The Black Basta ransomware operation has extended its social engineering playbook to a new channel, Microsoft Teams, where affiliates pose as IT help-desk staff to reach employees directly.
Researchers report that the group's affiliates impersonate the target organisation's internal IT help desk and contact employees, by phone and now through Teams chats, offering to fix a spam problem that the attackers themselves created. The campaign opens by flooding the targeted employees' inboxes with hundreds of emails.
The emails are not themselves malicious; they are ordinary newsletters, sign-up confirmations, and email-address verifications, many of them triggered by registering the victim's address on legitimate sites. Their purpose is volume: the flood (commonly called email bombing) clogs the mailbox and gives the victim a visible, urgent problem.
That deliberately generated spam is the pretext for the rest of the operation. Once the flood is under way, the attackers contact the affected employees, introduce themselves as the company's IT department, and offer to help with the spam.
Once the target accepts the offer, the attacker talks them through the next step by voice or chat: installing the AnyDesk remote-access utility, or granting remote control of their Windows machine through Quick Assist, Microsoft's built-in remote assistance and screen-sharing application.
With remote access in hand, the operators run a script that drops further payloads, including ScreenConnect, NetSupport Manager, and Cobalt Strike, giving them access to the corporate device that persists after the "support session" ends.
From that foothold the attackers move laterally across the business network, escalate privileges, exfiltrate data, and finally deploy the ransomware encryptor.
Researchers have also observed Black Basta affiliates using a similar tactic in which the dropped payloads carry names chosen to match the pretext: "AntispamAccount.exe", "AntispamUpdate.exe", and "AntispamConnectUS.exe". A user who has just been told their spam problem is being fixed has little reason to distrust a file called AntispamUpdate.exe.
That chain again ends with Cobalt Strike, which gives the operators interactive access to the compromised device and the starting point for the wider intrusion.
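The sequence described above (an email flood, then a remote-access tool or a payload with an "Antispam" name on the same user's machine) is what a defender can look for. The following is an added detection example, not code from the original report or from any of the researchers it cites. It correlates an email-bombing burst with a later remote-tool launch by the same user and flags the payload names from the campaign outright. The mail and process records are constructed sample data; in production they would come from mail-flow logs and Sysmon event 1 or Security 4688 process-creation events, and the field names (User, Time, Image), thresholds, and windows are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): email bomb followed by remote tool.
# Sample data is constructed; field names and thresholds are assumptions.

# Remote-access tools the campaign abuses, plus the payload names it was seen to use.
$RemoteTools   = @('quickassist.exe', 'anydesk.exe', 'screenconnect.clientservice.exe', 'client32.exe')
$KnownPayloads = @('antispamaccount.exe', 'antispamupdate.exe', 'antispamconnectus.exe')

function Find-HelpDeskLureActivity {
    param(
        [Parameter(Mandatory)] [object[]] $MailEvents,     # objects with User, Time
        [Parameter(Mandatory)] [object[]] $ProcessEvents,  # objects with User, Time, Image
        [int]      $BurstThreshold = 100,                         # this many messages ...
        [timespan] $BurstWindow    = [timespan]::FromMinutes(60), # ... inside this window = a burst
        [timespan] $FollowUpWindow = [timespan]::FromHours(4)     # tool launch this soon after the burst
    )
    $findings = @()

    # The campaign's own payload names are a strong indicator on their own.
    foreach ($p in $ProcessEvents) {
        $name = [System.IO.Path]::GetFileName($p.Image).ToLowerInvariant()
        if ($KnownPayloads -contains $name) {
            $findings += [pscustomobject]@{ User = $p.User; Time = $p.Time; Process = $name; Reason = 'Black Basta payload name' }
        }
    }

    # Remote tools are only suspicious in context: a mail burst, then the tool.
    foreach ($group in ($MailEvents | Group-Object User)) {
        $times = @($group.Group.Time | Sort-Object)
        $burstStart = $null; $burstEnd = $null
        # Sliding window: any $BurstThreshold consecutive messages within $BurstWindow.
        for ($i = 0; ($i + $BurstThreshold - 1) -lt $times.Count; $i++) {
            $j = $i + $BurstThreshold - 1
            if (($times[$j] - $times[$i]) -le $BurstWindow) {
                $burstStart = $times[$i]; $burstEnd = $times[$j]; break
            }
        }
        if ($null -eq $burstStart) { continue }

        foreach ($p in ($ProcessEvents | Where-Object { $_.User -eq $group.Name })) {
            $name = [System.IO.Path]::GetFileName($p.Image).ToLowerInvariant()
            if (($RemoteTools -contains $name) -and
                ($p.Time -ge $burstStart) -and
                (($p.Time - $burstEnd) -le $FollowUpWindow)) {
                $findings += [pscustomobject]@{ User = $p.User; Time = $p.Time; Process = $name
                                                Reason = "remote-access tool after burst of $($group.Count) messages" }
            }
        }
    }
    return $findings
}

# Constructed sample data: alice gets 300 messages in 30 minutes, bob a normal trickle.
$t0 = Get-Date '2024-10-01T09:00:00'
$MailEvents = @(
    1..300 | ForEach-Object { [pscustomobject]@{ User = 'alice'; Time = $t0.AddSeconds($_ * 6) } }
    1..5   | ForEach-Object { [pscustomobject]@{ User = 'bob';   Time = $t0.AddMinutes($_ * 20) } }
)
$ProcessEvents = @(
    [pscustomobject]@{ User = 'alice'; Time = $t0.AddMinutes(75);  Image = 'C:\Windows\System32\quickassist.exe' }
    [pscustomobject]@{ User = 'alice'; Time = $t0.AddMinutes(90);  Image = 'C:\Users\alice\Downloads\AntispamUpdate.exe' }
    [pscustomobject]@{ User = 'bob';   Time = $t0.AddMinutes(130); Image = 'C:\Program Files\AnyDesk\AnyDesk.exe' }  # no burst for bob
)

Find-HelpDeskLureActivity -MailEvents $MailEvents -ProcessEvents $ProcessEvents | Format-Table -AutoSize
```

On the sample data this reports alice twice (the AntispamUpdate.exe name, and Quick Assist launched just over an hour after her burst) and says nothing about bob, whose AnyDesk launch has no preceding flood. The point of the correlation is that Quick Assist and AnyDesk are legitimate in most environments, so alerting on them alone drowns the signal; the mail burst is what makes the launch worth a look.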
Enterprises should restrict external communication in Microsoft Teams: block chats from personal (consumer) and unmanaged accounts, and where external collaboration is required, allow only an explicit list of trusted domains rather than open federation. Because the initial approach can also arrive by phone, these Teams settings should be paired with controls on remote-access tools (Quick Assist, AnyDesk, ScreenConnect, NetSupport) and with a clear rule, communicated to staff, that the IT help desk never initiates unsolicited remote-support sessions. Together these measures significantly reduce the chance of a successful Black Basta help-desk lure.
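The Teams restriction above can be applied with the MicrosoftTeams PowerShell module. The following is an added example, not configuration from the original article or from Microsoft's own documentation pages; it uses the tenant federation cmdlets as documented, and the partner domain names are placeholders to replace with your real partner tenants. It assumes a Teams administrator role and that you have checked the cmdlets with Get-Help against the module version you run.

```powershell
# Added example (not from the original article): move Teams external access from
# open federation to an explicit allow list and block personal accounts.
# Domain names are placeholders; requires the MicrosoftTeams module and a Teams admin role.
Connect-MicrosoftTeams

# Before: AllowFederatedUsers = True with an empty AllowedDomains list means any
# Teams tenant in the world can message your users, which is what the lure relies on.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains

# After: federation stays on, but only for the listed partner domains.
$patterns  = 'partner-a.example', 'partner-b.example' |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Personal (consumer) Teams accounts and Skype users can no longer start chats with your users.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false

# Verify: the allow list should now contain exactly the partner domains.
(Get-CsTenantFederationConfiguration).AllowedDomains.AllowedDomain
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers
```

Test the change with a known-good external contact before a broad rollout, since an allow list also cuts off managed service providers and partners nobody thought to list. Note that the tenant-level setting is only half of the picture: a user's external access policy (Set-CsExternalAccessPolicy) can still grant or deny federation per user, and none of this affects the phone-call variant of the lure, which is why the remote-tool controls and the help-desk rule matter as much as the Teams settings.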