Black Basta - An Analysis Of Their Methods And Malware
by: Alex Oudenaarden, Noël Keijzer & Patrick van Looy
Intro
Recently our CERT observed an increase in ransomware attacks using the Black Basta ransomware. We received the first notifications of victims from this ransomware group towards the end of April, which seems to be in line with when mentions of the malware first appeared on Twitter. In this blog, we combine the knowledge gained from research on the samples we encountered and those uploaded publicly to disseminate knowledge on this emerging threat actor.
Methods
In this section, we describe the methods used by the Black Basta threat actors using the IN-THROUGH-OUT framework we introduced in our earlier blogs. We show how the threat actors obtained access to networks and highlight their techniques for reconnaissance and lateral movement. Furthermore, we explain how they exfiltrated data and rolled out ransomware within the networks.
IN
In the cases we observed, the ransomware group obtained access to the victim's network through a phishing campaign. When victims opened the attachment of the phishing email, a malicious Excel document containing macros dropped the Qbot (also known as Qakbot) malware. For more information on Qbot campaigns, see our previous blog on the subject.
THROUGH
After obtaining initial access, the threat actor typically performs reconnaissance of the environment using AdFind. As an alternative to AdFind, the threat actor uses a PowerShell script for the reconnaissance. This script (see below) creates a CSV file listing all workstations in Active Directory, with the system name, operating system, AD description, last logon time, IPv4 address, the managed-by (ManagedBy) information of the workstation, and the primary group of the workstation.
ppp.ps1:

```powershell
$so = New-Object System.DirectoryServices.DirectorySearcher
$so.filter = "(&(samAccountType=805306369))"
$so.FindAll() |
  Select -Property @{N='Name'; E={$_.properties.samaccountname}},
                   @{N='OS'; E={$_.properties.operatingsystem}},
                   @{N='Descr'; E={$_.properties.description}},
                   @{N='LastTime'; E={[datetime]::FromFileTime($_.properties.lastlogontimestamp -as [string]).ToString('yyyy-MM-dd HH:mm')}},
                   @{N='IP'; E={$_.properties.ipv4address}},
                   @{N='ManagedBy'; E={$_.properties.managedby}},
                   @{N='primarygroup'; E={$_.properties.primarygroup}} |
  Export-csv ccccOUT.csv -encoding utf8
```
OUT
After obtaining complete control over the environment, the threat actor uses Rclone to exfiltrate sensitive data from the victim's network to one of its private servers located in Russia. Subsequently, the threat actor disables the antivirus solutions on systems in the network, using either batch scripts deployed via WMI or a group policy. Northwave identified two batch scripts used by the threat actor. We observed the first batch script in multiple attacks; it sets the Windows Defender DisableAntiSpyware policy, disables real-time monitoring and uninstalls the Windows Defender feature, as shown below.
ILUg69sql.bat:

```batch
powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
powershell -ExecutionPolicy Bypass -command "Set-MpPreference -DisableRealtimeMonitoring 1"
powershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defender
```

Northwave identified a second batch file in one case, where the threat actor used it to disable Symantec Endpoint Protection on systems in the network.

smujEqe27H.bat:

```batch
start smc -stop
```

Lastly, the threat actor uses WMI to deploy ransomware within the network. Simultaneously, the threat actor connects to the ESXi hosts of the victim over SSH and starts encryption on the hypervisor level as well, as shown below.
After starting encryption on the hypervisor level, the threat actor returns several times throughout the night to ensure that the encryption runs appropriately, as seen below.
Ransomware
In every ransomware attack, the final stage involves encrypting the actual data of the victim. Hence, the threat actors eventually drop a binary containing the ransomware in the victim's environment. Interestingly, for Black Basta we observed three different builds of the ransomware used within a timeframe of approximately three weeks. The first build contains extended evasion functionality. The second attempts to fold many of the methods described above into a single command-line argument (-bomb). The third, minimal build possesses only the core encryption functionality. We describe the three builds in more detail in the sections below.
Evasion Build
What sets this build apart is its inclusion of a novel detection evasion method and its requirement to run as an administrator. In addition, this build comes packed with code that allows it to act both as a standard executable and as a service, essentially functioning as its own service installer. It does this by opening a handle to the "Fax" service and calling ControlService() with the SERVICE_CONTROL_STOP command on it. After waiting for the service to stop, it uses the GetServiceDisplayName API to obtain the display name of the opened service and saves it for later use.
NOTE: The name for the service to impersonate is generated separately from the function that does the impersonating. This might imply that the string is set as part of a configuration and could see a change in future releases.
After stopping the service and taking its name, it deletes the service and creates a new one with the same name in its place. Only this time, the executable linked to the service is the ransomware binary itself (see below). After registering the ransomware binary with the service manager, it starts preparing the system for a reboot in safe boot mode, probably to evade certain antivirus products. Before preparing the reboot, it makes sure the service is allowed to start in safe boot mode by setting the required registry key itself. It then enables booting in safe boot mode with networking using one of the following commands:
- C:\Windows\SysNative\bcdedit.exe /set safeboot network
- C:\Windows\System32\bcdedit.exe /set safeboot network
- bcdedit /set safeboot network
After that, the malware reboots the PC by issuing the shell command "/C shutdown -r -f -t 0". When the computer comes back up, it boots in safe boot mode. During the boot sequence, the service manager starts the services set to start automatically, including the ransomware service, and calls their ServiceMain function. In the case of the ransomware, this function contains the core ransomware functionality, which we cover later.
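As an added example (not code from the article or from Northwave's tooling), the following Python correlates the service-hijack chain described above across constructed Windows event records: a service stopped (System event 7036) and re-registered under the same display name (System event 7045) from a binary outside System32, followed by an entry under the SafeBoot\Network registry key, the bcdedit safe-boot command and the forced reboot. Hostnames, timestamps, the image path C:\Users\Public\enc.exe and the 600-second window are assumptions; the article says a registry key is set but does not name it, so treating the SafeBoot\Network key as that key is also our assumption.

```python
import re
from collections import defaultdict

WINDOW = 600  # seconds allowed between chain stages; an assumption for this example

# Services listed under this key may start in Safe Mode with Networking. The article
# says the build sets "the required registry key"; we assume it is an entry here.
SAFEBOOT_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\"

# Constructed events modelled on System 7036/7045, Sysmon 13 (registry value set)
# and Sysmon 1 (process creation). Hosts, times and the image path are made up.
EVENTS = [
    {"t": 0, "host": "SRV-02", "kind": "service_stopped", "service": "Fax", "display": "Fax"},
    {"t": 5, "host": "SRV-02", "kind": "service_installed", "service": "Fax", "display": "Fax",
     "image": "C:\\Users\\Public\\enc.exe"},
    {"t": 6, "host": "SRV-02", "kind": "registry_set", "key": SAFEBOOT_KEY + "Fax"},
    {"t": 7, "host": "SRV-02", "kind": "process", "text": "C:\\Windows\\SysNative\\bcdedit.exe /set safeboot network"},
    {"t": 8, "host": "SRV-02", "kind": "process", "text": "cmd.exe /C shutdown -r -f -t 0"},
    # Benign: a vendor agent installed without a prior stop of a same-named service.
    {"t": 100, "host": "WS-04", "kind": "service_installed", "service": "VendorAgent",
     "display": "Vendor Agent", "image": "C:\\Program Files\\Vendor\\agent.exe"},
    # Benign: Fax stopped and started again without being re-registered.
    {"t": 200, "host": "WS-05", "kind": "service_stopped", "service": "Fax", "display": "Fax"},
    {"t": 260, "host": "WS-05", "kind": "service_started", "service": "Fax", "display": "Fax"},
]


def correlate(events, window=WINDOW):
    """Find service registrations that reuse the display name of a service stopped
    shortly before on the same host, then collect the safe-boot and reboot stages
    that follow within the window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        last_stopped = {}  # display name (lower-cased) -> time of the stop event
        for i, ev in enumerate(evs):
            if ev["kind"] == "service_stopped":
                last_stopped[ev["display"].lower()] = ev["t"]
                continue
            if ev["kind"] != "service_installed":
                continue
            t_stop = last_stopped.get(ev["display"].lower())
            if t_stop is None or ev["t"] - t_stop > window:
                continue
            stages = ["service_name_reused"]
            if not ev["image"].lower().startswith("c:\\windows\\system32\\"):
                stages.append("image_outside_system32")
            for later in evs[i + 1:]:
                if later["t"] - ev["t"] > window:
                    break
                if later["kind"] == "registry_set" and \
                        later["key"].lower() == (SAFEBOOT_KEY + ev["service"]).lower():
                    stages.append("safeboot_allowlisted")
                elif later["kind"] == "process" and \
                        re.search(r"bcdedit.*\bsafeboot\s+network\b", later["text"], re.I):
                    stages.append("safeboot_enabled")
                elif later["kind"] == "process" and \
                        re.search(r"\bshutdown\s+-r\s+-f\b", later["text"], re.I):
                    stages.append("forced_reboot")
            findings.append({"host": host, "service": ev["service"],
                             "image": ev["image"], "stages": stages})
    return findings


def is_safeboot_hijack(finding):
    """The chain is confirmed once the reused service is also allow-listed for safe boot."""
    return "service_name_reused" in finding["stages"] and "safeboot_allowlisted" in finding["stages"]


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["host"], f["service"], f["image"], f["stages"], is_safeboot_hijack(f))
```

The benign records show why the correlation, rather than any single event, carries the signal: stopping Fax, or installing a new service, happens routinely; a new service taking the display name of one stopped minutes earlier and then being added to the safe-boot allow list does not.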
Automation Build
This is the most commonly seen build. It takes a much more straightforward approach to evasion, relying on a packer that scans for signs of dynamic analysis tooling to evade capture. In addition, it attempts to automate some of the steps of the network-wide distribution of the ransomware. Of all the samples we analysed, this was the only one to come with a packer. The packer takes three steps before activating the ransomware:
- A very extensive (20+ checks) anti-analysis check
- The loading and decrypting of a base64 encoded payload
- The injecting of the payload
The injection step creates a new process using itself as the target executable and injects the decrypted ransomware payload into it. During analysis it became apparent that there are many similarities between the packer's functionality and the techniques described in a 2014 Black Hat paper. The threat actor may therefore have taken the code from, or reimplemented the techniques described in, this paper.
NOTE: One interesting side effect of this packer is that the command line passes a particular string ("OMC_BC") to the new process. Perhaps the developers were unaware of this.
Another feature this build has over the minimal build is command-line argument handling. Most likely implemented using a command-line argument parser library, it checks robustly for two arguments: -forcepath and -bomb. The first iterations of the medium (automation) build that we observed only supported the -forcepath argument, but recently we have been seeing a new, not yet publicly documented parameter: -bomb. While we have not seen the threat actor use it in practice, in theory it allows them to run the ransomware on all domain-connected workstations by running the ransomware binary only once. Hence, this new functionality automates some essential steps the threat actor used to execute manually, as described in the Methods section above.

The automatic ransomware distribution is accomplished by connecting to the AD using the Windows LDAP API and iterating over all workstations using the filter string (samAccountType=805306369).

With this list of workstations, it attempts to copy itself to C:\Windows\tmp.exe on each remote machine via the administrative share (\\<host>\c$\Windows\tmp.exe). Afterwards, it uses a COM object, again one familiar from Conti: IWbemClassObject (CLSID: 4590F812-1D3A-11D0-891F-00AA004B2E24). Using the Win32_Process object obtained from the IWbemServices interface, it sets up command-line parameters for a call to the Create method to execute the previously copied executable (c:\Windows\tmp.exe).
Minimal build
The minimal build comprises only the fundamentals needed to carry out the ransomware attack. While the evasion and automation builds extend this build with new functionality, this build makes zero effort to employ fancy techniques or hide anything. The only functionality present in this binary, besides the encryption loop itself, is associating an .ico file with the .basta file extension and changing the desktop wallpaper. Additionally, it attempts to delete the shadow copies using the following command:
- C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
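Added example, not code from the article: the following Python turns the commands quoted in the Methods section (the ppp.ps1 LDAP filter and the two batch files) and in the Ransomware section (the bcdedit safe-boot command, the forced reboot, the WMI-spawned C:\Windows\tmp.exe and the vssadmin command) into single-event detection rules and runs them over constructed Sysmon process-creation and PowerShell script-block records. Hostnames, parent process names and the benign records are made up. The renamed Rclone binary (sv.exe) is deliberately not covered, since a file name alone is too weak to match on.

```python
import re
from collections import defaultdict

# Constructed telemetry modelled on the commands quoted in this article:
# Sysmon Event ID 1 (process creation) and PowerShell Event ID 4104 (script block).
# Hosts, parents and the benign entries are made up for the example.
EVENTS = [
    {"host": "WS-01", "kind": "scriptblock", "parent": "",
     "text": '$so = New-Object System.DirectoryServices.DirectorySearcher; '
             '$so.filter = "(&(samAccountType=805306369))"; $so.FindAll() '
             '| Export-csv ccccOUT.csv -encoding utf8'},
    {"host": "WS-01", "kind": "process", "parent": "cmd.exe",
     "text": 'powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path '
             "'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' "
             '-Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"'},
    {"host": "WS-01", "kind": "process", "parent": "cmd.exe",
     "text": 'powershell -ExecutionPolicy Bypass -command "Set-MpPreference -DisableRealtimeMonitoring 1"'},
    {"host": "WS-01", "kind": "process", "parent": "cmd.exe",
     "text": "powershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defender"},
    {"host": "SRV-02", "kind": "process", "parent": "cmd.exe", "text": "smc -stop"},
    {"host": "SRV-02", "kind": "process", "parent": "enc.exe",
     "text": "C:\\Windows\\SysNative\\bcdedit.exe /set safeboot network"},
    {"host": "SRV-02", "kind": "process", "parent": "enc.exe", "text": "cmd.exe /C shutdown -r -f -t 0"},
    {"host": "WS-03", "kind": "process", "parent": "WmiPrvSE.exe", "text": "C:\\Windows\\tmp.exe"},
    {"host": "WS-03", "kind": "process", "parent": "tmp.exe",
     "text": "C:\\Windows\\SysNative\\vssadmin.exe delete shadows /all /quiet"},
    # Benign noise that must not fire.
    {"host": "WS-04", "kind": "process", "parent": "explorer.exe", "text": "powershell.exe -Command Get-Date"},
    {"host": "WS-04", "kind": "process", "parent": "services.exe", "text": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]


def _rx(pattern):
    """Build a case-insensitive predicate over the event's command line or script text."""
    rx = re.compile(pattern, re.I)
    return lambda ev: rx.search(ev["text"]) is not None


RULES = [
    # The LDAP filter used by ppp.ps1 and by the -bomb build. Admin tooling uses it
    # too, so on its own it is a lead, not a verdict.
    ("ad_workstation_enumeration", _rx(r"samAccountType=805306369")),
    ("defender_policy_disabled", _rx(r"\bDisableAntiSpyware\b")),
    ("defender_realtime_disabled", _rx(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+(1|\$true)")),
    ("defender_uninstalled", _rx(r"Uninstall-WindowsFeature\b.*Windows-Defender")),
    ("symantec_stopped", _rx(r"\bsmc(\.exe)?\s+-stop\b")),
    ("safeboot_network_set", _rx(r"\bbcdedit(\.exe)?\s+/set\s+safeboot\s+network\b")),
    ("forced_reboot", _rx(r"\bshutdown\s+-r\s+-f\s+-t\s+0\b")),
    ("shadow_copies_deleted", _rx(r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b")),
    # The -bomb build copies itself to C:\Windows\tmp.exe and starts it through
    # Win32_Process.Create, so the parent is the WMI provider host.
    ("wmi_spawned_tmp_exe", lambda ev: ev["parent"].lower() == "wmiprvse.exe"
     and re.search(r"\\windows\\tmp\.exe$", ev["text"], re.I) is not None),
]


def scan(events):
    """Return one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for name, matches in RULES:
            if matches(ev):
                hits.append({"host": ev["host"], "rule": name, "text": ev["text"]})
    return hits


def rules_per_host(hits):
    """Group distinct rule names by host; several stages on one host is the strong signal."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    for host, rules in rules_per_host(scan(EVENTS)).items():
        print(f"{host}: {', '.join(rules)}")
```

Each rule on its own is noisy in some environments (administrators do run bcdedit and vssadmin), which is why the grouping per host matters: a workstation that enumerates AD, disables Defender and is then rebooted into safe boot within the same window is worth an analyst's time regardless of which rule fired first.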
The encryption loop itself uses ChaCha20 to encrypt the files and a 4096 byte RSA public key to encrypt the symmetric key. In addition, for each folder it checks the following folder-name exclusions:
- $Recycle.Bin
- Windows
- Documents and Settings
- Local Settings
- Application Data
For each file, it checks the following filename exclusions:
- OUT.txt
- readme.txt
- dlaksjdoiwq.jpg
- NTUSER.DAT
- fkdjsadasd.ico
If the folder is not in the above list, it drops a readme.txt file instructing the user how to recover their files.
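The two exclusion lists are enough to scope an incident: which paths the loop would have skipped, which it would have targeted, and in which folders a ransom note should therefore exist. The Python below implements that as an added example (it is not the authors' code). The file listing is constructed, and the code assumes that an excluded folder name anywhere in a path means the loop never descended into that folder, so everything beneath it is skipped.

```python
from pathlib import PureWindowsPath

# Exclusion lists as reported in the article for the minimal build.
FOLDER_EXCLUSIONS = {"$recycle.bin", "windows", "documents and settings",
                     "local settings", "application data"}
FILE_EXCLUSIONS = {"out.txt", "readme.txt", "dlaksjdoiwq.jpg", "ntuser.dat", "fkdjsadasd.ico"}

# Constructed file listing, as one might export from a forensic image of an affected host.
LISTING = [
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\$Recycle.Bin\S-1-5-21-1\old.docx",
    r"C:\Users\alice\NTUSER.DAT",
    r"C:\Users\alice\Application Data\legacy.ini",
    r"C:\Users\alice\AppData\Local\Temp\cache.bin",   # AppData itself is not excluded
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\readme.txt",          # the ransom note
    r"C:\Data\dlaksjdoiwq.jpg",                      # the wallpaper image
    r"C:\Data\report.pdf",
]


def classify(listing):
    """Sort paths into what the encryption loop would have skipped or targeted.
    Assumption: an excluded folder name anywhere in the path means the loop did not
    descend into that folder, so all of its contents are skipped. Folders the loop
    does traverse are recorded as places where a readme.txt is expected."""
    result = {"skipped_folder": [], "skipped_file": [], "candidate": [], "note_dirs": set()}
    for raw in listing:
        p = PureWindowsPath(raw)
        folders = [part.lower() for part in p.parent.parts[1:]]  # drop the drive
        if any(f in FOLDER_EXCLUSIONS for f in folders):
            result["skipped_folder"].append(raw)
            continue
        result["note_dirs"].add(str(p.parent))
        if p.name.lower() in FILE_EXCLUSIONS:
            result["skipped_file"].append(raw)
        else:
            result["candidate"].append(raw)
    return result


def dirs_without_note(listing):
    """Traversed folders with no readme.txt in the listing: either the run never
    reached them, or the note was removed afterwards. Both are worth a look."""
    res = classify(listing)
    present = {str(PureWindowsPath(raw).parent) for raw in listing
               if PureWindowsPath(raw).name.lower() == "readme.txt"}
    return sorted(res["note_dirs"] - present)


if __name__ == "__main__":
    res = classify(LISTING)
    for bucket in ("skipped_folder", "skipped_file", "candidate"):
        print(bucket, res[bucket])
    print("folders missing a note:", dirs_without_note(LISTING))
```

Note that the legacy junction names ("Application Data", "Local Settings", "Documents and Settings") are on the list while the modern AppData tree is not, so on a current Windows install the loop reaches user profile data that a reader might assume was excluded.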
Conclusion
New face, old tricks. Having emerged recently, this threat actor is still rapidly developing its new crypter. But, while they might be using a newly developed crypter, it is evident that the operators behind this threat are anything but new to the world of cybercrime. Therefore, we will be tracking this potential rebrand as they update their crypter and develop new methods for delivering payloads.
Need Help?
Do you need help with a cyber incident now? Our NW-CERT is available 24/7 to help you recover quickly and securely from any cyber incident. Talk to one of our incident response coordinators directly by calling +31 850 437 909. Northwave is a Dutch cybersecurity company headquartered in Utrecht (the Netherlands), with subsidiaries in Leipzig (Germany) and Brussels (Belgium). Northwave obtained a license from the Dutch Ministry of Justice and Security to conduct private investigations into (cyber) incidents. Northwave's Computer Emergency Response Team (NW-CERT) members are certified as private investigators and possess extensive experience in digital forensics and cybersecurity. With hundreds of cases yearly, the NW-CERT has gained vast experience in incident response and crisis management. For more info about the NW-CERT, visit the website.
IOCs
Value | Type | Description |
---|---|---|
AA5E31C1BCC77A93D5757A9DE592A290559AF12891A6B1E58E3F27BDA1E356C3 | SHA256 | Hash of C:\Windows\ILUg69ql.bat |
CAACFA38248C32873BBBF787A486023249EAD916FD9C38EA38E6205892123596 | SHA256 | Hash of C:\Windows\smujEqe27H.bat |
AAEDFB9DFAECD21A468A5752856C59520CD73259293C8E767A9786459F39F5D8 | SHA256 | Hash of C:\Windows\RunTimeListen.exe |
C:\Windows\RunTimeListen.exe | File | SystemBC executable |
C:\Windows\smujEqe27H.bat | File | Batch file used to disable Symantec Endpoint Protection |
C:\Windows\ILUg69ql.bat | File | Batch file used to turn off Windows Defender |
C:\Windows\pclist.txt | File | File containing a list of IP addresses belonging to systems in the victim's network |
C:\users\public\vKrFZ0LTctJsTLW.xls | File | DLL file disguised as an .xls, containing a backdoor |
ppp.ps1 | File | PowerShell script for reconnaissance of the environment |
adfind.exe | File | AdFind executable |
sv.exe | File | Rclone executable |
\\.\pipe\npfs_65 | Pipe | Named pipe used by Cobalt Strike beacon |
\\.\pipe\halfduplex_03 | Pipe | Named pipe used by Cobalt Strike beacon |
176.124.221.130 | IP | Data exfiltration server |
23.106.215.197 | IP | Cobalt Strike C2 |
23.106.160.188 | IP | Cobalt Strike C2 |
172.105.88.234:4001 | IP:Port | IP and port used by SystemBC executable |
148.64.96.100:443 | IP:Port | Qbot C2 |
76.70.9.169:2222 | IP:Port | Qbot C2 |
5.54.53.124:995 | IP:Port | Qbot C2 |
67.209.195.198:443 | IP:Port | Qbot C2 |
78.169.246.124:443 | IP:Port | Qbot C2 |
5.32.41.45:443 | IP:Port | Qbot C2 |
39.44.206.162:995 | IP:Port | Qbot C2 |
103.246.242.202:443 | IP:Port | Qbot C2 |
175.145.235.37:443 | IP:Port | Qbot C2 |
202.134.152.2:2222 | IP:Port | Qbot C2 |
111.125.245.118:995 | IP:Port | Qbot C2 |
75.99.168.194:61201 | IP:Port | Qbot C2 |
47.156.131.10:443 | IP:Port | Qbot C2 |
172.115.177.204:2222 | IP:Port | Qbot C2 |
81.129.112.49:2078 | IP:Port | Qbot C2 |
85.246.82.244:443 | IP:Port | Qbot C2 |
38.70.253.226:2222 | IP:Port | Qbot C2 |
47.23.89.60:993 | IP:Port | Qbot C2 |
89.211.179.247:2222 | IP:Port | Qbot C2 |
31.215.69.176:443 | IP:Port | Qbot C2 |
117.248.109.38:21 | IP:Port | Qbot C2 |
37.186.54.254:995 | IP:Port | Qbot C2 |
217.164.118.38:1194 | IP:Port | Qbot C2 |
39.44.66.76:995 | IP:Port | Qbot C2 |
39.52.34.134:995 | IP:Port | Qbot C2 |
217.165.109.72:993 | IP:Port | Qbot C2 |
74.14.5.179:2222 | IP:Port | Qbot C2 |
217.164.118.38:2222 | IP:Port | Qbot C2 |
79.129.121.68:995 | IP:Port | Qbot C2 |
39.49.75.160:995 | IP:Port | Qbot C2 |
37.34.253.233:443 | IP:Port | Qbot C2 |
196.203.37.215:80 | IP:Port | Qbot C2 |
82.152.39.39:443 | IP:Port | Qbot C2 |
217.128.122.65:2222 | IP:Port | Qbot C2 |
41.230.62.211:995 | IP:Port | Qbot C2 |
120.150.218.241:995 | IP:Port | Qbot C2 |
186.90.153.162:2222 | IP:Port | Qbot C2 |
124.40.244.118:2222 | IP:Port | Qbot C2 |
2.50.4.57:443 | IP:Port | Qbot C2 |
24.178.196.158:2222 | IP:Port | Qbot C2 |
91.177.173.10:995 | IP:Port | Qbot C2 |
187.207.131.50:61202 | IP:Port | Qbot C2 |
69.14.172.24:443 | IP:Port | Qbot C2 |
45.241.139.60:993 | IP:Port | Qbot C2 |
217.165.176.49:2222 | IP:Port | Qbot C2 |
32.221.224.140:995 | IP:Port | Qbot C2 |
70.46.220.114:443 | IP:Port | Qbot C2 |
45.63.1.12:995 | IP:Port | Qbot C2 |
144.202.2.175:995 | IP:Port | Qbot C2 |
140.82.63.183:995 | IP:Port | Qbot C2 |
144.202.3.39:995 | IP:Port | Qbot C2 |
149.28.238.199:995 | IP:Port | Qbot C2 |
45.76.167.26:443 | IP:Port | Qbot C2 |
149.28.238.199:443 | IP:Port | Qbot C2 |
140.82.63.183:443 | IP:Port | Qbot C2 |
144.202.3.39:443 | IP:Port | Qbot C2 |
144.202.2.175:443 | IP:Port | Qbot C2 |
45.76.167.26:995 | IP:Port | Qbot C2 |
45.63.1.12:443 | IP:Port | Qbot C2 |
173.174.216.62:443 | IP:Port | Qbot C2 |
179.145.13.69:32101 | IP:Port | Qbot C2 |
108.60.213.141:443 | IP:Port | Qbot C2 |
140.82.49.12:443 | IP:Port | Qbot C2 |
1.161.104.31:995 | IP:Port | Qbot C2 |
93.48.80.198:995 | IP:Port | Qbot C2 |
197.92.141.144:443 | IP:Port | Qbot C2 |
176.67.56.94:443 | IP:Port | Qbot C2 |
208.107.221.224:443 | IP:Port | Qbot C2 |
174.69.215.101:443 | IP:Port | Qbot C2 |
1.161.104.31:443 | IP:Port | Qbot C2 |
197.89.20.168:443 | IP:Port | Qbot C2 |
76.25.142.196:443 | IP:Port | Qbot C2 |
182.191.92.203:995 | IP:Port | Qbot C2 |
72.27.86.98:443 | IP:Port | Qbot C2 |
45.46.53.140:2222 | IP:Port | Qbot C2 |
173.21.10.71:2222 | IP:Port | Qbot C2 |
73.151.236.31:443 | IP:Port | Qbot C2 |
187.172.219.103:443 | IP:Port | Qbot C2 |
189.146.87.77:443 | IP:Port | Qbot C2 |
82.41.63.217:443 | IP:Port | Qbot C2 |
187.208.122.226:443 | IP:Port | Qbot C2 |
190.252.242.69:443 | IP:Port | Qbot C2 |
189.223.134.157:443 | IP:Port | Qbot C2 |
101.50.67.212:995 | IP:Port | Qbot C2 |
70.51.135.90:2222 | IP:Port | Qbot C2 |
72.252.157.93:990 | IP:Port | Qbot C2 |
72.252.157.93:993 | IP:Port | Qbot C2 |
189.203.149.155:22 | IP:Port | Qbot C2 |
100.1.108.246:443 | IP:Port | Qbot C2 |
72.252.157.93:995 | IP:Port | Qbot C2 |
40.134.246.185:995 | IP:Port | Qbot C2 |
63.143.92.99:995 | IP:Port | Qbot C2 |
177.139.44.173:32101 | IP:Port | Qbot C2 |
24.55.67.176:443 | IP:Port | Qbot C2 |
24.139.72.117:443 | IP:Port | Qbot C2 |
177.133.210.218:443 | IP:Port | Qbot C2 |
179.158.105.44:443 | IP:Port | Qbot C2 |
47.157.227.70:443 | IP:Port | Qbot C2 |
201.172.23.68:2222 | IP:Port | Qbot C2 |
187.16.64.193:2222 | IP:Port | Qbot C2 |
92.132.172.197:2222 | IP:Port | Qbot C2 |
86.195.158.178:2222 | IP:Port | Qbot C2 |
106.51.48.170:50001 | IP:Port | Qbot C2 |
31.35.28.29:443 | IP:Port | Qbot C2 |
102.182.232.3:995 | IP:Port | Qbot C2 |
90.120.65.153:2078 | IP:Port | Qbot C2 |
94.36.191.129:2222 | IP:Port | Qbot C2 |
80.11.74.81:2222 | IP:Port | Qbot C2 |
190.79.204.80:2222 | IP:Port | Qbot C2 |
180.129.108.214:995 | IP:Port | Qbot C2 |
101.109.172.254:443 | IP:Port | Qbot C2 |
84.241.8.23:32103 | IP:Port | Qbot C2 |
41.84.242.8:443 | IP:Port | Qbot C2 |
210.246.4.69:995 | IP:Port | Qbot C2 |
89.86.33.217:443 | IP:Port | Qbot C2 |
109.12.111.14:443 | IP:Port | Qbot C2 |
152.0.12.24:443 | IP:Port | Qbot C2 |
39.41.148.211:995 | IP:Port | Qbot C2 |
41.215.150.246:995 | IP:Port | Qbot C2 |
67.69.166.79:2222 | IP:Port | Qbot C2 |
121.234.221.213:2222 | IP:Port | Qbot C2 |
67.165.206.193:993 | IP:Port | Qbot C2 |
191.34.192.119:443 | IP:Port | Qbot C2 |
79.80.80.29:2222 | IP:Port | Qbot C2 |
172.114.160.81:995 | IP:Port | Qbot C2 |
188.161.200.40:995 | IP:Port | Qbot C2 |
75.99.168.194:443 | IP:Port | Qbot C2 |
186.106.192.46:443 | IP:Port | Qbot C2 |
189.253.111.196:443 | IP:Port | Qbot C2 |
81.215.196.174:443 | IP:Port | Qbot C2 |
41.38.167.179:995 | IP:Port | Qbot C2 |
46.107.48.202:443 | IP:Port | Qbot C2 |
78.101.139.15:6883 | IP:Port | Qbot C2 |
59.93.93.37:443 | IP:Port | Qbot C2 |
2.50.137.23:443 | IP:Port | Qbot C2 |
2.34.12.8:443 | IP:Port | Qbot C2 |
181.208.248.227:443 | IP:Port | Qbot C2 |
103.116.178.85:995 | IP:Port | Qbot C2 |
121.7.223.45:2222 | IP:Port | Qbot C2 |
41.228.22.180:443 | IP:Port | Qbot C2 |
120.61.2.124:443 | IP:Port | Qbot C2 |
89.137.52.44:443 | IP:Port | Qbot C2 |
72.66.116.235:995 | IP:Port | Qbot C2 |
125.168.47.127:2222 | IP:Port | Qbot C2 |
72.76.94.99:443 | IP:Port | Qbot C2 |
103.107.113.83:443 | IP:Port | Qbot C2 |
113.89.6.31:995 | IP:Port | Qbot C2 |
203.122.46.130:443 | IP:Port | Qbot C2 |
197.165.163.159:995 | IP:Port | Qbot C2 |
68.204.7.158:443 | IP:Port | Qbot C2 |
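As an added example that is not part of the article, the Python below parses the IOC table above (a few rows copied from it) and matches constructed flow records against it. Bare IP entries match any port, IP:Port entries match exactly, and a connection to a listed IP on an unlisted port is reported separately so the analyst can decide whether it deserves an alert; the flow records and their internal source addresses are made up.

```python
import ipaddress

# Excerpt of the IOC table from this article in its markdown form; a few rows
# copied from the table above are enough to exercise every branch below.
IOC_TABLE = """\
Value | Type | Description |
---|---|---|
AA5E31C1BCC77A93D5757A9DE592A290559AF12891A6B1E58E3F27BDA1E356C3 | SHA256 | Hash of C:\\Windows\\ILUg69ql.bat |
176.124.221.130 | IP | Data exfiltration server |
23.106.215.197 | IP | Cobalt Strike C2 |
149.28.238.199:995 | IP:Port | Qbot C2 |
149.28.238.199:443 | IP:Port | Qbot C2 |
"""

# Constructed flow records (e.g. from a firewall or NetFlow export).
CONNECTIONS = [
    {"src": "10.0.0.5", "dst": "176.124.221.130", "dport": 22},
    {"src": "10.0.0.7", "dst": "149.28.238.199", "dport": 995},
    {"src": "10.0.0.7", "dst": "149.28.238.199", "dport": 8080},
    {"src": "10.0.0.9", "dst": "8.8.8.8", "dport": 53},
]


def parse_iocs(table):
    """Parse 'Value | Type | Description |' rows, skipping the header and separator."""
    iocs = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Value" or set(cells[0]) <= {"-"}:
            continue
        iocs.append({"value": cells[0], "type": cells[1], "description": cells[2]})
    return iocs


def network_index(iocs):
    """Map IP -> set of ports; None in the set means 'any port' (a bare IP entry).
    Rows that do not hold a valid address are ignored rather than raising."""
    index = {}
    for ioc in iocs:
        kind = ioc["type"].lower()
        if kind == "ip":
            ip, port = ioc["value"], None
        elif kind == "ip:port":
            ip, port_text = ioc["value"].rsplit(":", 1)
            port = int(port_text)
        else:
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        index.setdefault(ip, set()).add(port)
    return index


def match_connections(iocs, connections):
    """Return (exact matches, IP-only matches on an unlisted port)."""
    index = network_index(iocs)
    exact, ip_only = [], []
    for conn in connections:
        ports = index.get(conn["dst"])
        if ports is None:
            continue
        if None in ports or conn["dport"] in ports:
            exact.append(conn)
        else:
            ip_only.append(conn)
    return exact, ip_only


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    exact, ip_only = match_connections(iocs, CONNECTIONS)
    print("exact:", exact)
    print("same IP, other port:", ip_only)
```

The split matters for the Qbot entries in particular: the table lists the same address with several ports (149.28.238.199 on both 443 and 995), so an exact-match-only rule would stay silent on a third port while an IP-only rule would fire on every one of them. Keeping both lists lets the analyst tune that choice per IOC type.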