The threat actors behind the Black Basta ransomware have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks.
This development marks the first time the nascent adversary simulation software has been observed being delivered through a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis published last week.
The intrusion, achieved using a phishing email containing a weaponized link that points to a ZIP archive, further leads to the use of Cobalt Strike for lateral movement.
While these legitimate utilities are designed to conduct penetration testing activities, their ability to provide remote access has made them lucrative tools in the hands of attackers looking for a stealthy way of probing a compromised environment without attracting attention for long periods of time.
This is compounded by the fact that a cracked version of Brute Ratel C4 began circulating last month in the cybercriminal underground, prompting its developer to update the licensing algorithm to make it harder to crack.
Qakbot, also known as QBot and QuackBot, is an information stealer and banking trojan known to be active since 2007. Its modular design and ability to act as a downloader have made it an attractive candidate for delivering additional malware.
According to Trend Micro, the ZIP file in the email contains an ISO file, which in turn contains an LNK file that fetches the Qakbot payload, illustrating the threat actors' efforts to adopt other tactics following Microsoft’s decision to block macros by default for documents downloaded from the web.
The Qakbot infection succeeded in retrieving Brute Ratel and Cobalt Strike, but not before performing automated reconnaissance via built-in command-line tools such as arp, ipconfig, nslookup, netstat and whoami.
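The reconnaissance burst described above is a detectable pattern on its own: several distinct built-in discovery tools launched by the same parent process within a short window. The following is an added example, not code from the article or from Trend Micro, that runs such a check over constructed process-creation records; the field layout and the parent path are assumptions, not any product's schema.

```python
# Added example: flag a burst of built-in reconnaissance commands (the tools
# the article names) launched under one parent process within a short window.
# Records below are constructed to mimic process-creation telemetry; the
# tuple layout and the parent image path are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"arp", "ipconfig", "nslookup", "netstat", "whoami"}

# Constructed sample events: (timestamp, host, parent image, child image)
SUSPECT = "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe"  # placeholder path
EVENTS = [
    ("2022-10-10T09:00:01", "ws01", SUSPECT, "arp.exe"),
    ("2022-10-10T09:00:02", "ws01", SUSPECT, "ipconfig.exe"),
    ("2022-10-10T09:00:03", "ws01", SUSPECT, "nslookup.exe"),
    ("2022-10-10T09:00:04", "ws01", SUSPECT, "netstat.exe"),
    ("2022-10-10T09:00:05", "ws01", SUSPECT, "whoami.exe"),
    ("2022-10-10T09:30:00", "ws02", "C:\\Windows\\explorer.exe", "cmd.exe"),
    ("2022-10-10T10:15:00", "ws02", "C:\\Windows\\explorer.exe", "ipconfig.exe"),
    ("2022-10-10T11:15:00", "ws02", "C:\\Windows\\explorer.exe", "whoami.exe"),
]

def find_recon_bursts(events, min_tools=3, window=timedelta(seconds=60)):
    """Return (host, parent) pairs under which at least `min_tools` distinct
    recon tools ran within `window`. Distinct tool names are counted, not raw
    executions, so an admin re-running ipconfig alone does not trigger."""
    by_parent = defaultdict(list)
    for ts, host, parent, child in events:
        name = child.lower().rsplit("\\", 1)[-1].removesuffix(".exe")
        if name in RECON_TOOLS:
            by_parent[(host, parent)].append((datetime.fromisoformat(ts), name))
    hits = []
    for key, runs in by_parent.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):  # slide the window from each run
            seen = {n for t, n in runs[i:] if t - t0 <= window}
            if len(seen) >= min_tools:
                hits.append(key)
                break
    return hits

if __name__ == "__main__":
    for host, parent in find_recon_bursts(EVENTS):
        print(f"recon burst on {host} under {parent}")
```

Tune `min_tools` and `window` to the environment: the two ws02 commands an hour apart under explorer.exe are ordinary administrator activity and stay below the threshold.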
However, the attack was halted before the threat actor took any further malicious action, although it is suspected that the ultimate goal could have been a domain-wide ransomware deployment.
In another string of Qakbot infections discovered by the cybersecurity firm, the ZIP file was distributed through an increasingly popular method known as HTML smuggling, again resulting in the execution of Brute Ratel C4 as the second stage.
The Qakbot-to-Brute Ratel-to-Cobalt Strike kill chain is linked to the group behind the Black Basta ransomware, the researchers said. “This is based on the overlapping TTPs and infrastructures observed in the Black Basta attacks.”
The findings coincide with a resurgence of Qakbot attacks in recent months using a variety of techniques such as HTML attachments, DLL sideloading, and email thread hijacking, the last of which entails harvesting email threads from successful ProxyLogon attacks against Microsoft Exchange servers.
IcedID actors diversify delivery methods
Qakbot is far from the only access-as-a-service malware being increasingly distributed via ISO and other file formats to bypass macro restrictions, as Emotet, IcedID and Bumblebee campaigns all follow the same trajectory.
Palo Alto Networks Unit 42 said in late September 2022 that it discovered a malicious multi-stage Microsoft Compiled HTML Help (CHM) file being used to distribute the IcedID (aka BokBot) malware.
According to Team Cymru, other prominent distribution methods and infection routes involve the use of password-protected ZIP files containing ISO files, mirroring Qakbot’s approach, with payloads delivered through a pay-per-install service called PrivateLoader.
And, on top of that, Emotet appears to be getting ready for a new set of attacks after a brief three-month hiatus spent reworking its “systeminfo” module to “improve targeting specific victims and distinguish tracking bots from real users,” ESET revealed in a series of tweets.
Jean-Ian Boutin, director of threat research at ESET, told The Hacker News: “We haven’t seen a new wave of spam from Emotet since July. It’s not clear why.”
“They’ve taken a break a few times before, but never for that long. Perhaps this new module means that they are testing modules and will be back in action in the near future, but of course this is just speculation.”