Since October, the Black Basta ransomware operation has used novel social engineering techniques to facilitate Zbot and DarkGate malware deployment in its attacks, The Hacker News reports. After email bombing targeted users, Black Basta impersonates IT staff or support personnel on Microsoft Teams to trick users into downloading AnyDesk, Microsoft Quick Assist, and other legitimate remote access software, according to a Rapid7 analysis. The ransomware gang then exploits that remote access to compromise the system with credential-exfiltrating software before the Zbot and DarkGate infections. "When possible, operators will also still attempt to steal any available VPN configuration files. With the user's credentials, organization VPN information, and potential MFA bypass, it may be possible for them to authenticate directly to the target environment," said Rapid7 researcher Tyler McGraw. Black Basta's evolving attack methods have also been noted in a report from RedSense, which observed "a peculiar shift from a purely botnet-reliant approach to a hybrid model that integrates social engineering."
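For defenders, the sequence described above (mail flood, then an external Teams contact posing as IT support, then a remote access tool launch) can be correlated per user. The sketch below is an added example, not code from Rapid7 or the original report; the normalized event schema, thresholds, keyword list and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds and keywords; tune to your own mail and chat baselines.
BURST_COUNT = 50                       # inbound mails treated as "email bombing"
BURST_WINDOW = timedelta(minutes=30)
FOLLOWUP_WINDOW = timedelta(hours=4)   # max gap between consecutive stages
HELPDESK_WORDS = ("help desk", "helpdesk", "support", "it admin")
REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe"}  # tools named in the article

def find_chains(events):
    """events: dicts in a hypothetical schema (ts, user, type, ...). Returns (user, burst, chat, tool) tuples."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        mails = [e["ts"] for e in evs if e["type"] == "mail_in"]
        # Stage 1: earliest point where BURST_COUNT mails fall inside BURST_WINDOW.
        burst = next((mails[i + BURST_COUNT - 1] for i in range(len(mails) - BURST_COUNT + 1)
                      if mails[i + BURST_COUNT - 1] - mails[i] <= BURST_WINDOW), None)
        if burst is None:
            continue
        # Stage 2: external Teams chat whose display name looks like IT support.
        chat = next((e for e in evs if e["type"] == "teams_chat" and e["external"]
                     and burst <= e["ts"] <= burst + FOLLOWUP_WINDOW
                     and any(w in e["sender_name"].lower() for w in HELPDESK_WORDS)), None)
        if chat is None:
            continue
        # Stage 3: remote access tool started after that chat.
        tool = next((e for e in evs if e["type"] == "process"
                     and e["image"].lower() in REMOTE_TOOLS
                     and chat["ts"] <= e["ts"] <= chat["ts"] + FOLLOWUP_WINDOW), None)
        if tool:
            hits.append((user, burst, chat["ts"], tool["ts"]))
    return hits

def sample_events():
    """Constructed sample data, not real telemetry; bob is a benign control."""
    t0 = datetime(2024, 12, 2, 9, 0)
    ev = [{"ts": t0 + timedelta(seconds=20 * i), "user": "alice", "type": "mail_in"} for i in range(60)]
    ev.append({"ts": t0 + timedelta(minutes=40), "user": "alice", "type": "teams_chat",
               "external": True, "sender_name": "Help Desk Manager"})
    ev.append({"ts": t0 + timedelta(minutes=55), "user": "alice", "type": "process", "image": "AnyDesk.exe"})
    ev.append({"ts": t0, "user": "bob", "type": "teams_chat", "external": False, "sender_name": "IT Support"})
    ev.append({"ts": t0 + timedelta(minutes=5), "user": "bob", "type": "process", "image": "QuickAssist.exe"})
    return ev

if __name__ == "__main__":
    print(find_chains(sample_events()))
```

Requiring all three stages in order keeps routine Quick Assist sessions started by internal staff, such as the `bob` control case, out of the results.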
Ransomware, Email security, Threat Intelligence
New attack techniques leveraged by Black Basta