<\/p>\n
![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/QBackConnect-thumbnail.png\")
<\/div>\nBlack Basta ransomware attack chain<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n Our Managed XDR team analyzed a case involving a technique similar to the one used by the DarkGate malware<\/a> where the user experienced email flooding before being contacted by external actor posing as IT support or helpdesk. In this sample case, the external email address is admin_52351@brautomacao565[.]onmicrosoft[.]com<\/b><\/i>. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n During the call, the user was persuaded by the attacker to grant him access through the built-in Quick Assist tool. It allows users to share their Windows device remotely, enabling screen viewing, annotations, and full control for troubleshooting. Microsoft has previously published their own analysis<\/a> of how threat actors exploit this by impersonating IT support to gain unauthorized access. This tactic, observed since late last year, has been attributed to Black Basta ransomware<\/a>.<\/p>\n After gaining initial access, the attacker downloaded two different malicious .bpx files from a commercial cloud storage provider. Reports<\/a> have observed how threat actors frequently abuse commercial cloud storage services for malware distribution due to their ease of use, widespread adoption, and the risk of misconfigured or publicly accessible buckets.<\/p>\n The following are the downloaded files from the first case:<\/p>\n Based on our threat intelligence, the attacker concatenates the two .bpx files into \u201cpack.zip\u201d. In this case, the attacker used the command type kb052117-01.bpx kb052123-02.bpx > pack.zip <\/i><\/b>that will concatenate the two .bpx files into a pack.zip, the content of which will be unpacked using Tar. The name of the bpx files varies from case to case. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n The following files were created after the extraction of pack.zip:<\/p>\n The file arch1271.cab<\/i><\/b> was extracted to place those extracted files into the OneDrive folder:<\/p>\n Command: expand “C:\\Users\\<user>\\AppData\\Local\\Temp\\arch1271.cab” -F:* “C:\\Users\\<user>\\AppData\\Local\\Microsoft\\OneDrive”<\/span><\/i><\/p>\n The following files were created\/dropped after the extraction:<\/p>\n The OneDriveStandaloneUpdater.exe process was later launched noninteractively via cmd.exe with the following command-line instruction:<\/p>\n Research<\/a> says that winhttp.dll is a malicious loader that is sideloaded by the Onedrive executable. This loader decrypts the backdoor from a dat file named settingsbackup.dat which is also contained in pack.zip<\/p>\n Contents of pack.zip:<\/p>\n After the update process, several key configuration files were modified by the OneDrive Standalone Updater<\/b>:<\/p>\n We observed OneDrive Standalone Updater connecting to the external IP 38.180.25[.]3<\/i><\/b>, which is flagged as Dangerous and categorized as C&C server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The attacker also added the following registry entry to store their BackConnect IPs:<\/p>\n reg add “HKCU\\SOFTWARE\\TitanPlus” \/v 1 \/t REG_SZ \/d “38.180.25.3A443;45.8.157.199A443;5.181.3.164A443” \/f<\/span><\/i><\/p>\n Based on Trend Micro Threat Intelligence<\/a>, the IPs used in the above registry key are associated with Black Basta, with the IPs classified as C&C servers.<\/p>\n Cactus ransomware attack chain<\/span><\/p>\n The Trend Micro IR team encountered an evolution of the attack chain we detailed earlier. While the initial tactics closely mirrored the campaign, we observed several additional techniques that provide further insight into the adversary\u2019s evolving methods.<\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n The campaign used familiar methods:<\/p>\n Building on the initial foothold, the adversary used advanced lateral movement techniques to expand their presence:<\/p>\n Server Message Block (SMB) and Windows Remote Management (WinRM):<\/b> The attacker utilized SMB via shared folders and used WinRM to remotely execute commands and scripts, allowing them to traverse the network.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n ESXi host compromise:<\/b> Notably, we identified the compromise of ESXi hosts. A binary, socks.out \u2014 believed to be the SystemBC proxy malware \u2014 was deployed. By enabling an SSH session as the root user, they:<\/p>\n This sequence of actions culminated in the execution of the socks.out binary without interference from system protections.<\/p>\n The adversary deployed WinSCP across multiple compromised hosts, suggesting that the tool was distributed to streamline their operations.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Our incident response efforts successfully subverted the attempt to encrypt the victim\u2019s network. However, the sequence of events clearly indicates that encryption was their intended next step. A ransom note was sent via email, with the attackers identifying themselves as the \u201cCactus Group.\u201d<\/p>\n The Black Basta chat log leaks<\/span><\/p>\n On February 11, 2025, a significant leak exposed the internal communications and organizational structure of the Black Basta group. According to the published information, the data was released due to an internal misunderstanding. The group has reportedly targeted Russian banks. The leaked archive contains messages exchanged in Black Basta’s internal chat rooms between September 18, 2023, and September 28, 2024.<\/p>\n Analysis of the messages uncovers a broad spectrum of information, such as phishing templates and their target emails, cryptocurrency addresses, victims’ credentials, and information about gang members. The information was firstly published by PRODAFT.<\/a><\/p>\n While reviewing the leak data we have observed messages indicating that Black Basta operators recognize Trend Micro as a significant obstacle<\/b> and discuss ways to bypass it. Here are their key views:<\/p>\n 1. Trend Micro is a Major Security Challenge<\/b><\/p>\n 2. Testing and Workarounds<\/b><\/p>\n Additionally, some of the key members of Black Basta have left the group to join the Cactus Ransomware operation, as observed in the TTPs overlaps between the two groups. Based on that context, Trend assesses that Cactus will remain highly active, and the experienced members of Basta will carry on their attacks under the Cactus operation. The future of Black Basta is unknown at this moment. It might implode because of the leaks, as was the case with Conti.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Since early October 2024, activity related to the Black Basta ransomware social engineering<\/a> campaign has surged. First reported in May, the campaign has evolved with updated tactics<\/a>, improved malware payloads, and the use of Microsoft Teams for lures.<\/p>\n The attacks start with an email bombing campaign, followed by direct contact via Teams, where the attacker impersonates an IT staff. Victims are tricked into installing remote management tools or executing a remote shell, sometimes bypassing multifactor authentication (MFA) via QR codes. Once granted access, additional malware such DarkGate, and custom payloads are deployed to enumerate the environment, extract credentials, and steal VPN configuration files. <\/p>\n Our intelligence indicates that threat actors are using these tactics, techniques, and procedures (TTP) \u2014 vishing, Quick Assist as a remote tool, and BACKCONNECT \u2014 to deploy Black Basta ransomware.<\/p>\n Since January 2025, our Threat Intelligence teams have observed a likely shift in affiliations among certain threat actors associated with Black Basta. Specifically, there is evidence suggesting that members have transitioned from the Black Basta ransomware group to the Cactus ransomware group. This conclusion is drawn from the analysis of similar tactics, techniques, and procedures (TTPs) being utilized by the Cactus group.”<\/p>\n To mitigate the risk of ransomware and similar attacks, organizations should consider the following key measures:<\/p>\n\n\n\n\n\n
\n\n\n\n\n
\n\n\n
\n
\n
\n\n\n
\n\n\n\n\n
\n
\n
\n
\n
\n
\n
\n\n\n
\n
\n\n\n
“TrendMicro \u043c\u043d\u043e\u0433\u043e \u0433\u0434\u0435 \u0441\u0442\u043e\u0438\u0442, \u043d\u0430\u0434\u043e \u043e\u0431\u0445\u043e\u0434\u0438\u0442\u044c”<\/i> (“Trend Micro is used in many places, we need to bypass it”).<\/span><\/li>\n
“\u043c\u0435\u043b\u043a\u0438\u0439 \u043d\u0435 \u043c\u043e\u0436\u0435\u0442 \u043e\u0431\u0445\u043e\u0434\u0438\u0442\u044c Trend Micro XDR”<\/i> (“Melky can’t bypass Trend Micro XDR”).<\/span><\/li>\n<\/ul>\n\n
“\u0441 \u0442\u0440\u0435\u043d\u0434\u043e\u043c \u0432\u0441\u0435 \u043e\u043a \u043d\u0430 \u0431\u0440\u0443\u0442\u0435 \u0434\u043e\u043b\u0436\u043d\u043e \u0431\u044b\u0442\u044c”<\/i> (“With Trend, everything should be fine on brute”).<\/span><\/li>\n\n\n\n
\n\n