Surge in Black Basta Ransomware And DarkGate Activity with Strategic Social Engineering Approach
Since early October 2024, Rapid7 reports observing a marked increase in Black Basta ransomware campaigns characterized by social engineering tactics for initial access. These campaigns leverage a combination of phishing and impersonation to trick users into installing Remote Monitoring and Management (RMM) tools. The attackers initiate the intrusion by overwhelming targeted users with a flood of emails, manufacturing an issue to engage the user under the guise of IT support. The adversary, posing as an organization's help desk or IT staff, reaches out via Microsoft Teams with display names such as "Help Desk," "Technical Support," or "Administracion." This tactic exploits user trust to convince them to install RMM tools like AnyDesk, QuickAssist, TeamViewer, Level, or ScreenConnect, providing the attackers with remote access to the compromised machine. Trend Micro corroborates this method, reporting a similar incident where a victim received thousands of emails before being contacted via a Microsoft Teams call and persuaded to install AnyDesk.
A notable insight from Rapid7 suggests the adversary may engage in a handoff of activity, as reported in “one case handled by Rapid7, the operator requested more time — potentially to hand off the access to another member of the group.” Once access is secured via the RMM tool, the attackers focus on post-exploitation tasks, primarily credential harvesting and reconnaissance. According to Rapid7, the adversary's goal "following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials. When possible, operators will also still attempt to steal any available VPN configuration files." Trend Micro's investigation supports this, noting that attackers executed reconnaissance commands like "systeminfo," "route print," and "ipconfig /all" via cmd.exe. The attackers deploy custom credential harvesting tools, previously distributed as the executable "AntiSpam.exe" and now as a DLL named "SafeStore.dll," executed with rundll32.exe. The harvested credentials and system data are saved to the %TEMP% directory as "123.txt." VPN configuration files, if found, are also exfiltrated to aid in lateral movement.
Following credential harvesting, the attackers typically deliver additional payloads such as Zbot (Zloader) or DarkGate to establish persistence and expand their foothold. Both Rapid7 and Trend Micro detail the deployment of DarkGate malware during these campaigns. The loaders execute malicious code and achieve persistence through registry Run keys or scheduled tasks. DarkGate employs process injection techniques, often targeting legitimate processes like msedge.exe or MicrosoftEdgeUpdateCore.exe to evade detection. Trend Micro's analysis reveals the use of AutoIt scripts, specifically AutoIt3.exe, which executes encrypted scripts and monitors for security tools. If security software is detected, the malware adjusts its behavior to avoid detection.
Rapid7 and Trend Micro also note the use of defense evasion techniques, such as custom packers that obfuscate payloads. The packers deliver multiple malware types, including Black Basta ransomware, Cobalt Strike beacons, and multi-threaded Java payloads for PowerShell command execution. Trend Micro reports that AutoIt scripts are used to create persistence mechanisms, such as dropping files in the C:\ProgramData\ directory and modifying registry keys. After the initial payload execution, operators may request additional time, possibly to transfer control to another member of the group.
The final stages of the attack chain culminate in ransomware deployment, with Black Basta being the primary payload. The ransomware encrypts data, disrupts operations, and deletes Windows event logs to hinder forensic analysis. Trend Micro observed that DarkGate's AutoIt scripts maintain persistence by creating log files, monitoring active windows, and deleting registry entries if analysis tools are detected. These overlapping details between Rapid7 and Trend Micro’s findings illustrate a consistent and evolving threat, where attackers employ a combination of social engineering, credential harvesting, and malware deployment to achieve their objectives.
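As an added example that is not part of the Rapid7 or Trend Micro reporting, the following Python applies simple detection rules for several behaviours named in this summary (an RMM tool launched after the Teams contact, the burst of reconnaissance commands run through cmd.exe, SafeStore.dll executed via rundll32.exe, and AutoIt3.exe execution) to a handful of constructed process-creation events. The RMM process image names, file paths and DLL export name are assumptions, not indicators from either report.

```python
from collections import defaultdict
# Constructed sample events: (host, time_s, parent_image, image, command_line).
# Paths, the DLL export name and RMM process names are assumptions, not page IoCs.
EVENTS = [
    ("WS01", 100, "ms-teams.exe", "AnyDesk.exe", "AnyDesk.exe --install"),
    ("WS01", 160, "cmd.exe", "systeminfo.exe", "systeminfo"),
    ("WS01", 161, "cmd.exe", "ROUTE.EXE", "route print"),
    ("WS01", 162, "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ("WS01", 200, "cmd.exe", "rundll32.exe", r"rundll32.exe C:\Users\Public\SafeStore.dll,Start"),
    ("WS01", 240, "rundll32.exe", "AutoIt3.exe", r"AutoIt3.exe C:\ProgramData\update.a3x"),
    ("WS02", 300, "explorer.exe", "cmd.exe", "ipconfig /all"),  # lone benign command
]
RMM_PROCESSES = {"anydesk.exe", "quickassist.exe", "teamviewer.exe", "screenconnect.exe"}
RECON_COMMANDS = {"systeminfo", "route print", "ipconfig /all"}

def rule_hits(event):
    """Per-event rules: RMM launch, SafeStore.dll loaded by rundll32, AutoIt3 execution."""
    _, _, _, image, cmd = event
    image, cmd = image.lower(), cmd.lower()
    hits = []
    if image in RMM_PROCESSES:
        hits.append("rmm_tool_launch")
    if image == "rundll32.exe" and "safestore.dll" in cmd:
        hits.append("safestore_dll_via_rundll32")
    if image == "autoit3.exe":
        hits.append("autoit3_execution")
    return hits

def recon_bursts(events, window=120, min_distinct=3):
    """Hosts running >= min_distinct distinct recon commands from cmd.exe within `window` seconds."""
    per_host = defaultdict(list)
    for host, ts, parent, _, cmd in events:
        if parent.lower() == "cmd.exe" and cmd.lower().strip() in RECON_COMMANDS:
            per_host[host].append((ts, cmd.lower().strip()))
    flagged = {}
    for host, items in per_host.items():
        items.sort()
        for t0, _ in items:  # slide a window starting at each recon command
            seen = {c for t, c in items if t0 <= t <= t0 + window}
            if len(seen) >= min_distinct:
                flagged[host] = sorted(seen)
                break
    return flagged

def analyze(events):
    """Map host -> rule names fired; hosts with no findings are omitted."""
    findings = defaultdict(list)
    for event in events:
        findings[event[0]].extend(rule_hits(event))
    for host, cmds in recon_bursts(events).items():
        findings[host].append("recon_burst:" + ",".join(cmds))
    return {host: hits for host, hits in findings.items() if hits}
```

The burst rule deliberately requires several distinct commands from one cmd.exe parent within a short window, so a single ipconfig run by an administrator (WS02) does not fire.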