SentinelLabs Finds Connection Between Black Basta and FIN7
SentinelLabs researchers investigating activity by the Black Basta ransomware group found a link to the FIN7 threat group based on an overlap in custom tooling. The connection is notable because Black Basta is a private operation: it does not run as a ransomware-as-a-service (RaaS) provider, nor has the group advertised for new recruits. Black Basta has been well established since its emergence in April 2022, and its victim count had already exceeded 90 by September 2022.

The discovery of a custom EDR (endpoint detection and response) tool deployed by Black Basta was notable because it was authored by a FIN7 developer. "Analysis of the tool led us to further samples, one of which was packed with an unknown packer. After unpacking, we identified it as the BIRDDOG backdoor, connecting to a C2 server at 45[.]67[.]229[.]148. BIRDDOG, also known as SocksBot, is a backdoor that has been used in multiple operations by the FIN7 group." Another similarity identified between Black Basta and FIN7 was that samples of Cobalt Strike and SocksBot used the same packer.

Other observations from Black Basta intrusions captured by SentinelOne researchers include the group's preference for delivering LNK files and weaponized documents that exploit the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability, CVE-2022-30190. The first stage of an attack has often relied on Qakbot to infect the host; although that malware performs system reconnaissance for the attackers, the first manual action of a Black Basta operator is to run discovery commands with AdFind. For privilege escalation, Black Basta operators exploit the Zerologon and PrintNightmare vulnerabilities, and they maintain persistence by creating a new user account. In the later stages of the campaign, operators impair defenses by modifying security solutions such as Windows Defender (adding path exclusions) and move laterally with PsExec or the NetSupport remote access software. Typically, a batch script initiates the ransomware encryption.
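The post-compromise chain described above (AdFind discovery, a newly created account for persistence, Windows Defender path exclusions, and PsExec or NetSupport for lateral movement) maps cleanly onto a handful of host log events. The following is an added example of simple detection rules run over a constructed log sample; it is not code from SentinelLabs or from the original article. The log records, their key=value layout, and the event IDs and field names used are assumptions modelled on Windows Security, Sysmon and Defender Operational logging, and the sample content is made up for the example.

```python
"""Toy detection rules for the Black Basta post-compromise behaviours
described above: AdFind discovery, local account creation for persistence,
Windows Defender path exclusions, and PsExec / NetSupport lateral movement.

The log lines below are CONSTRUCTED for this example. They use a key=value
layout with field names modelled on Windows Security, Sysmon and Defender
Operational events; none of the content comes from a real incident.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule tactic line_no evidence")

# Constructed sample: one record per line, space-separated key=value pairs,
# values containing spaces are double-quoted.
SAMPLE_LOG = r'''
EventID=4624 Source=Security User="CORP\jdoe" LogonType=10
EventID=1 Source=Sysmon Image="C:\Users\jdoe\AppData\Local\Temp\adfind.exe" CommandLine="adfind.exe -f objectcategory=computer -csv name cn OperatingSystem"
EventID=4720 Source=Security TargetUserName="svc_backup" SubjectUserName="jdoe"
EventID=5007 Source=Defender Message="HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Temp = 0x0"
EventID=4104 Source=PowerShell ScriptBlockText="Add-MpPreference -ExclusionPath 'C:\Users\Public'"
EventID=7045 Source=System ServiceName="PSEXESVC" ImagePath="%SystemRoot%\PSEXESVC.exe"
EventID=1 Source=Sysmon Image="C:\Program Files (x86)\NetSupport\client32.exe" CommandLine="client32.exe"
EventID=1 Source=Sysmon Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe report.txt"
'''

# key=value with either a double-quoted value or a bare non-space token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one key=value line into a dict (quoted value wins when present)."""
    return {k: (q if q != "" else u) for k, q, u in KV_RE.findall(line)}


def _image_name(rec):
    """Basename of the Image field, lower-cased, or '' when absent."""
    return rec.get("Image", "").rsplit("\\", 1)[-1].lower()


# (rule name, tactic from the article's description, predicate on a record)
RULES = [
    ("adfind_discovery", "Discovery",
     lambda r: r.get("EventID") == "1" and _image_name(r) == "adfind.exe"),
    ("local_account_created", "Persistence",
     lambda r: r.get("EventID") == "4720"),
    ("defender_exclusion_registry", "Defense Evasion",
     lambda r: r.get("EventID") == "5007"
     and "\\Exclusions\\" in r.get("Message", "")),
    ("defender_exclusion_powershell", "Defense Evasion",
     lambda r: r.get("EventID") == "4104"
     and re.search(r"add-mppreference\s+-exclusion",
                   r.get("ScriptBlockText", ""), re.I) is not None),
    ("psexec_service_installed", "Lateral Movement",
     lambda r: r.get("EventID") == "7045"
     and r.get("ServiceName", "").upper() == "PSEXESVC"),
    ("netsupport_client_started", "Lateral Movement",
     lambda r: r.get("EventID") == "1" and _image_name(r) == "client32.exe"),
]


def detect(log_text):
    """Apply every rule to every record; return the matches in log order."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        rec = parse_record(line)
        for name, tactic, pred in RULES:
            if pred(rec):
                findings.append(Finding(name, tactic, line_no, line))
    return findings


def tactics_observed(findings):
    """Ordered, de-duplicated tactics, so a single host's log can be compared
    against the Discovery -> Persistence -> Defense Evasion -> Lateral
    Movement progression described for Black Basta."""
    seen = []
    for f in findings:
        if f.tactic not in seen:
            seen.append(f.tactic)
    return seen


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.rule} [{f.tactic}]")
    print("tactics:", " -> ".join(tactics_observed(hits)))
```

Each rule on its own is noisy (administrators also create accounts and add exclusions); the value is in `tactics_observed`, which shows when several stages of the described chain appear on the same host, which is the point at which an analyst should look at the timeline rather than at individual alerts.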