Black Basta Uses Microsoft Teams to Deliver Ransomware Payloads

Black Basta ransomware operators intensified their social engineering campaign in October 2024. First reported in May 2024, the campaign has evolved continuously since.

Recent changes include the use of Microsoft Teams for lure delivery and new malware payloads. The latest phase of the campaign combines refined social engineering procedures, more capable malware, and improved defense evasion.

The threat actors target users through Microsoft Teams, impersonating IT staff and tricking users into installing remote monitoring and management (RMM) tools or running malicious programs.

A QR code sent by an operator.

Once they gain access, they steal credentials and potentially VPN configurations, then deploy further payloads such as credential harvesters or ransomware. These are often delivered through compromised SharePoint sites, file-sharing platforms, or uploaded directly via the RMM tool.

The attackers keep updating their tactics and tooling, including a custom packer used to obfuscate the malware; versioned payload archives show that they actively iterate on their attack methods.

Using sophisticated social engineering, the threat actors impersonate trusted staff and make urgent requests in order to obtain remote access to the systems they target.

The credential harvesting prompt created by `identity.jar`.

Once access is gained, they deploy a credential harvester such as SafeStore.dll or EventCloud.dll. These components gather system information and prompt the user for a password through a deceptive user interface.

The stolen credentials are written to local files for later retrieval, giving the attackers what they need to compromise the victim's environment further.

Rapid7's report analyzes two malware payloads, Zbot and DarkGate, delivered after the initial credential harvester has run. Zbot injects itself into msedge.exe using process hollowing and stores its configuration data, encrypted, in the registry.

DarkGate displays its version using a debug message box.

DarkGate suppresses its malicious behavior when security products are detected and injects itself into processes such as browsers and msbuild.exe. From there it steals credentials, logs keystrokes, and communicates with its C2 server to receive commands. It can also reinfect the system using AutoIt, AutoHotkey, or DLL payloads.

To reduce exposure to social engineering over Microsoft Teams, organizations should enforce strict external communication controls: block external domains outright or maintain a granular allow list, and block unapproved remote management tools with hash-based rules in Windows AppLocker.

User awareness training should teach staff to recognize and report suspicious requests. To mitigate the risk from low-security VPN providers, organizations can block traffic from such providers at the firewall unless there is a legitimate business need.
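The two technical controls above, Teams external access restrictions and an AppLocker hash deny rule, as an added PowerShell example. This is not code from the article or from Rapid7's report. It assumes the MicrosoftTeams module is installed with an admin session already opened via Connect-MicrosoftTeams, that AppLocker is available on a domain-joined Windows host with the Application Identity service running, and that `partner.example.com` and `C:\Quarantine\unapproved-rmm.exe` are placeholders for a real partner domain and a real unapproved RMM binary.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article or from Rapid7's report.
# Placeholders: 'partner.example.com' and 'C:\Quarantine\unapproved-rmm.exe'.

# --- 1. Teams: only allow listed tenants to message staff ---------------------
# Keep federation on but restrict it to an explicit allow list, and block
# consumer (personal) Teams accounts, which attackers can create at will.
$allowed = New-CsEdgeAllowList -AllowedDomain @(
    New-CsEdgeDomainPattern -Domain 'partner.example.com'   # placeholder domain
)
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowed `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# Read the effective configuration back instead of trusting the write.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound

# --- 2. AppLocker: deny an unapproved RMM binary by hash ---------------------
# AppLocker hashes PE files the Authenticode way, so the value must come from
# Get-AppLockerFileInformation; a plain Get-FileHash SHA256 will not match.
$rmmPath = 'C:\Quarantine\unapproved-rmm.exe'   # placeholder sample path
$hash    = (Get-AppLockerFileInformation -Path $rmmPath).Hash

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FileHashRule Id="$([guid]::NewGuid())"
                  Name="Deny unapproved RMM: $($hash.SourceFileName)"
                  Description="Hash deny rule for an RMM tool not approved by IT"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="$($hash.HashDataString)"
                    SourceFileName="$($hash.SourceFileName)"
                    SourceFileLength="$($hash.SourceFileLength)" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'deny-rmm.xml'
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# Caveat: AppLocker is default-deny once a collection is enforced. Merge this
# rule into a policy that already carries the default allow rules (Windows,
# Program Files); an Exe collection holding only a Deny rule blocks everything.
# Use -Ldap instead of the local policy to push the rule through a GPO.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Confirm the decision for the sample binary before enforcing fleet-wide.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $rmmPath -User Everyone
```

Hash rules are brittle by design: every new build of the RMM tool needs a new rule, so pair them with publisher rules for the tools IT actually approves, and monitor AppLocker event ID 8004 (blocked executable) to catch users who are being walked through an install by a fake help desk.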

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and reporter with Cyber Press, covering cyber security incidents happening in cyberspace.
