Black Basta Ransomware Gang Infiltrates networks via QAKBOT, Brute Ratel, and Cobalt Strike

Tactic / Technique

Notes

TA0001 Initial Access

T1566.001 Phishing: Spear phishing Attachment

Victims receive spear phishing emails with attached malicious zip files – typically password protected or HTML file. That file contains an ISO file.

T1566.001 Phishing: Spear phishing Link

QAKBOT has spread through emails with newly created malicious links.

TA0002 Execution

T1204.001 User Execution: Malicious Link

QAKBOT has gained execution through users accessing malicious link

T1204.002 User Execution: Malicious Link

QAKBOT has gained execution through users opening malicious attachments

T1569.002 System Services: Service Execution

Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services

T1059.005 Command and Scripting Interpreter: Visual Basic Script

QAKBOT can use VBS to download and execute malicious files

T1059.007 Command and Scripting Interpreter: JavaScript

QAKBOT abuses Wscript to execute a Jscript file.

TA0003 Persistence

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

QAKBOT can maintain persistence by creating an auto-run Registry key

TA0004 Privilege Escalation

T1055 Process Injection

QAKBOT can inject itself into processes like wermgr.exe

TA0006 Defense Evasion

T1027.006 Obfuscated Files or Information: HTML Smuggling

Smuggles a file’s content by hiding malicious payloads inside of seemingly benign HTML files.

T1218.010 System Binary Proxy Execution: Regsvr32

QAKBOT can use Regsvr32 to execute malicious DLLs
Cobalt Strike can use rundll32.exe to load DLL from the command line

T1140. Deobfuscate/Decode Files or Information

Initial QAKBOT .zip file bypasses some antivirus detections due to password protections.

T1562.009. Impair Defenses: Safe Boot Mode

Black Basta uses bcdedit to boot the device in safe mode.

TA0007 Discovery

T1010 Application Window Discovery

QAKBOT can enumerate windows on a compromised host.

T1482 Domain Trust Discovery

QAKBOT can run nltest /domain_trusts /all_trusts for domain trust discovery.

T1135 Network Share Discovery

QAKBOT can use net share to identify network shares for use in lateral movement.

T1069.001 Permission Groups Discovery: Local Groups

QAKBOT can use net localgroup to enable the discovery of local groups

T1057 Process Discovery

QAKBOT has the ability to check running processes

T1018 Remote System Discovery

QAKBOT can identify remote systems through the net view command

T1082 System Information Discovery

QAKBOT can collect system information including the OS version and domain on a compromised host

T1016 System Network Configuration Discovery

QAKBOT can use net config workstation, arp -a, and ipconfig /all to gather network configuration information

T1049 System Network Connections Discovery

QAKBOT can use netstat to enumerate current network connections

T1033 System Owner/User Discovery

QAKBOT can identify the username on a compromised system

TA0008 Lateral Movement

T1021 Remote Services: SMB/Windows Admin Shares

Cobalt Strike can use Window admin shares (C$ and ADMIN$) for lateral movement

TA0011 Command and Control

T1071.001 Application Layer Protocol: Web Protocols

QAKBOT can use HTTP and HTTPS in communication with the C&C servers.

T1573. Encrypted Channel

Used by QAKBOT, BRUTEL and Cobalt Strike

TA0040 Impact

T1486. Data Encrypted for Impact

Black Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key that is included in the executable.

T1489. Service Stop

Uses sc stop and taskkill to stop services.

T1490. Inhibit System Recovery

Black Basta deletes Volume Shadow Copies using vssadmin tool.

T1491 – Defacement

Replaces the desktop wallpaper to display the ransom note.