URL: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
Crimeware


BLACK BASTA RANSOMWARE | ATTACKS DEPLOY CUSTOM EDR EVASION TOOLS TIED TO FIN7
THREAT ACTOR

Antonio Cocomazzi / November 3, 2022

By Antonio Cocomazzi and Antonio Pirozzi


EXECUTIVE SUMMARY

 * SentinelLabs researchers describe Black Basta operational TTPs in full
   detail, revealing previously unknown tools and techniques.
 * SentinelLabs assesses it is highly likely the Black Basta ransomware
   operation has ties with FIN7.
 * Black Basta maintains and deploys custom tools, including EDR evasion tools.
 * SentinelLabs assess it is likely the developer of these EDR evasion tools is,
   or was, a developer for FIN7.
 * Black Basta attacks use a uniquely obfuscated version of ADFind and exploit
   PrintNightmare, ZeroLogon and NoPac for privilege escalation.


OVERVIEW

Black Basta ransomware emerged in April 2022 and went on a spree breaching over
90 organizations by Sept 2022. The rapidity and volume of attacks prove that the
actors behind Black Basta are well-organized and well-resourced, and yet there
have been no indications of Black Basta attempting to recruit affiliates or
advertising as a RaaS on the usual darknet forums or crimeware marketplaces.
This has led to much speculation about the origin, identity and operation of the
Black Basta ransomware group.

Our research indicates that the individuals behind Black Basta ransomware
develop and maintain their own toolkit and either exclude affiliates or only
collaborate with a limited and trusted set of affiliates, in similar ways to
other 'private' ransomware groups such as Conti, TA505, and Evilcorp.

SentinelLabs' full report provides a detailed analysis of Black Basta's
operational TTPs, including the use of multiple custom tools likely developed
by one or more FIN7 (aka Carbanak) developers. In this post, we summarize the
report's key findings.

Read the Full Report


BLACK BASTAā€™S INITIAL ACCESS ACTIVITY

SentinelLabs began tracking Black Basta operations in early June after noticing
overlaps between ostensibly different cases. Along with other researchers, we
noted that Black Basta infections began with Qakbot delivered by email and
macro-based MS Office documents, ISO+LNK droppers and .docx documents exploiting
the MSDT remote code execution vulnerability, CVE-2022-30190.

One of the interesting initial access vectors we observed was an ISO dropper
shipped as "Report Jul 14 39337.iso" that exploits DLL hijacking in calc.exe.
Once the user clicks on the "Report Jul 14 39337.lnk" inside the ISO dropper, it
runs the command

cmd.exe /q /c calc.exe

triggering the DLL hijacking inside the calc binary and executing a Qakbot DLL,
WindowsCodecs.dll.

Qakbot obtains a persistent foothold in the victim environment by setting a
scheduled task which references a malicious PowerShell script stored in the
registry, acting as a listener and loader.

The powershell.exe process continues to communicate with different servers,
waiting for an operator to send a command to activate the post-exploitation
capability.

When an operator connects to the backdoor, typically hours or days after the
initial infection, a new explorer.exe process is created and process hollowing
is performed to hide malicious activity behind the legitimate process. This
injection operation occurs every time a component of the Qakbot framework is
invoked or for any arbitrary process run manually by the attacker.


ENTER THE BLACK BASTA OPERATOR

Manual reconnaissance is performed when the Black Basta operator connects to the
victim through the Qakbot backdoor.

Reconnaissance utilities used by the operator are staged in a directory with
deceptive names such as "Intel" or "Dell", created in the root drive C:\.

The first step in a Black Basta compromise usually involves executing a uniquely
obfuscated version of the AdFind tool, named AF.exe.

cmd /C C:\intel\AF.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > C:\intel\[REDACTED].csv


This stage also often involves the use of two custom .NET assemblies loaded in
memory to perform various information gathering tasks. These assemblies are not
obfuscated and the main internal class names, "Processess" and
"GetOnlineComputers", provide a good clue to their functions. Black Basta
operators have been observed using SharpHound and BloodHound frameworks for AD
enumeration via LDAP queries. The collector is also run in memory as a .NET
assembly.

For network scanning, Black Basta uses the SoftPerfect network scanner,
netscan.exe. In addition, the WMI service is leveraged to enumerate installed
security solutions.

wmic /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value
wmic /namespace:\\root\SecurityCenter2 PATH AntiSpywareProduct GET /value
wmic /namespace:\\root\SecurityCenter2 PATH FirewallProduct GET /value



BLACK BASTA PRIVILEGE ESCALATION TECHNIQUES

Beyond the reconnaissance stage, Black Basta attempts local and domain level
privilege escalation through a variety of exploits. We have seen the use of
ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287, CVE-2021-42278) and
PrintNightmare (CVE-2021-34527).

There are two versions of the ZeroLogon exploit in use: an obfuscated version
dropped as zero22.exe and a non-obfuscated version dropped as zero.exe. In one
intrusion, we observed the Black Basta operator exploiting the PrintNightmare
vulnerability and dropping spider.dll as the payload. The DLL creates a new
admin user with username "Crackenn" and password "*aaa111Cracke":

Reversed code for spider.dll

The DLL first sets the user and password into a struct (userInfo) then calls the
NetUserAdd Win API to create a user with a never-expiring password. It then adds
the account to the "Administrators" and "Remote Desktop Users" groups. Next,
spider.dll creates the RunTimeListen.exe process, which runs the SystemBC (aka
Coroxy) backdoor, described below.

At this stage, Black Basta operators cover their tracks by deleting the added
user and the DLL planted with the PrintNightmare exploit.


REMOTE ADMIN TOOLS

Black Basta operators have a number of RAT tools in their arsenal.

The threat actor has been observed dropping a self-extracting archive containing
all the files needed to run the Netsupport Manager application, staged in the
C:\temp folder with the name Svvhost.exe. Execution of the file extracts all
installation files into:

C:\Users\[USER]\AppData\Roaming\MSN\


Archive of installation files for Netsupport Manager dropped by Black Basta

The RAT is then executed through a run.bat script.

Content of run.bat script

In other cases, we have observed the usage of Splashtop, GoToAssist, Atera Agent
as well as SystemBC, which has been used by different ransomware operators as a
SOCKS5 TOR proxy for communications, data exfiltration, and the download of
malicious modules.


BLACK BASTA LATERAL MOVEMENT

The Black Basta actor has been seen using different methods for lateral
movement, deploying different batch scripts through psexec towards different
machines in order to automate process and service termination and to impair
defenses. Ransomware has also been deployed to a multitude of machines via
psexec.

In the most recent Black Basta incidents we observed, a batch file named
SERVI.bat was deployed through psexec on all the endpoints of the targeted
infrastructure. This script was deployed by the attacker to kill services and
processes in order to maximize the ransomware impact, delete the shadow copies
and kill certain security solutions.

Partial content of SERVI.bat


IMPAIR DEFENSES

In order to impair the host's defenses prior to dropping the locker payload,
Black Basta targets installed security solutions with specific batch scripts
downloaded into the Windows directory.

In order to disable Windows Defender, the following scripts are executed:

\Windows\ILUg69ql1.bat
\Windows\ILUg69ql2.bat
\Windows\ILUg69ql3.bat


The batch scripts found in different intrusions also appear to have a naming
convention: ILUg69ql followed by a digit.

powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
powershell -ExecutionPolicy Bypass -command "Set-MpPreference -DisableRealtimeMonitoring 1"
powershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defender


According to the official documentation, the DisableAntiSpyware parameter
disables the Windows Defender Antivirus so that another security solution can be
deployed. DisableRealtimeMonitoring disables real-time protection, and
Uninstall-WindowsFeature -Name Windows-Defender then uninstalls Windows
Defender.
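As an added example (not SentinelLabs code), the Python detection logic below matches the three Defender-disabling commands and the ILUg69ql batch naming convention described in this section, together with the SecurityCenter2 WMI enumeration and the AF.exe run from a C:\intel staging directory quoted in the reconnaissance section, against constructed process-creation records; the tab-separated record format, host names and rule names are assumptions, and the three Defender steps are correlated per host because any one of them alone can be legitimate administration.

```python
"""Process-creation detection for the Black Basta command lines quoted in the post.

Added example, not SentinelLabs tooling. Assumptions: telemetry arrives as
constructed tab-separated records 'host<TAB>user<TAB>command line'; real
sources (Sysmon Event ID 1, EDR process events) carry the same fields.
"""
import re
from typing import Dict, List, Set, Tuple

# (rule name, regex over the full command line). Patterns follow the commands
# quoted in the post: the three Defender-disabling PowerShell invocations, the
# ILUg69ql<digit>.bat naming convention, the SecurityCenter2 WMI enumeration
# and the obfuscated AdFind (AF.exe) run from a C:\intel or C:\dell staging dir.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("defender_policy_disableantispyware",
     re.compile(r"New-ItemProperty.*Windows Defender.*DisableAntiSpyware", re.I)),
    ("defender_realtime_monitoring_off",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+(1|\$true)", re.I)),
    ("defender_feature_uninstall",
     re.compile(r"Uninstall-WindowsFeature\s+-Name\s+Windows-Defender", re.I)),
    ("ilug69ql_batch_naming",
     re.compile(r"\\Windows\\ILUg69ql\d\.bat", re.I)),
    ("securitycenter2_product_enum",
     re.compile(r"wmic\s+/namespace:\\\\root\\SecurityCenter2\s+PATH\s+"
                r"(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)", re.I)),
    ("adfind_from_staging_dir",
     re.compile(r"[A-Z]:\\(intel|dell)\\\S+\.exe\s+-f\s+objectcategory=", re.I)),
]

# The three Defender steps seen together on one host form the impairment chain;
# any one of them alone can be legitimate administration (e.g. replacing Defender).
IMPAIRMENT_CHAIN: Set[str] = {
    "defender_policy_disableantispyware",
    "defender_realtime_monitoring_off",
    "defender_feature_uninstall",
}

# Constructed sample telemetry (not real victim data): host, user, command line.
SAMPLE_LOG: List[str] = [
    "WS01\tCORP\\jdoe\tcmd /C C:\\intel\\AF.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > C:\\intel\\hosts.csv",
    "WS01\tCORP\\jdoe\twmic /namespace:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value",
    "SRV02\tNT AUTHORITY\\SYSTEM\tcmd.exe /c C:\\Windows\\ILUg69ql1.bat",
    "SRV02\tNT AUTHORITY\\SYSTEM\tpowershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force\"",
    "SRV02\tNT AUTHORITY\\SYSTEM\tpowershell -ExecutionPolicy Bypass -command \"Set-MpPreference -DisableRealtimeMonitoring 1\"",
    "SRV02\tNT AUTHORITY\\SYSTEM\tpowershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defender",
    # Single step on an admin workstation: fires a rule but not the chain.
    "WS03\tCORP\\admin\tpowershell -command \"Set-MpPreference -DisableRealtimeMonitoring 1\"",
    "WS03\tCORP\\admin\tcalc.exe",
]


def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, cmdline) for each record that trips a rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        host, _user, cmdline = line.rstrip("\n").split("\t", 2)
        for rule in match_rules(cmdline):
            hits.append((host, rule, cmdline))
    return hits


def hosts_with_impairment_chain(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts on which all three Defender-disabling steps were observed."""
    seen: Dict[str, Set[str]] = {}
    for host, rule, _ in hits:
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if IMPAIRMENT_CHAIN <= rules)


if __name__ == "__main__":
    all_hits = scan_log(SAMPLE_LOG)
    for host, rule, cmdline in all_hits:
        print(f"{host:6} {rule:36} {cmdline[:60]}")
    print("impairment chain complete on:", hosts_with_impairment_chain(all_hits))
```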


BLACK BASTA AND THE FIN7 CONNECTION

In multiple Black Basta incidents, the threat actors made use of a custom
defense impairment tool. Analysis showed that this tool was used in incidents
from 3rd June 2022 onwards and found exclusively in Black Basta incidents. Based
on this evidence, we assess it is highly likely that this tool is specific to
the Black Basta group's arsenal.

Our investigation led us to a further custom tool, WindefCheck.exe, an
executable packed with UPX. The unpacked sample is a binary compiled with Visual
Basic. The main functionality is to show a fake Windows Security GUI and tray
icon with a "healthy" system status, even if Windows Defender and other system
functionalities are disabled.

The fake Windows Security GUI WindefCheck.exe

Analysis of the tool led us to further samples, one of which was packed with an
unknown packer. After unpacking, we identified it as the BIRDDOG backdoor,
connecting to a C2 server at 45[.]67[.]229[.]148. BIRDDOG, also known as
SocksBot, is a backdoor that has been used in multiple operations by the FIN7
group.

Further, we note that the IP address 45[.]67[.]229[.]148 is hosted on
"pq.hosting", the bulletproof hosting provider of choice used by FIN7 when
targeting victims.

We discovered further samples on public malware repositories packed with the
same packer but compiled about two months before the BIRDDOG packed sample.
Unpacking one of these samples revealed it to be a Cobalt Strike DNS beacon
connecting to the domain "jardinoks.com".

Comparison of the samples suggests that the packer used for the BIRDDOG backdoor
is an updated version of the packer used for the Cobalt Strike DNS beacon.



Left: Cobalt Strike DNS beacon; Right: BIRDDOG backdoor

We assess it is likely the threat actor developing the impairment tool used by
Black Basta is the same actor with access to the packer source code used in FIN7
operations, thus establishing for the first time a possible connection between
the two groups.


UNCOVERING FURTHER TIES BETWEEN BLACK BASTA AND FIN7

FIN7 is a financially motivated group that has been active since 2012 running
multiple operations targeting various industry sectors. The group is also known
as "Carbanak", the name of the backdoor they used, but there were different
groups that also used the same malware and which are tracked differently.

Initially, FIN7 used POS (Point of Sale) malware to conduct financial fraud.
However, since 2020 they switched to ransomware operations, affiliating with
REvil and Conti and also conducting their own operations: first as Darkside and
later rebranded as BlackMatter.

At this point, it's likely that FIN7 or an affiliate began writing tools from
scratch in order to disassociate their new operations from the old. Based on our
analysis, we believe that the custom impairment tool described above is one such
tool.

Collaboration with other third party researchers provided us with a plethora of
data that further supports our hypothesis. In early 2022, the threat actor
appears to have been conducting detection tests and attack simulations using
various delivery methods for droppers, Cobalt Strike and Meterpreter C2
frameworks, as well as custom tools and plugins. The simulated activity was
observed months later in the wild during attacks against live victims. Analysis
of these simulations also provided us with a few IP addresses which we believe
to be attributed to the threat actor.

The SentinelLabs full report describes these activities in detail.


ATTRIBUTION OF THE THREAT ACTOR: FIN7

We assess it is highly likely the Black Basta ransomware operation has ties with
FIN7. Furthermore, we assess it is likely that the developer(s) behind their
tools to impair victim defenses is, or was, a developer for FIN7.


CONCLUSION

The crimeware ecosystem is constantly expanding, changing, and evolving. FIN7
(or Carbanak) is often credited with innovating in the criminal space, taking
attacks against banks and PoS systems to new heights beyond the schemes of their
peers.

As we clarify the hand behind the elusive Black Basta ransomware operation, we
aren't surprised to see a familiar face behind this ambitious closed-door
operation. While there are many new faces and diverse threats in the ransomware
and double extortion space, we expect to see the existing professional criminal
outfits putting their own spin on maximizing illicit profits in new ways.

Read the Full Report

ANTONIO COCOMAZZI

Antonio Cocomazzi is a Senior Threat Intelligence Researcher at SentinelOne with
a particular interest in malware analysis. His research focuses on discovering
vulnerabilities and digging into Windows OS internals. Antonio enjoys reversing
any kind of binaries from packed malware to Windows internal components. He
likes playing online CTF and writing offensive tools and security research on
his GitHub channel, mostly based on Windows OS. Antonio has presented previously
at conferences such as Black Hat, Hack In The Box and RomHack.
