SystemBC malware used by Black Basta in a new campaign

August 21, 2024

The notorious Black Basta ransomware group is reportedly behind an ongoing social engineering campaign that deploys the SystemBC malware. According to the reports, several social engineering operations observed since June have used the same malware deployment method.

Researchers have also seen a significant shift in the tooling these threat actors use across the recent incidents.

The operation begins with a familiar tactic: an email bomb, flooding the target's inbox with a large volume of subscription and spam messages. The attackers then contact the targeted users, frequently over Microsoft Teams, offering a fake solution to the flood of email.

As part of that "solution", the attackers lure the targets into installing AnyDesk, which gives them remote control of the victims' PCs.

During the attack, the operators also used AntiSpam.exe, a credential-harvesting tool that poses as a spam filter updater. It prompts the user to enter their credentials, which are then saved to disk or logged and collected by the attackers for later use.

SystemBC is only one of several payloads Black Basta deployed in this operation. The payloads were named to match the initial lure and included SystemBC, SOCKS proxy beacons and Golang HTTP beacons.

The researchers also found that the threat actors used a program named update6.exe to exploit CVE-2022-26923, the Active Directory "Certifried" privilege-escalation flaw, and escalate their privileges on the compromised system.

The attackers also used reverse SSH tunnels and the Level Remote Monitoring and Management (RMM) tool for lateral movement and to maintain access.

When run, update6.exe attempts to add a machine account and abuse CVE-2022-26923 if the environment's domain controller is vulnerable. The researchers noted that its source code was likely copied from Outflank's publicly available Cobalt Strike module.

The SystemBC payload carried by update8.exe is decrypted at run time from an encrypted resource and injected directly into a child process of the same name. The embedded SystemBC file is encrypted with a repeating XOR key, and that key is trivially recoverable: the null-byte padding between the PE's sections, once XORed, is simply the key itself, repeated, so an analyst can read it straight out of the encrypted blob.
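To show concretely why the null padding leaks the key, the following Python script is an added example for this page (it is not code from the original report, nor from the malware itself). It constructs a minimal PE-shaped buffer with a run of null padding between two sections, XOR-encrypts it with an assumed 16-byte key, then recovers the key purely from the periodic stretch in the ciphertext and validates the result against the MZ and PE signatures. The sample layout, the key and all function names are constructed for the demonstration; the same recovery works on any XOR-encrypted PE with a null run longer than a few key lengths.

```python
import random
import struct
from itertools import cycle
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_sample_pe(pad_len: int = 256) -> bytes:
    """Constructed stand-in for a dropped PE (assumption, not a real sample):
    a DOS header with 'MZ', an e_lfanew that points at 'PE\\0\\0',
    pseudo-random bytes standing in for section contents, and a run of null
    padding between two sections. It is not loadable; it only reproduces the
    layout that leaks the key."""
    rng = random.Random(1337)

    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    header = bytearray(0x100)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)          # e_lfanew -> PE header
    stub = b"This program cannot be run in DOS mode."
    header[0x40:0x40 + len(stub)] = stub
    header[0x80:0x84] = b"PE\0\0"
    header[0x84:] = filler(0x100 - 0x84)                 # fake header fields
    text_section = filler(0x400)
    padding = bytes(pad_len)                             # null gap between sections
    data_section = filler(0x200)
    return bytes(header) + text_section + padding + data_section


def looks_like_pe(buf: bytes) -> bool:
    """Cheap sanity check used to confirm a candidate key: MZ at offset 0 and
    'PE\\0\\0' where e_lfanew says the NT header begins."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def longest_periodic_run(ct: bytes, n: int) -> Tuple[int, int]:
    """Return (start, span) of the longest stretch where ct[i] == ct[i + n],
    i.e. where the ciphertext repeats with period n. Null plaintext under a
    repeating key of length n produces exactly such a stretch."""
    best_start, best_len, cur_start, cur_len = 0, 0, 0, 0
    for i in range(len(ct) - n):
        if ct[i] == ct[i + n]:
            if cur_len == 0:
                cur_start = i
            cur_len += 1
            if cur_len > best_len:
                best_start, best_len = cur_start, cur_len
        else:
            cur_len = 0
    if best_len == 0:
        return 0, 0
    return best_start, best_len + n   # matches plus the trailing period


def recover_xor_key(ct: bytes, max_key_len: int = 64,
                    min_repeats: int = 4) -> Optional[bytes]:
    """For each candidate key length n (shortest first), find the longest
    periodic stretch of ciphertext; if it covers at least min_repeats full
    periods, read the key out of it, rotate it so it aligns with file offset 0,
    and accept it only if the decrypted buffer carries a valid MZ/PE pair."""
    for n in range(1, max_key_len + 1):
        start, span = longest_periodic_run(ct, n)
        if span < min_repeats * n:
            continue
        window = ct[start:start + n]
        # window[k] is the key byte used at file offset start + k; the key
        # byte for offset j is therefore window[(j - start) mod n]
        key = bytes(window[(j - start) % n] for j in range(n))
        if looks_like_pe(xor_bytes(ct, key)):
            return key
    return None


if __name__ == "__main__":
    # Assumed 16-byte key with no internal repetition, chosen for the demo.
    key = bytes.fromhex("a4f10c3b9e2277d15c88e30f4a6bd219")
    blob = xor_bytes(build_sample_pe(), key)
    found = recover_xor_key(blob)
    print("recovered key:", found.hex() if found else None)
    print("matches original:", found == key)
```

The search tries the shortest period first, so a key that is itself periodic (say, an 8-byte pattern written twice) comes back in its minimal form, which decrypts identically. The MZ/PE check is what makes the method safe against a chance periodic run in real section data: a wrong candidate cannot turn the first two bytes into "MZ" and still place "PE\0\0" at e_lfanew.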

To blunt this tactic, the researchers urge organisations to block unapproved remote monitoring and management tools outright. AppLocker or Microsoft Defender Application Control can prevent unapproved RMM solutions from running anywhere in the environment, so defenders should put such allowlisting controls in place.
