Black Basta Ransomware Group Linked to New Malware Campaign

August 15, 2024

Rapid7 researchers have identified a new social engineering campaign that distributes the SystemBC dropper and is linked to the Black Basta ransomware operation. On June 20, 2024, the researchers observed multiple attacks consistent with an ongoing social engineering campaign they had been monitoring.

The researchers noted a significant change in the tools employed by the threat actors in these recent incidents. The attack sequence begins with an email attack against the target, after which the threat actors contact the targeted users, often through Microsoft Teams, to offer a counterfeit solution. They deceive users into installing AnyDesk, which gives the attackers remote control of the victims' computers.

During the attack, the cybercriminals deploy a credential harvesting tool named AntiSpam.exe, which masquerades as a spam filter updater. The tool prompts users to enter their credentials, which are then stored or logged for later use. The attackers used a variety of payloads matching their initial lure, including SystemBC malware, Golang HTTP beacons, and SOCKS proxy beacons.

The researchers detected the use of an executable named update6.exe, designed to exploit the vulnerability CVE-2022-26923 for privilege escalation. The report published by Rapid7 states, “When executed, update6.exe will attempt to exploit CVE-2022-26923 to add a machine account if the domain controller used within the environment is vulnerable.” The researchers also noted the use of reverse SSH tunnels and the Level Remote Monitoring and Management (RMM) tool for lateral movement and maintaining access.

The SystemBC payload in update8.exe is dynamically retrieved from an encrypted resource and injected directly into a child process with the same name. The original SystemBC file is encrypted with an XOR key, and that key is exposed because the null-byte padding between PE sections was encrypted as well: XORing a zero byte with a key byte yields the key byte unchanged, so the padding regions contain the key in the clear.
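As an added illustration (not part of the Rapid7 report or its tooling), the following Python script shows why encrypted null padding leaks a repeating XOR key and how an analyst can recover it, realign it, and verify the result against the decrypted PE header. The sample buffer and key are constructed here, not taken from the sample.

```python
from __future__ import annotations
# Added example (not Rapid7's code): recover a repeating XOR key from encrypted
# zero padding between PE sections. Sample buffer and key are constructed.
MAX_KEY_LEN = 64   # longest key period to consider
MIN_REPEATS = 3    # a run must hold at least this many key repetitions


def longest_periodic_run(data: bytes, period: int) -> tuple[int, int]:
    """(start, length) of the longest region where data[i] == data[i - period].
    Zero padding XORed with a repeating key is just that key repeated."""
    best, match_start = (0, 0), None
    for i in range(period, len(data) + 1):
        if i < len(data) and data[i] == data[i - period]:
            match_start = i if match_start is None else match_start
        elif match_start is not None:
            start = match_start - period
            if i - start > best[1]:
                best = (start, i - start)
            match_start = None
    return best


def recover_key(data: bytes) -> bytes | None:
    """Longest qualifying run (smallest period on ties), rotated back to key[0]."""
    best = None  # (length, period, start)
    for period in range(1, MAX_KEY_LEN + 1):
        start, length = longest_periodic_run(data, period)
        if length >= MIN_REPEATS * period and (best is None or length > best[0]):
            best = (length, period, start)
    if best is None:
        return None
    _, period, start = best
    # Padding at offset `start` was encrypted beginning with key[start % period],
    # so the observed bytes are a rotation of the real key: undo that rotation.
    segment = data[start:start + period]
    return bytes(segment[(k - start) % period] for k in range(period))


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it also encrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-in for the encrypted resource: "MZ" header, varying bytes,
# 4000 null padding bytes between sections, then more varying bytes.
KEY = bytes.fromhex("9c375ae102bb4d70")  # hypothetical key, not from the report
PLAINTEXT = b"MZ" + bytes(range(3, 200)) + b"\x00" * 4000 + bytes(range(50, 250))
ENCRYPTED = xor_decrypt(PLAINTEXT, KEY)
```

Running `recover_key(ENCRYPTED)` returns the original key, and decrypting with it restores the `MZ` header, which is the sanity check an analyst would apply before trusting the recovered key on a real resource.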

To mitigate the threat, the researchers recommend blocking all unapproved remote monitoring and management solutions. Tools such as AppLocker or Microsoft Defender Application Control can prevent unapproved RMM solutions from executing within the environment. The report also lists Indicators of Compromise for this campaign.
