To gain initial access to corporate environments, the Black Basta ransomware group has partnered with QBot (also tracked as QakBot). QBot is known for harvesting bank and Windows domain credentials and for dropping additional payloads.
Researchers at NCC Group documented the ongoing relationship between the QBot and Black Basta operators during a recent incident response engagement, and also identified several novel TTPs used in the attack.
Although QBot is more commonly used for initial access, Black Basta used it to move laterally within the victim's network.
To do so, the malware creates a temporary service on the remote host and configures it to launch the QBot DLL with regsvr32[.]exe.
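A hunt for the temporary-service trick above, added here as an example for this page (it is not NCC Group's tooling and not code from the article): it reads System-log event 7045 ("A service was installed in the system") records in the XML shape that EventLogRecord.ToXml() produces and flags any service whose ImagePath launches regsvr32 on a DLL, raising the severity when the DLL sits in a user-writable directory or on a network share. The sample events, host names, service names and paths are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (what EventLogRecord.ToXml() emits).
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample System-log 7045 records. Hosts, service names and paths
# are invented for this example; they are not telemetry from the incident.
SAMPLE_7045_EVENTS = [
    # 1: QBot-style throwaway service, regsvr32 loading a DLL from ProgramData
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7045</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="ServiceName">gmkwdcfw</Data>
    <Data Name="ImagePath">regsvr32.exe /s C:\ProgramData\upd\loader.dll</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>""",
    # 2: same trick wrapped in cmd.exe, DLL pulled from a file share
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7045</EventID><Computer>WS02.corp.example</Computer></System>
  <EventData>
    <Data Name="ServiceName">xkqptrmv</Data>
    <Data Name="ImagePath">C:\Windows\System32\cmd.exe /c C:\Windows\System32\regsvr32.exe /s \\FS01\public\svc.dll</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>""",
    # 3: benign service install, must not be flagged
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7045</EventID><Computer>WS03.corp.example</Computer></System>
  <EventData>
    <Data Name="ServiceName">AcmeUpdate</Data>
    <Data Name="ImagePath">"C:\Program Files\Acme\AcmeUpdate.exe" /service</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>""",
    # 4: regsvr32 as a service image, but the DLL sits under Program Files
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7045</EventID><Computer>WS04.corp.example</Computer></System>
  <EventData>
    <Data Name="ServiceName">AcmePluginReg</Data>
    <Data Name="ImagePath">"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Acme\acmeplugin.dll"</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>""",
]

# regsvr32 at the start of the path, after a backslash, whitespace or a quote.
REGSVR32_RE = re.compile(r'(?:^|[\\\s"])regsvr32(?:\.exe)?\b', re.IGNORECASE)
# Quoted path (may contain spaces) or unquoted local/UNC path ending in .dll.
DLL_RE = re.compile(r'"((?:[A-Za-z]:\\|\\\\)[^"]+?\.dll)"|((?:[A-Za-z]:\\|\\\\)[^"\s]+?\.dll)', re.IGNORECASE)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


def parse_7045(xml_text):
    """Flatten one 7045 event's XML into a dict of its EventData fields."""
    root = ET.fromstring(xml_text)
    rec = {"Computer": root.findtext("e:System/e:Computer", default="", namespaces=EVT_NS)}
    for d in root.findall("e:EventData/e:Data", EVT_NS):
        rec[d.get("Name")] = (d.text or "").strip()
    return rec


def assess(rec):
    """Return a finding dict if the service image launches regsvr32, else None."""
    path = rec.get("ImagePath", "")
    if not REGSVR32_RE.search(path):
        return None
    reasons = ["service ImagePath runs regsvr32 rather than a service binary"]
    m = DLL_RE.search(path)
    dll = (m.group(1) or m.group(2)) if m else ""
    if dll.lower().startswith(USER_WRITABLE):
        reasons.append("DLL sits in a user-writable directory")
    elif dll.startswith("\\\\"):
        reasons.append("DLL is loaded from a network share")
    return {
        "computer": rec.get("Computer", ""),
        "service": rec.get("ServiceName", ""),
        "dll": dll,
        "severity": "high" if len(reasons) >= 2 else "medium",
        "reasons": reasons,
    }


def hunt(events):
    """Run assess() over a batch of 7045 event XML strings and collect findings."""
    findings = []
    for xml_text in events:
        finding = assess(parse_7045(xml_text))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_7045_EVENTS):
        print(f"{f['severity'].upper():6} {f['computer']} svc={f['service']} dll={f['dll']}")
        for r in f["reasons"]:
            print("       -", r)
```

On a live host the same records come from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} | ForEach-Object { $_.ToXml() }`. The pattern is worth alerting on whatever the DLL's location: regsvr32 is not a service executable, so the service start typically times out (System events 7009 and 7000 for the same service name follow), and because the service is temporary, the 7045 record may be the only durable trace of the lateral movement.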
Getting away with it
To avoid detection and reduce the chance that the encryption process is interrupted, the attackers disable Windows Defender.
They do this with PowerShell commands run on a compromised Domain Controller that create a Group Policy Object (GPO) whose Windows Registry settings, once applied to domain-joined hosts, turn Defender off.
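The GPO-based Defender shutdown above leaves a durable artefact: a Group Policy's registry settings are stored in that policy's Registry.pol file under SYSVOL on the Domain Controllers, in the MS-GPREG "PReg" format. The following Python is an added example written for this page (not code from NCC Group or the article): it parses that format and flags entries that set well-known Defender kill-switch policy values to 1. The sample policy, the specific value names checked and the scan_sysvol helper are this example's assumptions, not details the article states.

```python
import struct
from pathlib import Path

REG_SZ, REG_DWORD = 1, 4
U16 = "utf-16-le"
OPEN, SEP, CLOSE = "[".encode(U16), ";".encode(U16), "]".encode(U16)

# Defender policy values that switch protection off when set to 1. These are
# the documented Defender policy registry locations (HKLM is implied for
# Machine policy); which of them Black Basta set is this example's assumption.
DEFENDER_KILL_VALUES = {
    (r"software\policies\microsoft\windows defender", "disableantispyware"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disablerealtimemonitoring"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disablebehaviormonitoring"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disableioavprotection"),
}


def build_registry_pol(entries):
    """Serialise (key, value_name, type, data) tuples into the Registry.pol
    layout: 'PReg' + version 1, then [key;value;type;size;data] records with
    null-terminated UTF-16LE strings. Used here only to construct a sample."""
    def nstring(s):
        return s.encode(U16) + b"\x00\x00"
    out = b"PReg" + struct.pack("<I", 1)
    for key, value, rtype, data in entries:
        out += (OPEN + nstring(key) + SEP + nstring(value) + SEP
                + struct.pack("<I", rtype) + SEP
                + struct.pack("<I", len(data)) + SEP + data + CLOSE)
    return out


def _read_nstring(blob, pos):
    """Read a null-terminated UTF-16LE string starting at an even offset."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string in Registry.pol")
    return blob[pos:end].decode(U16), end + 2


def _expect(blob, pos, token):
    if blob[pos:pos + len(token)] != token:
        raise ValueError(f"malformed Registry.pol at offset {pos}")
    return pos + len(token)


def parse_registry_pol(blob):
    """Parse a Registry.pol body into a list of {key, value, type, data} dicts."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a Registry.pol version 1 file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, OPEN)
        key, pos = _read_nstring(blob, pos)
        pos = _expect(blob, pos, SEP)
        value, pos = _read_nstring(blob, pos)
        pos = _expect(blob, pos, SEP)
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, CLOSE)
        entries.append({"key": key, "value": value, "type": rtype, "data": data})
    return entries


def find_defender_kill_entries(entries):
    """Return 'key\\value' strings for entries that set a Defender kill switch to 1."""
    hits = []
    for e in entries:
        if (e["key"].lower(), e["value"].lower()) not in DEFENDER_KILL_VALUES:
            continue
        if e["type"] == REG_DWORD and len(e["data"]) == 4 and struct.unpack("<I", e["data"])[0] == 1:
            hits.append(f"{e['key']}\\{e['value']}")
    return hits


def scan_sysvol(root):
    """Walk a SYSVOL copy (Policies/{GUID}/Machine/Registry.pol) and report hits per GPO."""
    report = {}
    for pol in Path(root).glob("**/Machine/Registry.pol"):
        hits = find_defender_kill_entries(parse_registry_pol(pol.read_bytes()))
        if hits:
            report[str(pol)] = hits
    return report


# Constructed sample GPO: two Defender kill switches, a benign Windows Update
# setting, and a Defender path exclusion (REG_SZ) that the parser must handle
# but the check must not flag.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", REG_DWORD, struct.pack("<I", 0)),
    (r"Software\Policies\Microsoft\Windows Defender\Exclusions\Paths", r"C:\ProgramData\upd", REG_SZ, "0".encode(U16) + b"\x00\x00"),
]

if __name__ == "__main__":
    for hit in find_defender_kill_entries(parse_registry_pol(build_registry_pol(SAMPLE_ENTRIES))):
        print("Defender kill switch set by policy:", hit)
```

The value names are compared case-insensitively because registry paths are case-insensitive; a policy that writes DisableAntiSpyware=0 is deliberately not flagged, since that re-enables protection. Pulling the Registry.pol files from every Domain Controller (SYSVOL replicates, so a GPO created on the compromised one appears on all of them) and running scan_sysvol over the copy finds the offending GPO by GUID.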
The collaboration between Black Basta and QBot appears to be paying off. QBot is still being distributed through malicious emails, so users should be cautious when opening files from unknown senders, and organisations should consider subscribing to a threat intelligence service to keep up with these TTPs.