# Black Basta Ransomware Evolves with Email Bombing, QR Codes, and Social Engineering



The threat actors linked to the Black Basta ransomware have been observed switching up their [social engineering tactics](https://thehackernews.com/2024/05/ongoing-campaign-bombarded-enterprises.html), distributing a different set of payloads such as [Zbot](https://thehackernews.com/2024/01/new-zloader-malware-variant-surfaces.html) and [DarkGate](https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html) since early October 2024.

"Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously," Rapid7 [said](https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/). "After the email bomb, the threat actor will reach out to the impacted users."

As [observed](https://thehackernews.com/2024/08/black-basta-linked-attackers-targets.html) back in August, the attackers make initial contact with prospective targets on Microsoft Teams, pretending to be external support personnel or the organization's IT staff. In some instances, they have gone further and impersonated specific IT staff members within the targeted organization.

Users who end up interacting with the threat actors are urged to install legitimate remote access software such as AnyDesk, ScreenConnect, TeamViewer, and Microsoft's Quick Assist. The Windows maker is tracking the cybercriminal group behind the abuse of Quick Assist for Black Basta deployment under the name [Storm-1811](https://thehackernews.com/2024/05/cybercriminals-exploiting-microsofts.html).


Rapid7 said it also detected attempts by the ransomware crew to use the OpenSSH client to establish a reverse shell, and to send the victim a malicious QR code over the Teams chat, likely to steal their credentials under the pretext of adding a trusted mobile device.

However, cybersecurity company ReliaQuest, which also [reported](https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/) on the same campaign, theorized the QR codes are being used to direct users to further malicious infrastructure.

The remote access facilitated by the installation of AnyDesk (or its equivalent) is then used to deliver additional payloads to the compromised host, including a custom credential harvesting program followed by the execution of Zbot (aka ZLoader) or DarkGate, which can serve as a gateway for follow-on attacks.

"The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user's credentials," Rapid7 security researcher Tyler McGraw said.

"When possible, operators will also still attempt to steal any available VPN configuration files. With the user's credentials, organization VPN information, and potential MFA bypass, it may be possible for them to authenticate directly to the target environment."
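The chain the article describes (an email bomb, then an external Teams contact posing as IT, then installation of a remote access tool, then credential and VPN-configuration theft) is a sequence a defender can correlate across mail, collaboration and endpoint telemetry. The following is an added example written for this page, not Rapid7's detection logic or any vendor's product code: the log line format, the thresholds, the executable names for the tools named above and the VPN configuration extensions are assumptions, and every event is constructed.

```python
"""Correlate the Black Basta social-engineering chain over constructed telemetry.
Added example; the log format, thresholds, process names and file extensions
are assumptions, and all events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote access tools the article says victims are urged to install.
# Executable names are assumptions for this example.
REMOTE_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe",
                "teamviewer.exe", "quickassist.exe"}
VPN_CONFIG_EXT = (".ovpn", ".pcf")      # assumed VPN client config extensions
MAIL_BOMB_THRESHOLD = 50                # assumed: inbound messages per window
BOMB_WINDOW = timedelta(hours=1)        # assumed: window for counting the burst
FOLLOW_WINDOW = timedelta(hours=24)     # assumed: how long after the bomb we look


def parse(line):
    """Constructed log format: ISO timestamp|user|kind|detail,
    where kind is one of mail, teams, process, file."""
    ts, user, kind, detail = line.rstrip("\n").split("|", 3)
    return datetime.fromisoformat(ts), user, kind, detail


def mail_bomb_start(times, threshold, window):
    """Start of the first burst of at least `threshold` messages within `window`, else None."""
    times = sorted(times)
    j = 0
    for i, t in enumerate(times):
        while j < len(times) and times[j] - t <= window:
            j += 1
        if j - i >= threshold:
            return t
    return None


def correlate(lines, threshold=MAIL_BOMB_THRESHOLD):
    """Map each email-bombed user to the chain stages seen within FOLLOW_WINDOW.
    A user is reported only when at least one follow-on stage is present."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse(line)
        by_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        start = mail_bomb_start([e[0] for e in evs if e[2] == "mail"],
                                threshold, BOMB_WINDOW)
        if start is None:
            continue
        stages = ["email_bomb"]
        for ts, _, kind, detail in sorted(evs):
            if not (start <= ts <= start + FOLLOW_WINDOW):
                continue
            if kind == "teams" and "external=1" in detail \
                    and "teams_external_contact" not in stages:
                stages.append("teams_external_contact")
            elif kind == "process" and detail.lower() in REMOTE_TOOLS \
                    and "remote_tool_install" not in stages:
                stages.append("remote_tool_install")
            elif kind == "file" and detail.lower().endswith(VPN_CONFIG_EXT) \
                    and "vpn_config_access" not in stages:
                stages.append("vpn_config_access")
        if len(stages) > 1:
            alerts[user] = stages
    return alerts


def sample_lines():
    """Constructed telemetry: j.doe is bombed then contacted; a.smith only runs TeamViewer."""
    t0 = datetime(2024, 10, 15, 9, 0)
    lines = [f"{(t0 + timedelta(minutes=i)).isoformat()}|j.doe|mail|list-signup-{i}@example.net"
             for i in range(60)]
    lines += [
        f"{(t0 + timedelta(hours=1, minutes=30)).isoformat()}|j.doe|teams|sender=helpdesk@example-it.onmicrosoft.com external=1",
        f"{(t0 + timedelta(hours=1, minutes=45)).isoformat()}|j.doe|process|AnyDesk.exe",
        f"{(t0 + timedelta(hours=2)).isoformat()}|j.doe|file|C:\\Users\\j.doe\\vpn\\corp.ovpn",
        f"{(t0 + timedelta(minutes=5)).isoformat()}|a.smith|mail|newsletter@example.org",
        f"{(t0 + timedelta(minutes=50)).isoformat()}|a.smith|process|TeamViewer.exe",
    ]
    return lines


if __name__ == "__main__":
    for user, stages in correlate(sample_lines()).items():
        print(user, "->", " > ".join(stages))
```

The burst detector is the gate: a remote access tool launch on its own is routine in many environments, but one that follows a mailing-list flood and an unsolicited message from an external tenant is the pattern the article describes. Tune the threshold and windows to your own mail volumes before relying on it.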

Black Basta emerged as an autonomous group from the ashes of Conti in the wake of the [latter's shutdown](https://thehackernews.com/2022/05/conti-ransomware-gang-shut-down-after.html) in 2022, initially leaning on [QakBot](https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html) to infiltrate targets, before diversifying into social engineering techniques. The threat actor, which is also referred to as [UNC4393](https://thehackernews.com/2024/07/vmware-esxi-flaw-exploited-by.html), has since put to use [various bespoke malware families](https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight) to carry out its objectives -

*   KNOTWRAP, a memory-only dropper written in C/C++ that can execute an additional payload in memory
*   KNOTROCK, a .NET-based utility that's used to execute the ransomware
*   DAWNCRY, a memory-only dropper that decrypts an embedded resource into memory with a hard-coded key
*   PORTYARD, a tunneler that establishes a connection to a hard-coded command-and-control (C2) server using a custom binary protocol over TCP
*   COGSCAN, a .NET reconnaissance assembly used to gather a list of hosts available on the network

"Black Basta's evolution in malware dissemination shows a peculiar shift from a purely botnet-reliant approach to a hybrid model that integrates social engineering," RedSense's Yelisey Bohuslavskiy [said](https://redsense.com/publications/evolution-of-blackbasta-malware-dissemination/).


The disclosure comes as Check Point [detailed](https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/) its analysis of an updated Rust variant of the [Akira](https://thehackernews.com/2024/04/akira-ransomware-gang-extorts-42.html) ransomware, highlighting the malware authors' reliance on ready-made boilerplate code associated with third-party libraries and crates like indicatif, rust-crypto, and seahorse.

Ransomware attacks have also employed a variant of the Mimic ransomware called [Elpaco](https://securelist.com/elpaco-ransomware-a-mimic-variant/114635/), while Rhysida infections have used [CleanUpLoader](https://thehackernews.com/2024/06/oyster-backdoor-spreading-via.html) to aid data exfiltration and persistence. CleanUpLoader is often disguised as an installer for popular software, such as Microsoft Teams and Google Chrome.

"By creating typosquatted domains resembling popular software download sites, Rhysida tricks users into downloading infected files," Recorded Future [said](https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware). "This technique is particularly effective when coupled with SEO poisoning, in which these domains are ranked higher in search engine results, making them appear as legitimate download sources."
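Typosquatted download domains of the kind described above can be caught in proxy logs by comparing each visited host against the registrable domains of the software vendors an organization actually uses. The following is an added example written for this page, not Recorded Future's tooling or anything from the Rhysida campaign: the trusted-domain list, the homoglyph table, the edit-distance threshold and the proxy log lines are all constructed or assumed.

```python
"""Lookalike-domain check for typosquatted software download sites.
Added example; trusted domains, thresholds and the proxy log are constructed."""
from urllib.parse import urlsplit

# Assumed allowlist of vendor domains the organization downloads software from.
TRUSTED = {"microsoft.com", "google.com", "anydesk.com", "teamviewer.com"}
MAX_DISTANCE = 2   # assumed: one or two character edits count as a lookalike
# Common visual confusions (assumed, not exhaustive); multi-character keys first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Fold homoglyph sequences so 'rnicrosoft' compares as 'microsoft'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def registrable(host):
    """Last two labels (assumption: no multi-label public suffixes in the sample)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify(host, trusted=TRUSTED, max_distance=MAX_DISTANCE):
    """Return (verdict, matched_trusted_domain); verdict is trusted, lookalike or unknown."""
    reg = registrable(host)
    if reg in trusted:
        return "trusted", reg
    sld = reg.split(".")[0]
    norm_sld = normalize(sld)
    for t in sorted(trusted):
        brand = t.split(".")[0]
        # Brand embedded in another label, e.g. teamviewer-download.com
        if brand in norm_sld:
            return "lookalike", t
        # Close by edit distance, before or after homoglyph folding
        if min(levenshtein(sld, brand), levenshtein(norm_sld, brand)) <= max_distance:
            return "lookalike", t
    return "unknown", None


# Constructed proxy log: timestamp client method url status
SAMPLE_PROXY_LOG = """\
2024-11-20T10:01:02 10.0.0.12 GET https://docs.google.com/ 200
2024-11-20T10:03:15 10.0.0.12 GET https://teamviewer-download.com/setup.exe 200
2024-11-20T10:04:40 10.0.0.17 GET https://rnicrosoft.com/teams/install 200
2024-11-20T10:05:01 10.0.0.17 GET https://example.org/ 200
2024-11-20T10:06:30 10.0.0.21 GET https://anydeks.com/AnyDesk.exe 200
"""


def scan(log_text):
    """Return [(client, host, matched_trusted)] for every lookalike host in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, _, url, _ = line.split()
        host = urlsplit(url).hostname
        verdict, match = classify(host)
        if verdict == "lookalike":
            hits.append((client, host, match))
    return hits


if __name__ == "__main__":
    for client, host, match in scan(SAMPLE_PROXY_LOG):
        print(f"{client} fetched from {host}, resembles {match}")
```

The substring rule catches brand-plus-suffix registrations such as a vendor name followed by "-download", and the edit-distance rule catches transpositions and single-character swaps; the homoglyph fold handles the "rn" for "m" style substitution. Short brand names will produce false positives with the substring rule, so review hits rather than blocking on them automatically, and pair the check with whatever public suffix handling your environment needs.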

