Kroll has continued to monitor BLACKBASTA actors leveraging QAKBOT to provide an initial foothold within the network. Interestingly, the use of QAKBOT has evolved since previous reporting and is now being used to install Cobalt Strike, directly reducing the dwell time of the threat actor to within one to two days. Typically, QAKBOT is delivered by a phishing email containing a hypertext markup language (HTML) attachment, which itself downloads a zip file once opened. In Q1, Kroll also observed instances where QAKBOT was delivered via customer support software, harkening back to a tactic Kroll reported on in 2021, where actors leverage live chat applications to deliver malware.
This zip file will contain a .lnk file that masquerades as a document. This contains a command to download a JavaScript file that downloads the QAKBOT dynamic link library (dll) before injecting it into a legitimate Windows process, “wermgr.exe”. A standard set of initial reconnaissance commands are executed and sent back to the command and control (C2) server, which include “net share” and “ipconfig /all”.
BLACKBASTA actors then gain hands-on control via Cobalt Strike and attempt to Kerberoast credentials and “pass-the-hash" to move laterally via the “getmac.exe” injected process. Once the threat actor has identified files of interest for exfiltration, Rclone is used to automate the extraction to cloud storage. After the actor has completed the previous steps, a BLACKBASTA encryptor is downloaded, which is typically named after the victim. Once executed, files are appended with an extension “.basta”, a ransom note is placed within each directory named “instructions_read_me.txt” and the desktop wallpaper is changed. If the victim does not respond to the demands, their name is then listed on the group’s “shaming” site before copies of exfiltrated documents are released.
Detecting Data Exfiltration
Detecting exfiltration of data and responding quickly to a true positive can make the difference between the loss of megabytes and gigabytes of data. It also serves as one of the last detection opportunities before ransomware deployment.
Network monitoring can be used to detect large amounts of data leaving the corporate network, but there are many methods for threat actors to avoid detection by network monitoring tools. This is also compounded by the distributed nature of remote work and thus pure network monitoring may not suit all organizations. Threat actors may adopt a “low and slow” approach to exfiltration whereby data is sent in smaller pieces over a longer period of time to blend in with daily flows of data. Prior to exfiltration, threat actors may also encrypt data to avoid detection via advanced network monitoring, which identifies the type of data moving across the network.
On the endpoint: Kroll consistently observes the Rclone tool used by ransomware actors to sync data to remote file storage locations. It is imperative that the deployment and behavior of this tool is detected, and its unauthorized use should be considered an imminent threat of ransomware deployment to be acted upon immediately. Similarly, Kroll has observed the “Caldera” adversary simulation tool used to send files to remote servers. Detection of this technique can be achieved by investigating the system pagefile, system resource usage monitor (SRUM) and the UsnJrnl ($J).
We also provide a high-level Sigma rule for detection of Rclone deployment and execution.
Detecting compression of large files can also be an indicator that a threat actor will soon begin exfiltrating data, commonly done with tooling such as 7zip, WinRAR or zlib. But simply detecting the usage of these tools can lead to high numbers of false positive detections, and thus this should be combined with detections for other behaviors.
Preventative Measures
Network administrators can prevent access to common file-sharing sites that are used by ransomware operators such as MEGA. Consider blocking the following domains.
- *.mega.co.nz
- mega.nz
- file.io
- uploaded.net
- 4shared.com
- anonfiles.com
- anonymfiles.com
- send.exploit.in
- ufile.io
- sendspace.com
- rapidgator.net
Ensure that network segmentation effectively separates areas of the network either logically or physically, especially those that handle backup data.
Monitoring of Cloud Environments
To best protect cloud environments, organizations should implement foundational network security practices, such as limiting the number of public IP addresses that provide access to cloud resources. They can shrink the attack surface further by blocking unauthorized traffic with a Web Application Firewall.
A Climate of Reinvention Demands Continued Vigilance
While the dismantling of certain types of threat actor groups would at first seem to be positive news for organizations, our findings for Q1 2023 show that the story is more complicated.
Power shifts among RaaS groups have led to the emergence of lone “splinter” actors that, despite not yet possessing the scope or scale of established groups, are certainly capable of inflicting extensive damage in order to achieve their aims. Although the professional services sector was the key focus for independent ransomware threat actors in Q1 2023, it is quite possible that other sectors will be targeted in the months to come. With attackers of many types adapting both themselves and their tools, and previously dormant groups reactivating, reinvention very much characterizes the current state of the threat landscape.
At a time of ongoing global economic turbulence and increasingly democratized cybercrime, the security environment is likely to be defined by more new variants of methods and attackers in the near future. Faced with this prospect, organizations cannot afford to be complacent, especially as recent Kroll research highlights overconfidence around cyber preparedness can come at a high cost. To counter these risks, organizations need to be ready to continually review and adapt their stance to cybersecurity. Ensuring that key controls are in place is an important starting point but being effectively equipped in the current fragmented and ever-diversifying threat landscape demands much more than this. Organizations will benefit from continued vigilance, supported by the insight and expertise of a trusted security partner who is able to advise, act and adapt alongside them in response to fast-changing conditions. Doing so will stand businesses in good stead in what is likely to continue to be a turbulent year for cybersecurity.
Download the Report
