Continuing Social Engineering Campaign Associated with Black Basta Ransomware Operators

Security analysts have discovered an active social engineering campaign targeting enterprises, utilizing spam emails to gain initial access to their networks for subsequent exploitation.

“The incident entails a threat actor inundating a user’s email with spam while also reaching out via phone call, purportedly offering assistance,” explained Rapid7 researchers Tyler McGraw, Thomas Elkins, and Evan McCann.

Rapid7 has detected an ongoing social engineering campaign targeting several managed detection and response (MDR) clients. In this scenario, the threat actor inundates a user’s email with spam and follows up with a phone call, offering assistance. The actor then encourages affected users to install remote monitoring and management software like AnyDesk or use Microsoft’s Quick Assist feature to establish a remote connection. Once connected, the threat actor proceeds to download payloads from their infrastructure to harvest user credentials and maintain persistence on the compromised device.

In one instance, Rapid7 observed the threat actor deploying Cobalt Strike beacons to other devices within the compromised network. While no ransomware deployment was observed in the cases Rapid7 handled, the observed indicators of compromise were previously associated with the Black Basta ransomware operators, as per OSINT and other incident response engagements managed by Rapid7.

The attack chain has also been leveraged to distribute additional remote monitoring and management tools like ConnectWise ScreenConnect, along with a remote access trojan known as NetSupport RAT. Recently, this RAT has been utilized by FIN7 actors in a malvertising campaign.

This development is significant given the suspected affiliations between FIN7 and Black Basta. Initially known for point-of-sale (PoS) malware for financial fraud, FIN7 has transitioned to ransomware operations, either as affiliates or independently under aliases such as DarkSide and BlackMatter.

“After gaining access to the compromised asset, Rapid7 observed the threat actor attempting to deploy Cobalt Strike beacons, camouflaged as a legitimate Dynamic Link Library (DLL) named 7z.DLL, across other assets within the same network using the Impacket toolset,” revealed Rapid7.
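One way to hunt for the chain described above is to correlate a burst of inbound mail to a user with a remote-access tool launch by that same user shortly afterwards. The following is an added example, not code from Rapid7 or the article; the event schema, thresholds, process image names and sample telemetry are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Usual binary names of the tools the article names (assumed, not from the page).
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe",
                "screenconnect.clientservice.exe", "client32.exe"}

def peak_burst(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_suspect_sessions(events, threshold=50, burst=timedelta(minutes=10),
                          lookback=timedelta(hours=4)):
    """Flag remote-tool launches preceded by a mail flood to the same user."""
    mail = defaultdict(list)
    for e in events:
        if e["kind"] == "mail":
            mail[e["user"]].append(e["ts"])
    alerts = []
    for e in events:
        if e["kind"] != "proc" or e["image"].lower() not in REMOTE_TOOLS:
            continue
        recent = [t for t in mail[e["user"]] if e["ts"] - lookback <= t <= e["ts"]]
        peak = peak_burst(recent, burst)
        if peak >= threshold:
            alerts.append((e["user"], e["image"], peak))
    return alerts

def sample_events():
    """Constructed telemetry: alice is flooded, then opens Quick Assist; bob is not."""
    t0 = datetime(2024, 5, 1, 9, 0)
    ev = [{"kind": "mail", "user": "alice", "ts": t0 + timedelta(seconds=5 * i)}
          for i in range(80)]                       # 80 mails in under 7 minutes
    ev += [{"kind": "mail", "user": "bob", "ts": t0 + timedelta(minutes=20 * i)}
           for i in range(6)]                       # ordinary mail volume
    ev.append({"kind": "proc", "user": "alice", "image": "QuickAssist.exe",
               "ts": t0 + timedelta(minutes=25)})
    ev.append({"kind": "proc", "user": "bob", "image": "AnyDesk.exe",
               "ts": t0 + timedelta(minutes=90)})   # routine support session
    return ev

if __name__ == "__main__":
    print(find_suspect_sessions(sample_events()))
```

The threshold and windows need tuning against a mailbox's normal volume, since newsletters and alerting systems can produce legitimate bursts.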

Separately, Proofpoint has published details of a new LockBit Black (also known as LockBit 3.0) ransomware campaign in which the Phorpiex (also known as Trik) botnet serves as the conduit for delivering email messages containing the ransomware payload.

The campaign, initiated on April 24, 2024, witnessed the distribution of millions of messages in what appears to be a high-volume operation. At present, the identity of the perpetrators remains unclear.

Researchers from Proofpoint pointed out that the LockBit Black sample observed in this campaign likely originates from the LockBit builder leaked during the summer of 2023. They emphasized that this builder grants threat actors access to proprietary and sophisticated ransomware, and when coupled with the well-established Phorpiex botnet, significantly escalates the scope and potential success of such ransomware attacks.
