The ransomware operators of Black Basta have enhanced their strategies by utilizing Microsoft Teams to distribute Zbot, DarkGate, and Custom Malware.
In an ongoing social engineering operation, a threat actor overwhelms a user’s mailbox with spam before reaching out to offer assistance.
It was observed by researchers that the threat actors utilized Microsoft Teams as the main platform for initial contact with the target.
If the user engages with the invitation by responding either through a call or message, the threat actor will attempt to convince them to install or run a remote management application, such as QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect.
Once a remote connection is established, the threat actor proceeds to download payloads from their own network to acquire the credentials of the affected users and persistently target their resources.
According to a report published by Rapid7 and shared with Cyber Security News, “The primary aim following the initial breach appears to remain consistent: rapidly map out the environment and extract the user’s credentials. Operators will also seek to obtain any accessible VPN configuration files where available.”
“With the acquired credentials, organization’s VPN details, and potential Multi-Factor Authentication bypass, the threat actors may potentially authenticate into the target environment directly.”
Updated Tactics and Malicious Payloads by Threat Actors
Researchers noted that operators were employing distinctive display names on Microsoft Teams, potentially utilizing whitespace characters to pad these names.
By adopting the first and last names of IT employees from the targeted company as chat display names and/or account logins, the threat actors impersonate individuals within the organization.
Using the OpenSSH client, a native Windows utility, the threat actor establishes a reverse shell for malicious purposes.
In one instance, the threat actor provided a targeted user with a QR code, the exact purpose of which is unknown but likely intended to circumvent MFA following the theft of user credentials.
Rapid7 has noted the use of the same credential gathering executable, previously named AntiSpam.exe, now delivered in the form of a DLL and typically executed via rundll32.
The deployment of this same credential-harvesting executable, previously identified as AntiSpam.exe, now comes in the form of a DLL executed by rundll32.
Prior to this, the application was an unobfuscated .NET executable; nowadays, it’s often enclosed within a compiled 64-bit DLL loader.
The most recent versions of the credential harvester now save output to a file named 123.txt in the user’s %TEMP% directory, replacing the previous qwertyuio.txt.
However, preceding versions of the delivered DLL during the campaign would still output data to the older file.
Following the credential harvester, a loader like Zbot (also known as Zloader) or DarkGate is most frequently executed.
This process enhances data theft, serves as an entry for executing forthcoming payloads in memory, or executes other malicious operations.
The modular trojan Zloader, also recognized as Terdot, DELoader, or Silent Night, was created utilizing the leaked Zeus source code.
The loader module in the latest Zloader version underwent significant alterations, including the integration of RSA encryption, an enhancement to the domain generation method, and the initial compilation for 64-bit Windows systems.
DarkGate is a powerful malware toolkit with functionalities for keylogging, remote code execution, privilege escalation, evasion of detection, and data pilfering from web browsers and Discord.
To externally run PowerShell commands, operators were also distributing alternative payload archives containing Cobalt Strike beacon loaders and two Java payloads housing a customized multi-threaded beacon and a variant of a user credential harvester.
In certain cases, operators would transmit a concise command through Teams to the user, which when executed by the target user, triggers an infection sequence.
Recommendations
- Restrict the interaction between external users and internal users via Microsoft Teams as much as possible.
- Ensure consistency in the remote management tools used within the environment.
- Provide users with training on identification of social engineering tactics.
- Establish uniformity in VPN access protocols.
The article “Black Basta Ransomware Leverages Microsoft Teams To Attack Windows Users” was originally published on Cyber Security News.