Black Basta Ransomware operators leverage QBot for lateral movements

0

Researchers from NCC Group spotted a new partnership in the threat landscape between the Black Basta ransomware group and the QBot malware operation.QBot, aka Qakbot and Pinkslipbot, has been active since 2008, it is used by threat actors for collecting browsing data and banking credentials and other financial information from the victims.


NCC Group researchers discovered the new partnership while investigating a recent incident, unlike past collaborations Black Basta gang is using QBot to spread laterally throughout the target network.

Also Read: Critical Atlassian Confluence zero-day – What You Need to Do

“Black Basta was observed using the following methods to laterally move throughout the network after their initial access had been gained:” reads analysis published by NCC:

  • PsExec.exe which was created in the C:\Windows\ folder.
  • Qakbot was leveraged to remotely create a temporary service on a target host which was configured to execute a Qakbot DLL using regsvr32.exe:
    • regsvr32.exe -s \\<IP address of compromised Domain Controller>\SYSVOL\<random string>.dll
  • RDP along with the deployment of a batch file called rdp.bat which contained command lines to enable RDP logons. This was used to allow the threat actor to establish remote desktop sessions on compromised hosts, even if RDP was disabled originally:
    • reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
    • net start MpsSvc
    • netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
    • reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f"

Also Read: Latest Cyber Security News – Hacker News !

Experts reported that the threat actor used two main techniques to evade anti-virus detection by disabling Windows Defender.

The first technique leverages the batch script d.bat which was deployed locally on compromised hosts and executed a series of PowerShell commands. The second technique involved creating a GPO (Group Policy Object) on a compromised Domain Controller, which would push out a series of changes to the Windows Registry of domain-joined hosts.

The threat actors used Qakbot to maintain persistence on the victim’s network, experts also observed the use of Cobalt Strike beacons during the compromise.

Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST

The attackers, prior to the deployment of the ransomware, established RDP sessions to Hyper-V servers to modify configurations for the Veeam backup jobs and deleted the backups of the virtual machines used by the victims.

Then the attackers run a script to deliver the ransomware binary to the IP addresses contained within the file C:\Windows\pc_list.txt.

The researchers shared technical details about the ransomware along with the Indicators of Compromise (IoCs).

IOC ValueIndicator TypeDescription
23.106.160[.]188IP AddressCobalt Strike Command-and-Controller server
eb43350337138f2a77593c79cee1439217d02957SHA1Batch script which enabled RDP on the host (rdp.bat)  
920fe42b1bd69804080f904f0426ed784a8ebbc2SHA1Batch script to disable Windows Defender (d.bat)
C:\Windows\PsExec.exeFilenamePsExec
C:\Windows\SYSVOL\sysvol\<random string>.dllFilenameQakbot payload
C:\Windows\Temp\log.info C:\Windows\Temp\log.datFilenameInvoke-TotalExec output log files

Also Read: Lateral Movement Detection with Windows Event Logs

Detection Queries:

Qradar:

SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("ParentImage" ilike '%cmd.exe%' or "ParentImage" ilike '%regsvr32.exe%' or "ParentImage" ilike '%powershell.exe%' or "ParentImage" ilike '%vssadmin.exe%') and ("Process CommandLine" ilike '%reg add%' or "Process CommandLine" ilike '%netsh advfirewall%' or "Process CommandLine" ilike '%net start MpsSvc%' or "Process CommandLine" ilike '%Terminal Server%' or "Process CommandLine" ilike '%powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware%' or "Process CommandLine" ilike '%vssadmin.exe delete shadows /all /quiet%') and ("Filename" ilike '%pc_list.txt')

Splunk:

(source="WinEventLog:*" AND (ParentImage="*cmd.exe*" OR ParentImage="*regsvr32.exe*" OR ParentImage="*powershell.exe*" OR ParentImage="*vssadmin.exe*") AND (CommandLine="*reg add*" OR CommandLine="*netsh advfirewall*" OR CommandLine="*net start MpsSvc*" OR CommandLine="*Terminal Server*" OR CommandLine="*powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware*" OR CommandLine="*vssadmin.exe delete shadows /all /quiet*") AND (FileName="*pc_list.txt"))

Elastic Query:

(process.parent.executable:(*cmd.exe* OR *regsvr32.exe* OR *powershell.exe* OR *vssadmin.exe*) AND process.command_line:(*reg\ add* OR *netsh\ advfirewall* OR *net\ start\ MpsSvc* OR *Terminal\ Server* OR *powershell\ \-ExecutionPolicy\ Bypass\ \-command\ \"New\-ItemProperty\ \-Path\ 'HKLM\:\\SOFTWARE\\Policies\\Microsoft\\Windows\ Defender'\ \-Name\ DisableAntiSpyware* OR *vssadmin.exe\ delete\ shadows\ \/all\ \/quiet*) AND file.path:*pc_list.txt)

Microsoft Defender:

DeviceProcessEvents | where ((InitiatingProcessFolderPath contains "cmd.exe" or InitiatingProcessFolderPath contains "regsvr32.exe" or InitiatingProcessFolderPath contains "powershell.exe" or InitiatingProcessFolderPath contains "vssadmin.exe") and (ProcessCommandLine contains "reg add" or ProcessCommandLine contains "netsh advfirewall" or ProcessCommandLine contains "net start MpsSvc" or ProcessCommandLine contains "Terminal Server" or ProcessCommandLine contains @"powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware" or ProcessCommandLine contains "vssadmin.exe delete shadows /all /quiet") and (FolderPath endswith "pc_list.txt"))

ArcSight:

(sourceProcessName CONTAINS "*cmd.exe*" OR sourceProcessName CONTAINS "*regsvr32.exe*" OR sourceProcessName CONTAINS "*powershell.exe*" OR sourceProcessName CONTAINS "*vssadmin.exe*" AND ((destinationServiceName CONTAINS "*reg add*" OR destinationServiceName CONTAINS "*netsh advfirewall*" OR destinationServiceName CONTAINS "*net start MpsSvc*" OR destinationServiceName CONTAINS "*Terminal Server*" OR destinationServiceName CONTAINS "*powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware*" OR destinationServiceName CONTAINS "*vssadmin.exe delete shadows /all /quiet*" OR deviceCustomString1 CONTAINS "*reg add*" OR deviceCustomString1 CONTAINS "*netsh advfirewall*" OR deviceCustomString1 CONTAINS "*net start MpsSvc*" OR deviceCustomString1 CONTAINS "*Terminal Server*" OR deviceCustomString1 CONTAINS "*powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware*" OR deviceCustomString1 CONTAINS "*vssadmin.exe delete shadows /all /quiet*")) AND fileName CONTAINS "*pc_list.txt")

GrayLog:

(ParentImage.keyword:(*cmd.exe* *regsvr32.exe* *powershell.exe* *vssadmin.exe*) AND CommandLine.keyword:(*reg\ add* *netsh\ advfirewall* *net\ start\ MpsSvc* *Terminal\ Server* *powershell\ \-ExecutionPolicy\ Bypass\ \-command\ \"New\-ItemProperty\ \-Path\ 'HKLM\:\\SOFTWARE\\Policies\\Microsoft\\Windows\ Defender'\ \-Name\ DisableAntiSpyware* *vssadmin.exe\ delete\ shadows\ \/all\ \/quiet*) AND FileName.keyword:*pc_list.txt)

Logpoint:

(ParentImage IN ["*cmd.exe*", "*regsvr32.exe*", "*powershell.exe*", "*vssadmin.exe*"] CommandLine IN ["*reg add*", "*netsh advfirewall*", "*net start MpsSvc*", "*Terminal Server*", "*powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware*", "*vssadmin.exe delete shadows /all /quiet*"] FileName IN "*pc_list.txt")

RSA NETWITNESS:

((ParentImage contains 'cmd\.exe', 'regsvr32\.exe', 'powershell\.exe', 'vssadmin\.exe') && (CommandLine contains 'reg add', 'netsh advfirewall', 'net start MpsSvc', 'Terminal Server', 'powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware', 'vssadmin\.exe delete shadows /all /quiet') && (FileName contains 'pc_list\.txt'))


Source/Reference: https://securityaffairs.co/wordpress/132018/hacking/black-basta-ransomware-qbot.html

Previous articleOut-of-Band Application Security Testing – Detection and Response
Next articleNew ‘DogWalk’ Windows zero-day gets free unofficial patches – Detection & Response
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here