SOCRadar® Cyber Intelligence Inc. | Black Basta’s Tactical Evolution: Deploying Zbot, DarkGate, and Bespoke Malware
Free Dark Web Report
Is your Domain Exposed? Find Out.
Table Of Content
Home

Resources

Blog
Jan 06, 2025
5 Mins Read

Black Basta’s Tactical Evolution: Deploying Zbot, DarkGate, and Bespoke Malware

In the ever-escalating landscape of cyber threats, Black Basta has emerged as a formidable ransomware group, continually adapting and refining its tactics to breach organizational defenses. This latest campaign underscores their tactical evolution, leveraging advanced social engineering, sophisticated malware payloads like Zbot and DarkGate, and bespoke tools to infiltrate systems and execute devastating attacks.

AI illustration of Black Basta's campaign

AI illustration of Black Basta’s campaign

Through phishing emails, impersonation via Microsoft Teams, and exploitation of remote access tools, Black Basta’s operators have demonstrated a calculated approach to undermining security measures. As the scope of their operations widens, encompassing sectors like healthcare, finance, manufacturing, and national security, organizations must prepare to confront increasingly advanced and targeted attacks.

Key Campaign Details

Black Basta’s campaign begins with a flood of phishing emails designed to overwhelm victims’ inboxes, creating a smokescreen for malicious communications.

Leveraging Microsoft Teams, operators impersonate IT support personnel, adopting display names like “Help Desk” or “Technical Support” to establish trust. Once a connection is established, victims are coerced into installing remote access tools such as AnyDesk, QuickAssist, or TeamViewer. These tools serve as gateways for malware deployment, bypassing traditional security controls.

Black Basta’s Tactical Evolution (Campaigns page on the SOCRadar XTI platform)

Black Basta’s Tactical Evolution (Campaigns page on the SOCRadar XTI platform)

To gain deeper insights into ongoing and past threat campaigns, visit the SOCRadar LABS’ Campaigns page. Here, you’ll find detailed information on the latest cyber threats, attack trends, and malicious activities targeting various industries.

Arsenal of Advanced Malware

The group deploys an array of potent malware to achieve its objectives:

  • Zbot Malware: Known for its credential-stealing capabilities, Zbot is a key component in harvesting sensitive information, enabling lateral movement within the network.
  • DarkGate Malware: This highly evasive malware performs a wide range of malicious activities, from data exfiltration to executing ransomware payloads. With features like process hollowing and encrypted payloads, it effectively evades detection.
  • Custom Tools: Bespoke malware and tailored scripts enhance the attackers’ ability to adapt to specific environments, ensuring their success even against robust defenses.

Defense Evasion Techniques

Black Basta leverages advanced evasion methods to outmaneuver security measures:

  • Obfuscated payloads to prevent static analysis.
  • Use of legitimate platforms like SharePoint for malware distribution.
  • Exploitation of QR codes to bypass multi-factor authentication (MFA)

Sectors and Regions Impacted

Black Basta’s campaign spans multiple sectors, including healthcare, finance, manufacturing, energy, and national security. With their reach extending to organizations globally, the group’s activities pose a universal threat.

Mitigation and Remediation Strategies

To counteract Black Basta’s tactics, organizations must implement a multi-layered security strategy. Below is a detailed table outlining key mitigation and remediation measures for the techniques observed in this campaign:

Technique (ID) Mitigation Remediation
Bypass User Account Control (T1548.002) Enforce strict privilege management policies. Restrict unauthorized elevation using application whitelisting.
Parent PID Spoofing (T1134.004) Monitor anomalous parent-child process relationships. Use endpoint detection tools to flag suspicious behavior.
Account Manipulation (T1098.007) Regularly audit user/group memberships. Alert on unauthorized modifications to accounts or privileges.
Registry Run Keys (T1547.001) Monitor changes in registry and startup folders. Lock down critical registry paths to prevent unauthorized edits.
Phishing Attachments (T1566.001) Implement robust email filtering and attachment scanning. Train employees on recognizing phishing attempts.
DNS Abuse (T1071.004) Monitor DNS traffic for irregularities. Block malicious domains and implement DNS security extensions (DNSSEC)
Credential Harvesting (T1555) Use password managers and enforce strong password policies. Disable plaintext password storage in browsers.
Clipboard Data (T1115) Encrypt sensitive data during processing. Monitor clipboard activity for anomalies.
Process Hollowing (T1055.012) Monitor memory and API calls for unusual activity. Use EDR solutions to detect injected processes.
Keylogging (T1056.001) Deploy anti-keylogging tools and monitor for suspicious keyboard activity. Detect unauthorized access to keylogging threads.

Indicators of Compromise (IOCs)

Below is a list of IP addresses that have been flagged as potential indicators of compromise (IOCs) in relation to Black Basta’s activity. Monitoring these IPs within your network traffic can help identify potential threats and enhance your organization’s security posture.

  • 172.81.60.122
  • 179.60.149.194
  • 185.130.47.96
  • 188.130.206.243
  • 65.87.7.151
  • 88.214.25.32
  • 94.103.85.114
  • 109.172.87.135
  • 109.172.88.38
  • 145.223.116.66
  • 184.174.97.32
  • 185.229.66.224
  • 185.238.169.17
  • 193.29.13.60
  • 212.232.22.140
  • 45.61.152.154
  • 46.8.232.106
  • 46.8.236.61
  • 66.78.40.86
  • 8.209.111.227
  • 8.211.34.166
  • 91.212.166.91
  • 93.185.159.253

Conclusion

Black Basta’s ongoing campaign highlights the escalating sophistication of ransomware operators. Their ability to blend social engineering with advanced malware, coupled with innovative evasion techniques, underscores the critical need for vigilance and robust security measures. By adopting proactive defenses and leveraging tools like SOCRadar, organizations can effectively mitigate risks and protect against the growing ransomware threat.

SOCRadar offers an integrated platform to defend against threats such as Black Basta. Its Cyber Threat Intelligence module tracks malicious actors and their tactics, providing actionable insights for proactive defense. The Digital Risk Protection module detects impersonation attempts, helping to safeguard your brand’s reputation. Meanwhile, Attack Surface Management identifies and secures exposed assets, ensuring vulnerabilities are addressed. Together, these capabilities enable organizations to stay ahead of evolving threats, fortify their defenses, and respond effectively to sophisticated campaigns.

Related Articles
SOCRadar® Cyber Intelligence Inc. | International Operation Targets 8Base and Phobos Ransomware Gangs
International Operation Targets 8Base and Phobos Ransomware Gangs
Feb 11, 2025
SOCRadar® Cyber Intelligence Inc. | Major Cyber Attacks in Review: January 2025
Major Cyber Attacks in Review: January 2025
Feb 10, 2025
SOCRadar® Cyber Intelligence Inc. | Critical Cisco ISE Vulnerabilities Patched: CVE-2025-20124 & CVE-2025-20125
Critical Cisco ISE Vulnerabilities Patched: CVE-2025-20124 & CVE-2025-20125
Feb 06, 2025
SOCRadar® Cyber Intelligence Inc. | CISA Adds Apache OFBiz, Microsoft .NET, and Paessler PRTG Vulnerabilities to the KEV Catalog
CISA Adds Apache OFBiz, Microsoft .NET, and Paessler PRTG Vulnerabilities to the KEV Catalog
Feb 05, 2025
SOCRadar® Cyber Intelligence Inc. | Critical Veeam Vulnerability (CVE-2025-23114) Exposes Backup Servers to Remote Code Execution
Critical Veeam Vulnerability (CVE-2025-23114) Exposes Backup Servers to Remote Code Execution
Feb 05, 2025