QR Codes and Email Assaults: Black Basta Evolves

Introduction

Since early October 2024, the cybercriminal group known as Black Basta has been using new types of malware, including Zbot and DarkGate. They have also changed how they trick people, using a wider range of social engineering techniques to fool their targets.


Email Bombing and Fake Staff Contacts

Security researchers at Rapid7 found that the attackers often flood a target’s inbox with unwanted emails by subscribing the address to many newsletters. Once the target is overwhelmed by these emails, the attacker then contacts the user directly.

In August, the attackers were observed reaching out to possible victims on Microsoft Teams, pretending to be from the company’s support or IT department. In some cases, they even posed as members of the target’s own IT team.
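The inbox flood described above has a recognisable shape: many sign-up confirmations from many unrelated senders landing on one mailbox within minutes. The following is an added example (not from the article, Rapid7, or any product) that flags that pattern in constructed mail-gateway log lines; the log format, the subject keywords and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (not from the article or any real system); assumed
# line format: "<ISO timestamp> to=<recipient> from=<sender> subject=<subject>"
SAMPLE_LOG = """\
2024-10-07T09:00:05 to=j.doe@example.com from=news@shop-a.example subject=Confirm your subscription
2024-10-07T09:00:09 to=j.doe@example.com from=hello@blog-b.example subject=Welcome! Please verify your email
2024-10-07T09:00:14 to=j.doe@example.com from=noreply@forum-c.example subject=Confirm your subscription
2024-10-07T09:00:21 to=j.doe@example.com from=list@site-d.example subject=Thanks for signing up
2024-10-07T09:00:33 to=j.doe@example.com from=digest@mag-e.example subject=Verify your subscription
2024-10-07T09:00:40 to=j.doe@example.com from=news@store-f.example subject=Please confirm your email address
2024-10-07T09:01:02 to=a.smith@example.com from=boss@example.com subject=Q4 budget
2024-10-07T09:15:00 to=a.smith@example.com from=news@shop-a.example subject=Confirm your subscription
"""

LINE_RE = re.compile(r"^(\S+) to=(\S+) from=(\S+) subject=(.*)$")
CONFIRM_RE = re.compile(r"\b(confirm|verify|welcome|signing up)\b", re.I)  # sign-up wording

def parse_log(text):
    """Yield (timestamp, recipient, sender, subject) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, rcpt, sender, subject = m.groups()
            yield datetime.fromisoformat(ts), rcpt.lower(), sender.lower(), subject

def find_email_bombs(text, window=timedelta(minutes=10), min_senders=5):
    """Return {recipient: (mails, distinct_senders)} for recipients that got sign-up
    confirmations from >= min_senders distinct senders within one sliding window."""
    per_rcpt = defaultdict(list)
    for ts, rcpt, sender, subject in parse_log(text):
        if CONFIRM_RE.search(subject):
            per_rcpt[rcpt].append((ts, sender))
    flagged = {}
    for rcpt, events in per_rcpt.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            senders = {s for _, s in events[start:end + 1]}
            if len(senders) >= min_senders and (best is None or len(senders) > best[1]):
                best = (end - start + 1, len(senders))
        if best:
            flagged[rcpt] = best
    return flagged
```

A hit on a mailbox is a cue for the help desk to warn that user that any follow-up "IT support" call or Teams message is likely part of the same campaign.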

Abuse of Legitimate Remote Access Tools

Having won the target’s trust, the attackers talk them into installing legitimate remote access tools such as AnyDesk, ScreenConnect, TeamViewer, or Microsoft’s Quick Assist. Microsoft tracks the group behind the abuse of Quick Assist as “Storm-1811.”

Reverse Shells, QR Codes, and Credential Theft

Rapid7 also observed the group trying to use the OpenSSH client to open a reverse shell for covert access. They even sent a malicious QR code through the chat, most likely to steal login credentials under the pretext of enrolling a trusted mobile device. Another security firm, ReliaQuest, believes the QR codes might instead lead users to harmful websites.

Once the attackers gain remote access (often through tools like AnyDesk), they push more harmful software onto the victim’s device. This includes a custom program to steal login details, followed by the use of Zbot (also called ZLoader) or DarkGate. These tools help attackers move further into the network.

“The attackers’ main goal after getting in is to quickly look around and grab user credentials,” said Tyler McGraw, a Rapid7 researcher. They also try to take VPN configuration files if they can, making it easier for them to break into the network later and bypass multi-factor authentication.

Black Basta’s Background and Malware Arsenal

After the Conti ransomware group split in 2022, Black Basta formed and first depended on QakBot to break in. Later, they leaned more on social engineering instead of relying only on botnets. Also known as UNC4393, they use many types of malware, such as:

  • KNOTWRAP: A memory-only dropper written in C/C++ that can execute additional malicious payloads directly from memory.
  • KNOTROCK: A .NET-based tool used to launch the ransomware.
  • DAWNCRY: Another memory-only dropper that decrypts an embedded block of code using a secret key.
  • PORTYARD: A tunneling tool that talks to a hard-coded server over a custom binary protocol.
  • COGSCAN: A .NET tool that scans the network to see which hosts are reachable.

According to Yelisey Bohuslavskiy from RedSense, Black Basta’s shift from relying on botnets to mixing in social engineering shows how the group adapts over time.

Other Malware Activity in the Ransomware World

Meanwhile, Check Point has studied a newer Rust-based version of Akira ransomware. They note that it relies on off-the-shelf code from known software libraries, which makes it easier for the attackers to produce.

Other ransomware groups also keep changing. For example, a version of Mimic called Elpaco has been used, and Rhysida infections use a tool called CleanUpLoader to help steal data and stay hidden. Often, these threats pretend to be installers for common programs like Microsoft Teams or Google Chrome.

Recorded Future reports that Rhysida sets up fake domains that look like real software download sites. By doing this, they trick users into getting infected files. They use tricks like “SEO poisoning” to rank these fake sites higher in search results, making them seem more trustworthy than they really are.