Black Basta Ransomware Gang Linked to a SystemBC Malware Campaign
By Pierluigi Paganini, August 15, 2024

The Rise of SystemBC and Black Basta
Researchers at Rapid7 have linked the Black Basta ransomware group to an ongoing social engineering campaign that now delivers the SystemBC malware. The attribution is notable less for the malware itself than for what it shows about the operators: they keep the same entry technique (talk a user into granting remote access) while refreshing the payloads and post-exploitation tooling behind it.
Unraveling the Social Engineering Campaign
Rapid7 reports that on June 20, 2024 it identified multiple attacks consistent with an ongoing social engineering campaign associated with Black Basta. In these incidents the attackers had made notable changes to their toolset, described below.
The attack sequence typically begins with email bombing: the target's mailbox is flooded with junk mail. The attackers then contact the user directly, commonly via Microsoft Teams, posing as IT support offering to fix the problem, and talk the user into installing AnyDesk, a legitimate remote desktop tool. Once AnyDesk is running, the attackers have interactive remote control of the workstation under the victim's own account.
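The three stages above (mail flood, out-of-band Teams contact, remote access tool launched shortly after) are more durable than any file name or hash, so they are worth correlating per user. The following is an added example of that correlation, written for this article and not code from Rapid7 or the original page. It runs over constructed key=value telemetry lines embedded in the block; the thresholds, user names, external tenant name and hostnames are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not figures from the Rapid7 report; tune them to
# your own mail volume and to how quickly your help desk normally follows up.
MAIL_BURST_COUNT = 40                      # this many inbound messages...
MAIL_BURST_WINDOW = timedelta(minutes=10)  # ...within this window counts as an email bomb
FOLLOW_UP_WINDOW = timedelta(hours=2)      # Teams contact, then RMM launch, each within this
RMM_IMAGES = {"anydesk.exe", "quickassist.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value telemetry line; quoted values may contain spaces."""
    ev = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_sample_events():
    """Constructed telemetry (not real logs): j.doe is email-bombed, contacted on Teams from an
    external tenant, then runs AnyDesk; a.smith runs AnyDesk with no such run-up."""
    t0 = datetime(2024, 6, 20, 9, 0, 0)
    events = [f"ts={(t0 + timedelta(seconds=5 * i)).isoformat()} src=mail user=j.doe sender=list{i}@example.net"
              for i in range(120)]
    events += [
        "ts=2024-06-20T09:41:10 src=teams user=j.doe external_sender=helpdesk@example-it.onmicrosoft.com",
        r'ts=2024-06-20T09:52:33 src=proc user=j.doe host=WS-0142 image="C:\Users\j.doe\Downloads\AnyDesk.exe"',
        "ts=2024-06-20T10:15:00 src=mail user=a.smith sender=hr@corp.example",
        r'ts=2024-06-20T10:30:00 src=proc user=a.smith host=WS-0077 image="C:\Program Files\AnyDesk\AnyDesk.exe"',
    ]
    return events


def first_burst(times):
    """Start time of the first window of MAIL_BURST_COUNT messages that fits in MAIL_BURST_WINDOW."""
    times = sorted(times)
    for i in range(len(times) - MAIL_BURST_COUNT + 1):
        if times[i + MAIL_BURST_COUNT - 1] - times[i] <= MAIL_BURST_WINDOW:
            return times[i]
    return None


def correlate(lines):
    """Return one alert per user who shows all three stages in order."""
    by_user = defaultdict(lambda: defaultdict(list))
    for ev in map(parse_line, lines):
        by_user[ev["user"]][ev["src"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        burst = first_burst([e["ts"] for e in evs["mail"]])
        if burst is None:
            continue
        contacts = [e for e in evs["teams"] if burst <= e["ts"] <= burst + FOLLOW_UP_WINDOW]
        if not contacts:
            continue
        contact = min(contacts, key=lambda e: e["ts"])
        launches = [e for e in evs["proc"]
                    if e["image"].rsplit("\\", 1)[-1].lower() in RMM_IMAGES
                    and contact["ts"] <= e["ts"] <= contact["ts"] + FOLLOW_UP_WINDOW]
        if not launches:
            continue
        launch = min(launches, key=lambda e: e["ts"])
        alerts.append({"user": user, "host": launch["host"], "burst_start": burst,
                       "contact_from": contact.get("external_sender"),
                       "rmm_image": launch["image"], "rmm_ts": launch["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(build_sample_events()):
        print(f"{a['user']}@{a['host']}: email bomb from {a['burst_start']:%H:%M}, "
              f"Teams contact from {a['contact_from']}, then {a['rmm_image']} at {a['rmm_ts']:%H:%M}")
```

Only j.doe fires: a.smith's AnyDesk launch has no preceding flood or external contact, which is the point of requiring the chain rather than alerting on the binary alone. In a real deployment the three sources would be your mail gateway, Teams audit log and EDR process telemetry, and the RMM list should be every remote access tool you do not sanction.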
The Role of AntiSpam.exe
Central to this campaign is a credential harvesting tool named AntiSpam.exe. Presented to the user as an update for a spam filter, a plausible fix for the mail flood they have just experienced, it prompts for the user's credentials and records them for later use. Masquerading as a trusted utility is a standard social engineering move; it is also why a user who knows how IT actually contacts them, and through which channels, is a meaningful control rather than a checkbox.
Diverse Payloads and Tactics
The follow-on payloads carried names consistent with the "update" lure. Alongside SystemBC, Rapid7 observed Golang HTTP beacons and SOCKS proxy beacons, giving the operators several independent ways to tunnel traffic into the network.
One executable, update6.exe, attempts to exploit CVE-2022-26923 (known as Certifried) for privilege escalation. In an unpatched domain, a low-privileged user who can create a machine account (the default MachineAccountQuota permits ten) can set that account's dNSHostName attribute to a domain controller's name and then obtain a certificate from Active Directory Certificate Services that authenticates as that domain controller. That is effectively full domain compromise from a foothold as an ordinary user.
Technical Insights from Rapid7’s Report
Rapid7's analysis shows that on execution update6.exe attempts the exploit to elevate its privileges. A leftover debugging symbols (PDB) path pointed to publicly available source code, specifically a module created by Outflank, suggesting the tool was assembled from open-source components rather than written from scratch.
For the SystemBC payload, update8.exe retrieves its components from encrypted resources, decodes them with an XOR key, and injects them into a child process. XOR is a trivial cipher, but it is enough to stop the stored payload from matching static signatures; the real payload only exists in memory, which is where detection has to look.
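Exploitation of CVE-2022-26923, as used by update6.exe above, leaves a durable artefact in the directory: a computer account, typically created by an ordinary user under MachineAccountQuota, whose dNSHostName names a domain controller and whose SPNs have been cleared so they do not conflict with the real one. The following audit over a constructed directory snapshot is an added example for this article, not Rapid7's tooling and not derived from update6.exe. The domain name, hostnames and SID are made up, and it assumes the usual single-suffix convention that NAME$ maps to name.domain.

```python
# Constructed directory snapshot (not data from the report). Attributes are what an LDAP query for
# (objectClass=computer) returns; DESKTOP-4H2K$ has the shape an account takes after a Certifried
# exploit: created by an ordinary user, SPNs cleared, dNSHostName pointing at a domain controller.
DOMAIN = "corp.example"
DOMAIN_CONTROLLERS = {"dc01.corp.example"}
COMPUTERS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example",
     "servicePrincipalName": ["HOST/DC01", "HOST/dc01.corp.example", "ldap/dc01.corp.example/corp.example"],
     "mS-DS-CreatorSID": None},
    {"sAMAccountName": "WS-0142$", "dNSHostName": "ws-0142.corp.example",
     "servicePrincipalName": ["HOST/WS-0142", "HOST/ws-0142.corp.example"],
     "mS-DS-CreatorSID": None},
    {"sAMAccountName": "DESKTOP-4H2K$", "dNSHostName": "dc01.corp.example",
     "servicePrincipalName": [],
     "mS-DS-CreatorSID": "S-1-5-21-1004336348-1177238915-682003330-1104"},  # made-up SID
]


def expected_hostname(sam, domain):
    """A computer account NAME$ normally carries dNSHostName name.<domain> (assumed convention)."""
    return f"{sam.rstrip('$').lower()}.{domain.lower()}"


def audit_computer(obj, domain=DOMAIN, dcs=DOMAIN_CONTROLLERS):
    """Return the findings for one computer object; an empty list means it looks normal."""
    sam = obj["sAMAccountName"]
    short = sam.rstrip("$").lower()
    expected = expected_hostname(sam, domain)
    dns = (obj.get("dNSHostName") or "").lower()
    findings = []

    # The Certifried signature: dNSHostName of a non-DC account equal to a DC's FQDN.
    if dns and dns != expected:
        if dns in {d.lower() for d in dcs}:
            findings.append(f"dNSHostName {dns} collides with a domain controller (Certifried pattern)")
        else:
            findings.append(f"dNSHostName {dns} does not match account name (expected {expected})")

    # The exploit clears SPNs so the renamed account does not conflict with the real DC's SPNs.
    spns = obj.get("servicePrincipalName") or []
    if not spns:
        findings.append("no servicePrincipalName values (SPNs cleared?)")
    for spn in spns:
        if "/" not in spn:
            continue
        host = spn.split("/")[1].split(":")[0].lower()
        if host not in (short, expected):
            findings.append(f"SPN {spn} names a host other than this account")

    # mS-DS-CreatorSID is only populated when a non-admin created the account via MachineAccountQuota.
    if obj.get("mS-DS-CreatorSID"):
        findings.append(f"created by non-admin {obj['mS-DS-CreatorSID']} under MachineAccountQuota")
    return findings


def audit(computers=COMPUTERS, domain=DOMAIN, dcs=DOMAIN_CONTROLLERS):
    """Map sAMAccountName -> findings for every computer object that has at least one."""
    report = {}
    for c in computers:
        findings = audit_computer(c, domain, dcs)
        if findings:
            report[c["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for sam, findings in audit().items():
        print(sam)
        for f in findings:
            print("  -", f)
```

The SPN mismatch check on its own is noisy in real domains (DNS aliases, cluster names, hosts in a second DNS suffix); the high-fidelity combination is a dNSHostName colliding with a DC together with a populated mS-DS-CreatorSID. The same attributes can be pulled with any LDAP client, and the creator SID check is also a cheap way to find every account that ordinary users have ever added, which is worth knowing regardless of this CVE.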
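To see why the XOR layer is cheap for an analyst to strip, here is an added example, not code from the page, from Rapid7 or from the malware, that recovers a repeating-key XOR key from an encrypted resource using the Microsoft DOS header as known plaintext. It assumes the resource is a PE obscured with a repeating key and nothing else; the payload bytes and the key "update8" are constructed for the demonstration.

```python
# The 60-byte DOS header the Microsoft linker emits, near-universal across PE files, so it serves as
# known plaintext. Bytes 60..63 (e_lfanew) vary between binaries and are left out of the crib.
DOS_HEADER_CRIB = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"   # e_magic .. e_ss
    "b80000000000000040000000"           # e_sp .. e_ovno (e_lfarlc = 0x40)
) + bytes(32)                            # e_res, e_oemid, e_oeminfo, e_res2: all zero
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def xor_bytes(data, key):
    """Repeating-key XOR; it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_payload():
    """Constructed stand-in for an embedded PE: genuine DOS header and stub, filler after. Not a real binary."""
    e_lfanew = (0x80).to_bytes(4, "little")
    stub_code = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")  # the usual 'int 21h' DOS stub
    head = (DOS_HEADER_CRIB + e_lfanew + stub_code + DOS_STUB_TEXT + b"\r\r\n$").ljust(0x80, b"\x00")
    return head + b"PE\x00\x00" + bytes(range(256)) * 2


def recover_xor_key(blob, max_key_len=60):
    """Derive a candidate key of each length from the crib and keep the shortest one whose
    decryption starts with MZ and exposes the DOS stub string within the first 256 bytes.
    Returns None when the blob is not a repeating-key-XOR'd PE (or the key is longer than the crib)."""
    for klen in range(1, max_key_len + 1):
        cand = bytes(c ^ p for c, p in zip(blob[:klen], DOS_HEADER_CRIB[:klen]))
        if len(cand) < klen:
            break                      # blob shorter than the key length being tried
        plain = xor_bytes(blob[:256], cand)
        if plain.startswith(b"MZ") and DOS_STUB_TEXT in plain:
            return cand
    return None


def unpack_resource(blob):
    """Return (key, decrypted payload), or (None, None) if no key validates."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    return key, xor_bytes(blob, key)


if __name__ == "__main__":
    encrypted = xor_bytes(build_sample_payload(), b"update8")   # "update8" is a made-up key
    key, payload = unpack_resource(encrypted)
    print("key:", key, "| header:", payload[:2], "| e_lfanew: 0x%x" % int.from_bytes(payload[60:64], "little"))
```

Taking the shortest validating length matters: a 7-byte key also validates at length 14, 21 and so on, and you want the true period. A key of b"\x00" means the resource was never encrypted. If this returns None on a real sample, the loader is doing more than repeating-key XOR (a rolling key, RC4, or compression first), and the reliable fallback is to let it run in a sandbox and dump the injected child process, since the payload has to be plaintext in memory to execute.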
Recommendations for Mitigation
In light of these findings, Rapid7 offers several recommendations for organizations to bolster their defenses against such social engineering tactics:
- Block unauthorized remote monitoring and management (RMM) tools: prevent remote access software such as AnyDesk from executing unless it is the tool your organisation actually supports. AppLocker or Microsoft Defender Application Control can enforce this; prefer publisher rules, since a path-based rule is sidestepped by launching the installer from any user-writable directory.
- User education: make the official IT support channels explicit so that an unsolicited Teams message from an unfamiliar tenant, or a caller asking the user to install remote access software, is recognised as out of band rather than as help.
- Keep software updated: patch known vulnerabilities, including CVE-2022-26923. Microsoft fixed it in May 2022 (KB5014754), so a domain still exploitable in mid-2024 is more than two years behind on domain controller updates. The fix initially runs in compatibility mode; verify that strong certificate binding enforcement has actually been enabled on domain controllers rather than assuming the patch alone closes the hole.
- Report suspicious activity: encourage employees to report calls or messages from anyone claiming to be IT staff, and make reporting cheap enough that they will do it while the conversation is still going on.
Indicators of Compromise
The Rapid7 report lists indicators of compromise for this campaign; they are not reproduced here. Load them into your detection tooling, but treat the behaviours described above (a mail flood, an unsolicited Teams contact, then a remote access tool appearing on the workstation) as the durable signal, since file names and hashes change between waves and the named payloads here have already been swapped once.