Black Basta Develops Custom Malware in Wake of Qakbot Takedown

The prolific ransomware group has shifted away from phishing as the method of entry into corporate networks, and is now using initial access brokers as well as its own tools to optimize its most recent attacks.

[Image: black noodles on a plate topped with tomato. Source: Ciaobucarest via Alamy Stock Photo]

The enormously successful Black Basta ransomware group has pivoted to using new custom tools and initial access techniques as part of a shift in strategy in the wake of last year's takedown of the Qakbot botnet.

The evolution of the group, which has compromised more than 500 victims and counting, demonstrates the resilience of threat groups who have had to shift tactics on the fly due to law enforcement and other disruptions, yet still somehow continue to flourish in their cybercriminal operations, experts said.

Black Basta's initial claim to fame was its prolific use of Qakbot, which it distributed via sophisticated and evolving phishing campaigns. As an initial access Trojan, Qakbot could then deploy a host of publicly available open source tools and ultimately the gang's namesake ransomware. However, about a year ago, the Qakbot botnet was largely put out of commission (though it has since reappeared) in a federal law-enforcement campaign called Operation Duck Hunt, forcing the group to find new modes of access to victim infrastructure.

Initially, Black Basta continued to use phishing and even vishing to deliver other types of malware, such as DarkGate and PikaBot, but quickly began seeking alternatives to conduct further malicious activity, researchers from Mandiant revealed in a blog post this week.

The group, which Mandiant tracks as UNC4393, has now settled into a "transition from readily available tools to custom malware development as well as [an] evolving reliance on access brokers and diversification of initial access techniques" in recent attacks, Mandiant researchers wrote in the post.

'SilentNight' Resurgence

One of the new methods for initial access involves the deployment of a backdoor called SilentNight, which the group used in 2019 and 2021 before putting it on the shelf until last year. Earlier this year, the group began using it again in malvertising efforts, the researchers said, marking "a notable shift away from phishing," which previously was the "only known means of initial access," they wrote in the post.

SilentNight is a C/C++ backdoor that communicates via HTTP/HTTPS and may utilize a domain generation algorithm for command and control (C2). It has a modular framework that allows for plug-ins to provide "versatile functionality, including system control, screenshot capture, keylogging, file management, and cryptocurrency wallet access," the researchers wrote. It also targets credentials through browser manipulation.

Once Black Basta gains access to target environments, the group uses a combo of living-off-the-land (LotL) techniques and an assortment of custom malware for persistence and lateral movement before deploying ransomware, the researchers found.

"UNC4393's goal is to gather as much data as quickly as possible followed by exfiltration of the collected data to engage in multi-faceted extortion, leveraging the threat of data leakage to pressure victims into paying ransom demands," the researchers noted.

Custom Tools to Optimize Attacks

One of the first new tools deployed after gaining initial access is called Cogscan, which seems to have replaced open source tools previously used by the group, such as BloodHound, AdFind, and PSNmap, to help map out victim networks and identify opportunities for either lateral movement or privilege escalation.

Cogscan is a .NET reconnaissance tool used to enumerate hosts on a network and gather system information, and is internally referred to as "GetOnlineComputers" by Black Basta itself, the researchers observed.

Another notable new tool that allows Black Basta to speed up its deployment of ransomware is Knotrock, a .NET-based utility. Knotrock creates a symbolic link on network shares specified in a local text file; after creating each symbolic link, Knotrock executes a ransomware executable and provides it with the path to the newly created symbolic link.

"Ultimately, Knotrock serves a dual purpose: it assists the existing Basta encryptor by providing network-communication capabilities, and streamlines operations by proactively mapping out viable network paths, thereby reducing deployment time and accelerating the encryption process," the Mandiant researchers wrote.

The malware represents an evolution in UNC4393's operations in that it boosts its capabilities "by expediting the encryption process to enable larger-scale attacks and significantly decreasing its time to ransom," they noted.
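The Knotrock behavior just described (symbolic links created on several network shares, each immediately followed by a process launch that is handed the link path) is a sequence a defender can hunt for in endpoint telemetry. The following Python is an added example written for this article, not Mandiant's or Black Basta's code; the event format, process IDs, share names and the 60-second window are all constructed assumptions.

```python
"""Behavioral hunt for a Knotrock-like symlink-then-launch pattern.

Assumed, constructed telemetry: each event is a dict with ts (seconds),
pid, kind ('symlink' or 'proc'), and either target (symlink path) or
cmdline (command line of the spawned process).
"""
from collections import defaultdict

# Constructed sample events (hypothetical PIDs, hosts and share names).
EVENTS = [
    {"ts": 100, "pid": 4321, "kind": "symlink", "target": r"\\fs01\shareA\k"},
    {"ts": 101, "pid": 4321, "kind": "proc", "cmdline": r"enc.exe \\fs01\shareA\k"},
    {"ts": 102, "pid": 4321, "kind": "symlink", "target": r"\\fs02\shareB\k"},
    {"ts": 103, "pid": 4321, "kind": "proc", "cmdline": r"enc.exe \\fs02\shareB\k"},
    # Benign local symlink followed by an editor launch: should not match.
    {"ts": 500, "pid": 7777, "kind": "symlink", "target": r"C:\Users\dev\link"},
    {"ts": 501, "pid": 7777, "kind": "proc", "cmdline": r"notepad.exe C:\Users\dev\link"},
]


def is_unc(path):
    """True for UNC paths of the form \\\\host\\share\\..."""
    return path.startswith("\\\\")


def share_of(path):
    """Reduce \\\\host\\share\\dir\\file to \\\\host\\share."""
    return "\\".join(path.split("\\")[:4])


def find_knotrock_like(events, window=60, min_shares=2):
    """Return {pid: [shares]} for processes that create symlinks on at least
    min_shares distinct network shares and, within `window` seconds of each
    link, spawn a process whose command line references that link path."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)
    hits = {}
    for pid, evs in by_pid.items():
        shares = set()
        for i, ev in enumerate(evs):
            if ev["kind"] != "symlink" or not is_unc(ev["target"]):
                continue
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if later["kind"] == "proc" and ev["target"].lower() in later["cmdline"].lower():
                    shares.add(share_of(ev["target"]))
                    break
        if len(shares) >= min_shares:
            hits[pid] = sorted(shares)
    return hits
```

Tune `window` and `min_shares` to the environment; a backup or replication agent that legitimately links across shares will need an allow-list rather than a higher threshold.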

Other new tools observed in recent attacks include Portyard, a tunneling tool for command-and-control (C2) communications, and DawnCry, a memory-only dropper that decrypts an embedded resource into memory, the researchers said.

Black Basta: A Significant Threat Remains

Changes to Black Basta's initial access and tooling demonstrate a "resilience" in the group that shows it will remain a threat to "organizations of all sizes," even if it's moving away from phishing, which is one of the most successful forms of cybercrime, one security expert noted.

"Given the success of this gang, there's no doubt they have a considerable amount of funds stocked away in their war chest, allowing them to develop their own tools and improve their ability to attack," says Erich Kron, security awareness advocate at security firm KnowBe4.

Indeed, Black Basta's ability to adapt and innovate in its use of new tools and techniques means that defenders, too, must be proactive and fortify their security measures with the latest technology and threat intelligence available, the Mandiant researchers said.

Defensive measures for organizations Kron recommends include "employee education and training to counter social engineering; strong data loss prevention controls to keep data from being stolen; a good endpoint detection and response system that can possibly spot and stop attempts to encrypt files from infected computers; and immutable and tested backups to allow for quick recovery in the event of system encryption."

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
