A new analysis of tools put to use by the Black Basta ransomware operation has identified ties between the threat actor and the FIN7 (aka Carbanak) group.
This link “could suggest either that Black Basta and FIN7 maintain a special relationship or that one or more individuals belong to both groups,” cybersecurity firm SentinelOne said in a technical write-up shared with The Hacker News.
Black Basta, which emerged earlier this year, has been attributed to a ransomware spree that has claimed over 90 organizations as of September 2022, suggesting that the adversary is both well-organized and well-resourced.
One notable aspect that makes the group stand out, per SentinelOne, is the fact that there have been no signs of its operators attempting to recruit affiliates or advertising the malware as a RaaS on darknet forums or crimeware marketplaces.
This has raised the possibility that the Black Basta developers either cut out affiliates from the chain and deploy the ransomware through their own custom toolset or alternatively work with a close set of affiliates without the need to market their warez.
Attack chains involving Black Basta are known to leverage QBot (aka Qakbot), which, in turn, is delivered by means of phishing emails containing macro-based Microsoft Office documents, with newer infections taking advantage of ISO images and LNK droppers to get around Microsoft’s decision to block macros in files downloaded from the web by default.
Once Qakbot obtains a persistent foothold in the target environment, the Black Basta operator enters the scene to conduct reconnaissance by connecting to the victim through the backdoor, followed by exploiting known vulnerabilities (e.g., ZeroLogon, PrintNightmare, and NoPac) to escalate privileges.
Also put to use at this stage are backdoors such as SystemBC (aka Coroxy) for data exfiltration and the download of additional malicious modules, before the conducting lateral movement and taking steps to impair defenses by disabling installed security solutions.
This also includes a custom EDR evasion tool that’s been exclusively put to use in Black Basta incidents and comes embedded with a backdoor dubbed BIRDDOG, also called as SocksBot and which has been utilized in several attacks previously attributed to the FIN7 group.
The FIN7 cybercrime syndicate, active since 2012, has a track record of mounting large-scale malware campaigns targeting the point-of-sale (PoS) systems aimed at the restaurant, gambling, and hospitality industries for financial fraud.
Over the past two years, however, the group has switched to ransomware for illicitly generating revenues, first as Darkside and then as BlackMatter and BlackCat, not to mention establishing fake front companies to recruit unwitting penetration testers to stage ransomware attacks.
“At this point, it’s likely that FIN7 or an affiliate began writing tools from scratch in order to disassociate their new operations from the old,” researchers Antonio Cocomazzi and Antonio Pirozzi said. “It is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7.”
The findings come weeks after the Black Basta actor was observed using the Qakbot trojan to deploy Cobalt Strike and Brute Ratel C4 frameworks as a second-stage payload in recent attacks.
“The crimeware ecosystem is constantly expanding, changing, and evolving,” the researchers concluded. “FIN7 (or Carbanak) is often credited with innovating in the criminal space, taking attacks against banks and PoS systems to new heights beyond the schemes of their peers.”
The disclosure also arrives as the U.S. Financial Crimes Enforcement Network (FinCEN) reported a surge in ransomware attacks targeting domestic entities from 487 in 2020 to 1,489 in 2021, incurring a total cost of $1.2 billion, a 188% jump from $416 million the previous year.