.exe, which is an executable file containing UPX. The example is a binary compiled with Visual Basic that displays a fake Windows Security GUI and a tray icon with a “healthy” system status even when Windows Defender and other system features are disabled.
In the background, the malware disables Windows Defender, EDR, and antivirus tools before removing the ransomware payload.
The researchers found multiple samples associated with the aforementioned tool, and found that one of the samples contained an unknown wrapper, identified as “SocksBot.” (aka BIRDDOG)’ This is a backdoor used by the FIN7 group since at least 2018, it also connects to C2 IP address 45[.]67[.]229[.]148 belongs to “pq.hosting”, the bulletproof hosting provider used by FIN7 in its operations.
“We assess that the BlackBasta ransomware operation is likely to be linked to FIN7. In addition, we assess that the developers behind its tools, who are or were FIN7 developers, may have weakened the victim’s defenses,” concludes the report. “As we clarify the people behind the elusive Black Basta ransomware operation, we are not surprised to see familiar faces behind this ambitious closed-door operation. Although there are many new faces and various This is a threat, but we want to see new ways for existing professional criminal organizations to maximize illicit profits.”
Follow me on Twitter: @securityaffairs and Facebook
(security affairs – Hacker, FIN7)