Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4
The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks.
The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week.
According to Trend Micro, the ZIP file in the email contains an ISO file, which, in turn, includes a LNK file that fetches the Qakbot payload, illustrating attempts on the part of threat actors to adapt their tactics in the aftermath of Microsoft's decision to block macros by default for documents downloaded from the web.
The Qakbot infection is succeeded by the retrieval of Brute Ratel and Cobalt Strike, but not before performing automated reconnaissance through built-in command line tools such as arp, ipconfig, nslookup, netstat, and whoami.
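A burst of built-in discovery commands like the one described above is a practical detection opportunity. The following is an added Python example (not code from the article or the Trend Micro analysis): it slides a time window over constructed process-creation events and flags a host where a single parent process launches several of the listed discovery tools in quick succession. The event format, hostnames, and parent process names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in discovery tools named in the analysis summarized above.
RECON_TOOLS = {"arp.exe", "ipconfig.exe", "nslookup.exe", "netstat.exe", "whoami.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry,
# and the parent process names are assumptions for illustration only.
SAMPLE_EVENTS = [
    {"time": "2022-10-03T09:14:02", "host": "WS-17", "parent": "rundll32.exe", "image": "whoami.exe"},
    {"time": "2022-10-03T09:14:05", "host": "WS-17", "parent": "rundll32.exe", "image": "ipconfig.exe"},
    {"time": "2022-10-03T09:14:09", "host": "WS-17", "parent": "rundll32.exe", "image": "arp.exe"},
    {"time": "2022-10-03T09:14:14", "host": "WS-17", "parent": "rundll32.exe", "image": "netstat.exe"},
    {"time": "2022-10-03T09:14:20", "host": "WS-17", "parent": "rundll32.exe", "image": "nslookup.exe"},
    # Benign noise: an admin running two tools from a shell, hours apart.
    {"time": "2022-10-03T08:00:00", "host": "WS-22", "parent": "cmd.exe", "image": "ipconfig.exe"},
    {"time": "2022-10-03T11:30:00", "host": "WS-22", "parent": "cmd.exe", "image": "whoami.exe"},
]

def detect_recon_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Return one alert per (host, parent) that ran at least `min_distinct`
    distinct discovery tools within `window`, using a sliding time window."""
    by_key = defaultdict(list)
    for e in events:
        image = e["image"].lower()
        if image in RECON_TOOLS:
            key = (e["host"], e["parent"].lower())
            by_key[key].append((datetime.fromisoformat(e["time"]), image))
    alerts = []
    for (host, parent), runs in by_key.items():
        runs.sort()  # order by timestamp so the window can slide forward
        start = 0
        for end in range(len(runs)):
            while runs[end][0] - runs[start][0] > window:
                start += 1  # drop events that fell out of the window
            tools = {img for _, img in runs[start:end + 1]}
            if len(tools) >= min_distinct:
                alerts.append({"host": host, "parent": parent,
                               "first_seen": runs[start][0].isoformat(),
                               "tools": sorted(tools)})
                break  # one alert per host/parent pair is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

Tune `window` and `min_distinct` to the environment; the benign WS-22 activity is not flagged because its two commands are hours apart.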
In another Qakbot execution chain spotted by the cybersecurity company, the ZIP file is delivered through an increasingly popular method called HTML smuggling, resulting in the execution of Brute Ratel C4 as the second-stage payload.
Qakbot is far from the only access-as-a-service malware that is increasingly being distributed via ISO and other file formats to get around macro restrictions: Emotet, IcedID, and Bumblebee campaigns have all followed similar trajectories.
News URL
https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html