Researchers from NCC Group spotted a new partnership in the threat landscape between the Black Basta ransomware group and the QBot malware operation.QBot, aka Qakbot and Pinkslipbot, has been active since 2008, it is used by threat actors for collecting browsing data and banking credentials and other financial information from the victims.
NCC Group researchers discovered the new partnership while investigating a recent incident, unlike past collaborations Black Basta gang is using QBot to spread laterally throughout the target network.
Also Read: Critical Atlassian Confluence zero-day – What You Need to Do
“Black Basta was observed using the following methods to laterally move throughout the network after their initial access had been gained:” reads analysis published by NCC:
- PsExec.exe which was created in the C:\Windows\ folder.
- Qakbot was leveraged to remotely create a temporary service on a target host which was configured to execute a Qakbot DLL using regsvr32.exe:
regsvr32.exe -s \\<IP address of compromised Domain Controller>\SYSVOL\<random string>.dll
- RDP along with the deployment of a batch file called rdp.bat which contained command lines to enable RDP logons. This was used to allow the threat actor to establish remote desktop sessions on compromised hosts, even if RDP was disabled originally:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
net start MpsSvc
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f"
Also Read: Latest Cyber Security News – Hacker News !
Experts reported that the threat actor used two main techniques to evade anti-virus detection by disabling Windows Defender.
The first technique leverages the batch script d.bat which was deployed locally on compromised hosts and executed a series of PowerShell commands. The second technique involved creating a GPO (Group Policy Object) on a compromised Domain Controller, which would push out a series of changes to the Windows Registry of domain-joined hosts.
The threat actors used Qakbot to maintain persistence on the victim’s network, experts also observed the use of Cobalt Strike beacons during the compromise.
Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST
The attackers, prior to the deployment of the ransomware, established RDP sessions to Hyper-V servers to modify configurations for the Veeam backup jobs and deleted the backups of the virtual machines used by the victims.
Then the attackers run a script to deliver the ransomware binary to the IP addresses contained within the file C:\Windows\pc_list.txt.
The researchers shared technical details about the ransomware along with the Indicators of Compromise (IoCs).
IOC Value | Indicator Type | Description |
23.106.160[.]188 | IP Address | Cobalt Strike Command-and-Controller server |
eb43350337138f2a77593c79cee1439217d02957 | SHA1 | Batch script which enabled RDP on the host (rdp.bat) |
920fe42b1bd69804080f904f0426ed784a8ebbc2 | SHA1 | Batch script to disable Windows Defender (d.bat) |
C:\Windows\PsExec.exe | Filename | PsExec |
C:\Windows\SYSVOL\sysvol\<random string>.dll | Filename | Qakbot payload |
C:\Windows\Temp\log.info C:\Windows\Temp\log.dat | Filename | Invoke-TotalExec output log files |
Also Read: Lateral Movement Detection with Windows Event Logs
Detection Queries:
Qradar:
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("ParentImage" ilike '%cmd.exe%' or "ParentImage" ilike '%regsvr32.exe%' or "ParentImage" ilike '%powershell.exe%' or "ParentImage" ilike '%vssadmin.exe%') and ("Process CommandLine" ilike '%reg add%' or "Process CommandLine" ilike '%netsh advfirewall%' or "Process CommandLine" ilike '%net start MpsSvc%' or "Process CommandLine" ilike '%Terminal Server%' or "Process CommandLine" ilike '%powershell -ExecutionPolicy Bypass -command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware%' or "Process CommandLine" ilike '%vssadmin.exe delete shadows /all /quiet%') and ("Filename" ilike '%pc_list.txt')
Splunk:(source="WinEventLog:*" AND (ParentImage="*cmd.exe*" OR ParentImage="*regsvr32.exe*" OR ParentImage="*powershell.exe*" OR ParentImage="*vssadmin.exe*") AND (CommandLine="*reg add*" OR CommandLine="*netsh advfirewall*" OR CommandLine="*net start MpsSvc*" OR CommandLine="*Terminal Server*" OR CommandLine="*powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware*" OR CommandLine="*vssadmin.exe delete shadows /all /quiet*") AND (FileName="*pc_list.txt"))
Elastic Query:(process.parent.executable:(*cmd.exe* OR *regsvr32.exe* OR *powershell.exe* OR *vssadmin.exe*) AND process.command_line:(*reg\ add* OR *netsh\ advfirewall* OR *net\ start\ MpsSvc* OR *Terminal\ Server* OR *powershell\ \-ExecutionPolicy\ Bypass\ \-command\ \"New\-ItemProperty\ \-Path\ 'HKLM\:\\SOFTWARE\\Policies\\Microsoft\\Windows\ Defender'\ \-Name\ DisableAntiSpyware* OR *vssadmin.exe\ delete\ shadows\ \/all\ \/quiet*) AND file.path:*pc_list.txt)
Microsoft Defender:DeviceProcessEvents | where ((InitiatingProcessFolderPath contains "cmd.exe" or InitiatingProcessFolderPath contains "regsvr32.exe" or InitiatingProcessFolderPath contains "powershell.exe" or InitiatingProcessFolderPath contains "vssadmin.exe") and (ProcessCommandLine contains "reg add" or ProcessCommandLine contains "netsh advfirewall" or ProcessCommandLine contains "net start MpsSvc" or ProcessCommandLine contains "Terminal Server" or ProcessCommandLine contains @"powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware" or ProcessCommandLine contains "vssadmin.exe delete shadows /all /quiet") and (FolderPath endswith "pc_list.txt"))
ArcSight:(sourceProcessName CONTAINS "*cmd.exe*" OR sourceProcessName CONTAINS "*regsvr32.exe*" OR sourceProcessName CONTAINS "*powershell.exe*" OR sourceProcessName CONTAINS "*vssadmin.exe*" AND ((destinationServiceName CONTAINS "*reg add*" OR destinationServiceName CONTAINS "*netsh advfirewall*" OR destinationServiceName CONTAINS "*net start MpsSvc*" OR destinationServiceName CONTAINS "*Terminal Server*" OR destinationServiceName CONTAINS "*powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware*" OR destinationServiceName CONTAINS "*vssadmin.exe delete shadows /all /quiet*" OR deviceCustomString1 CONTAINS "*reg add*" OR deviceCustomString1 CONTAINS "*netsh advfirewall*" OR deviceCustomString1 CONTAINS "*net start MpsSvc*" OR deviceCustomString1 CONTAINS "*Terminal Server*" OR deviceCustomString1 CONTAINS "*powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware*" OR deviceCustomString1 CONTAINS "*vssadmin.exe delete shadows /all /quiet*")) AND fileName CONTAINS "*pc_list.txt")
GrayLog:(ParentImage.keyword:(*cmd.exe* *regsvr32.exe* *powershell.exe* *vssadmin.exe*) AND CommandLine.keyword:(*reg\ add* *netsh\ advfirewall* *net\ start\ MpsSvc* *Terminal\ Server* *powershell\ \-ExecutionPolicy\ Bypass\ \-command\ \"New\-ItemProperty\ \-Path\ 'HKLM\:\\SOFTWARE\\Policies\\Microsoft\\Windows\ Defender'\ \-Name\ DisableAntiSpyware* *vssadmin.exe\ delete\ shadows\ \/all\ \/quiet*) AND FileName.keyword:*pc_list.txt)
Logpoint: (ParentImage IN ["*cmd.exe*", "*regsvr32.exe*", "*powershell.exe*", "*vssadmin.exe*"] CommandLine IN ["*reg add*", "*netsh advfirewall*", "*net start MpsSvc*", "*Terminal Server*", "*powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware*", "*vssadmin.exe delete shadows /all /quiet*"] FileName IN "*pc_list.txt") RSA NETWITNESS:((ParentImage contains 'cmd\.exe', 'regsvr32\.exe', 'powershell\.exe', 'vssadmin\.exe') && (CommandLine contains 'reg add', 'netsh advfirewall', 'net start MpsSvc', 'Terminal Server', 'powershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware', 'vssadmin\.exe delete shadows /all /quiet') && (FileName contains 'pc_list\.txt'))
Source/Reference: https://securityaffairs.co/wordpress/132018/hacking/black-basta-ransomware-qbot.html