Mandiant observed UNC4393, the primary operator of BASTA ransomware, shift from relying on QAKBOT for initial access to developing its own malware and adopting a wider range of attack methods after the QAKBOT takedown.
The group is responsible for over 40 intrusions across multiple industries, including a recent expansion into healthcare, demonstrating adaptability and a growing threat to organizations worldwide.
UNC4393 is the primary actor behind the BASTA ransomware, leveraging QAKBOT infections for initial access. Unlike typical RaaS models, BASTA operates with a highly exclusive affiliate structure, focusing on acquiring access rather than recruiting distributors.
Despite rapid operational tempo and a large victim count, BASTA is attributed to a single, tightly knit group, UNC4393, with a distinct subgroup, UNC3973, demonstrating unique TTPs.
It has been observed that UNC4393 is deploying a complex malware toolset. BASTA, a C++ ransomware, encrypts files and deletes shadow copies, while SYSTEMBC, a C tunneler, acts as a proxy for C2 communication.
KNOTWRAP, a C/C++ memory-only dropper, executes embedded payloads, while KNOTROCK, a .NET utility, creates symbolic links for BASTA to target.
DAWNCRY, a memory-only dropper, deploys a DAVESHELL loader. PORTYARD, a tunneler, establishes a TCP connection between C2 and a relay server. COGSCAN, a .NET reconnaissance tool, gathers network host information.
UNC4393, a financially motivated threat group, has shifted its initial access tactics. Previously relying on phishing to deliver QAKBOT, they’ve recently switched to malvertising campaigns distributing the SILENTNIGHT backdoor, a C/C++ tool with functionalities like credential theft and system control.
After gaining access, the group combines legitimate tooling (DNS beacons) with custom malware (the DAWNCRY dropper leading to the PORTYARD tunneler) to establish persistence, communicate with C2 servers, and ultimately deploy ransomware.
For initial network reconnaissance and privilege escalation, it leverages open-source tools such as BLOODHOUND, ADFIND, and PSNMAP, alongside its custom .NET tool COGSCAN, which gathers system information and enumerates hosts; the collected data and tooling are staged in Public or Windows folders.
UNC4393 relies mainly on SMB BEACON and RDP for lateral movement and favors WMI-based remote execution, notably for the rapid deployment of the BASTA encryptor.
Persistence mechanisms have shifted from RMM tools to SYSTEMBC and now to PORTYARD tunnelers. To bypass antivirus, UNC4393 has abused certutil to download malware such as SILENTNIGHT.
According to Google, the group aggressively exfiltrates data using RCLONE disguised as system utilities to support multi-faceted extortion. BASTA ransomware was initially deployed manually; KNOTROCK was later introduced to automate and accelerate encryption.
Although the group depends on ransomware for revenue, it often abandons an intrusion upon encountering failures, possibly because of resource constraints. This offers no lasting protection, however, as re-targeting of previous victims has been observed.