October 18, 2022

According to researchers from the cybersecurity firm Trend Micro, the operators of the Black Basta ransomware are using the Qakbot trojan to deploy the Brute Ratel C4 framework. Attackers use the strategy as a second stage payload, as observed in recent attacks.

To carry out an attack, the threat actors use a phishing e-mail containing an armed link that include a ZIP archive. The ZIP file in the email contains an ISO file, which in turn contains a LNK file that fetches the Qakbot payload.

It is already known that Qakbot is an information stealer and banking trojan that can turn into a downloader, making it a coveted weapon in the hands of threat actors.

Once the Qakbot infection is successful, automated reconnaissance through built-in command line tools such as arp, ipconfig, nslookup, netstat, and whoami is performed followed by the retrieval of of Brute Ratel and Cobalt Strike.

“The Qakbot-to-Brute Ratel-to-Cobalt Strike kill chain is associated with the group behind the Black Basta Ransomware. This is based on overlapping TTPs and infrastructure observed in Black Basta attacks,” the researchers said.

The researchers were also able to uncover various techniques used by Qakbot in recent months: HTML file attachments, DLL side-loading, and email thread hijacking, and bulk email harvesting from ProxyLogon attacks.

The sources for this piece include an article in TheHackerNews.