Reports from both Microsoft and cybersecurity researchers Rapid7 have detailed a disturbing new tactic employed by hackers. They have been seen combining spam techniques with the Windows built-in remote control and screen-sharing tool, Quick Assist, to deploy the Black Basta ransomware variant. This attack is not only concerning but also represents a new level of creativity in the cybercrime space. The way in which the attackers execute their plan is alarming and demonstrates the evolving nature of cyber threats.
Deploying Black Basta
Before launching the attack, the threat actors, identified as Storm-1811 by Microsoft, first need to obtain the victim’s email address and phone number. Subsequently, they bombard the victim’s inbox with numerous email subscription services. This flood of unwanted messages serves as a distraction and paves the way for the next phase of the attack.
Once the victim is overwhelmed with emails, the attackers then engage in a phone call, posing as either a Microsoft IT technician or the IT help desk of the victim’s company. They offer assistance to resolve the supposed issue and request the victim’s permission to access their Windows devices through Quick Assist. If the victim grants access, it marks the beginning of a dangerous sequence of events:
“Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads,” explained Microsoft. “These malicious files, including Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike, enable the attackers to move throughout the target network, map it out, and ultimately deploy the Black Basta ransomware variant.”
In addition to deploying Black Basta, Rapid7 highlighted that the attackers also aim to steal as many login credentials from the victim as possible. The researchers at Rapid7 identified a disturbing trend where credentials are harvested under the guise of needing to ‘update’ by prompting the user to log in. The stolen credentials are then swiftly exfiltrated to the threat actor’s server through a Secure Copy command.
“In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved,” mentioned the researchers at Rapid7, shedding light on the sophisticated methods employed by the attackers to gather valuable information.
It is essential for users to remain vigilant and cautious, especially when receiving unsolicited communications or requests for remote access to their devices. With cyber threats constantly evolving and becoming more sophisticated, staying informed and adopting best security practices are crucial in safeguarding against such attacks.
Via BleepingComputer
