Security News > 2022 > November > Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers

A new analysis of tools put to use by the Black Basta ransomware operation has identified ties between the threat actor and the FIN7 group.

This link "Could suggest either that Black Basta and FIN7 maintain a special relationship or that one or more individuals belong to both groups," cybersecurity firm SentinelOne said in a technical write-up shared with The Hacker News.

This has raised the possibility that the Black Basta developers either cut out affiliates from the chain and deploy the ransomware through their own custom toolset or alternatively work with a close set of affiliates without the need to market their warez.

Attack chains involving Black Basta are known to leverage QBot, which, in turn, is delivered by means of phishing emails containing macro-based Microsoft Office documents, with newer infections taking advantage of ISO images and LNK droppers to get around Microsoft's decision to block macros in files downloaded from the web by default.

Once Qakbot obtains a persistent foothold in the target environment, the Black Basta operator enters the scene to conduct reconnaissance by connecting to the victim through the backdoor, followed by exploiting known vulnerabilities to escalate privileges.

The findings come weeks after the Black Basta actor was observed using the Qakbot trojan to deploy Cobalt Strike and Brute Ratel C4 frameworks as a second-stage payload in recent attacks.

News URL

https://thehackernews.com/2022/11/researchers-find-links-bw-black-basta.html