Qbot and Black Basta joined forces to establish new TTPs

June 13, 2022

The Qbot hacking group and the Black Basta ransomware operators have joined forces to gain initial access to numerous targets, including corporate environments. Qbot is notorious for stealing banking and Windows domain credentials and for launching additional payloads.

Researchers reported the ongoing partnership between the two groups after traces of both were found in a recent incident. In addition, the researchers identified multiple tactics, techniques, and procedures (TTPs) used by both adversaries in the attack.

A separate researcher indicated that Qbot is commonly used by its operators to gain initial access to a victim’s device. However, recent research revealed that the operators also used the Black Basta ransomware to spread laterally across a victim’s network.

The campaign mainly focuses on the Qbot infection process, with Black Basta taking over its role after the initial intrusion.

The Qbot malware remotely creates a temporary service on the host and configures that service to run Qbot’s DLL through regsvr32[.]exe. Once set up, the malware can compromise network drives and shares and brute-force AD accounts.

The malware uses SMB to create copies of itself and spread through default admin shares, using the current user’s credentials. In addition, researchers spotted the threat actors deploying Cobalt Strike beacons during the recently monitored attack.

For evasion, the threat actors disable Windows Defender to avoid detection and reduce the chance that the encryption process is stopped. The Qbot operators also run PowerShell commands to create a GPO on a compromised domain controller that alters Windows Registry settings.
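The behaviours described above (a service that launches a DLL through regsvr32, an executable copied onto a default admin share over SMB, and a registry policy that turns Defender off) each map onto a common Windows log source. The following is an added detection example, not code from this article or the researchers it cites: it runs simple rules over constructed events shaped like System event 7045, Sysmon event 13 and Security event 5145; the DisableAntiSpyware policy value is an assumption, since the article does not say which registry settings the GPO changed.

```python
import re

# Constructed sample events (not real telemetry) modelled on three Windows log
# sources: System 7045 (service installed), Sysmon 13 (registry value set) and
# Security 5145 (network share object checked). Hosts and paths are made up.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "ws01",
     "ImagePath": r"C:\Windows\System32\regsvr32.exe -s C:\Users\Public\update.dll"},
    {"id": 13, "host": "dc01",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"id": 5145, "host": "fs01", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"temp\svc.dll", "AccessMask": "0x2"},
    {"id": 7045, "host": "ws02", "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"id": 13, "host": "ws03",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
]

# Service binary is regsvr32 loading a DLL (the loader behaviour described above).
REGSVR32_DLL = re.compile(r"regsvr32(\.exe)?\b.*\.dll", re.IGNORECASE)
# Defender turned off through policy. The article names no registry value, so this
# DisableAntiSpyware policy is an assumed example of what the GPO could push.
DEFENDER_POLICY = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$", re.IGNORECASE)
# Default admin shares (ADMIN$, C$, ...) written to over SMB.
ADMIN_SHARE = re.compile(r"\\\\\*\\(ADMIN|[A-Z])\$$", re.IGNORECASE)

def classify(event):
    """Return a detection label for one event, or None if no rule matches."""
    eid = event.get("id")
    if eid == 7045 and REGSVR32_DLL.search(event.get("ImagePath", "")):
        return "service_runs_dll_via_regsvr32"
    if (eid == 13 and DEFENDER_POLICY.search(event.get("TargetObject", ""))
            and "0x00000001" in event.get("Details", "")):
        return "defender_disabled_by_policy"
    if (eid == 5145 and ADMIN_SHARE.search(event.get("ShareName", ""))
            and event.get("RelativeTargetName", "").lower().endswith((".dll", ".exe"))
            and int(event.get("AccessMask", "0x0"), 16) & 0x2):  # 0x2 = WriteData
        return "executable_written_to_admin_share"
    return None

def detect(events):
    """Run every rule over a batch and return the (host, label) pairs that fired."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((event["host"], label))
    return hits
```

Any one of these rules alone is noisy on a busy network; the value is in seeing them fire together on the same host within a short window.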

The partnership between Qbot and Black Basta appears to be an effective move for their attacks. The only downside for the attackers is that Qbot is still distributed through malicious emails.

Users can still avoid these attacks if they are adept at spotting such threats. Furthermore, organisations that already subscribe to a threat intelligence service will have better protection against these attacks.