| Attribute | Details |
|---|---|
| Threat Actors | Black Basta (also tracked as UNC4393) |
| Campaign Overview | The Black Basta ransomware group has shifted its social engineering tactics and has been distributing payloads such as Zbot and DarkGate since October 2024. |
| Target Regions | Global; organizations across multiple sectors. |
| Methodology | Social engineering, email bombing, remote access tool deployment, credential theft, and custom malware execution. |
| Product Targeted | User credentials, VPN configuration files, internal networks, compromised hosts. |
| Malware Reference | Zbot (ZLoader), DarkGate, KNOTWRAP, KNOTROCK, DAWNCRY, PORTYARD, COGSCAN |
| Tools Used | AnyDesk, ScreenConnect, TeamViewer, Microsoft Quick Assist, OpenSSH client, custom binary protocol. |
| Vulnerabilities Exploited | Social engineering techniques, compromised remote access tools, stolen VPN configuration files. |
| TTPs | Email bombing, impersonation (Microsoft Teams and IT staff), QR code credential theft, reverse shell deployment, reconnaissance, data exfiltration. |
| Attribution | Black Basta, which emerged after the Conti shutdown in 2022; also known as UNC4393. |
| Recommendations | Implement robust security controls, enforce multi-factor authentication (MFA), deploy endpoint detection and response (EDR) tooling, and train employees to recognize social engineering. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/black-basta-ransomware-evolves-with.html
Disclaimer: The above summary has been generated by an AI language model