Black Basta Ransomware Expands Tactics with Social Engineering Attacks on Microsoft Teams


The notorious Black Basta ransomware group has escalated its social engineering tactics by using Microsoft Teams to target employees, posing as corporate IT help desks offering assistance with “spam issues.” Since April 2022, Black Basta has launched numerous ransomware attacks on corporations worldwide, evolving its methods to increase reach and effectiveness.

The Origins and Evolution of Black Basta

After the disbandment of the Conti cybercrime group in June 2022 due to a series of high-profile data breaches, several former members splintered into new factions, one of which is believed to be Black Basta. This ransomware group breaches corporate networks through diverse techniques, including exploiting software vulnerabilities, partnering with botnets, and engaging in social engineering schemes.

In a recent advisory, cybersecurity firms Rapid7 and ReliaQuest reported on a Black Basta campaign that bombarded employees’ inboxes with a flood of spam emails. These emails contained seemingly harmless content—newsletter sign-ups, confirmation emails, and verification messages—but were designed to inundate the user’s inbox and create an overwhelming situation. The threat actors then posed as the company’s IT support, offering to “help” clear the inbox and prompting users to install remote support tools.

During these interactions, attackers persuade the targeted employee to install AnyDesk or use Windows Quick Assist, providing them with direct access to the employee’s device. Once connected, they deploy scripts to install persistent access tools such as ScreenConnect, NetSupport Manager, and Cobalt Strike, allowing them to move laterally within the network and ultimately deploy ransomware.

Transition to Microsoft Teams: A New Approach to Social Engineering

In October, ReliaQuest observed that Black Basta affiliates had shifted their social engineering attacks to Microsoft Teams. Following the initial email flooding, these attackers reach out to employees through Microsoft Teams, impersonating IT support to assist with the perceived spam issue. Using profiles created on Entra ID tenants, they choose tenant names such as:

  • securityadminhelper.onmicrosoft[.]com
  • supportserviceadmin.onmicrosoft[.]com
  • supportadministrator.onmicrosoft[.]com
  • cybersecurityadmin.onmicrosoft[.]com

The attackers set their display names to appear like legitimate help desk contacts, often padding the name with spaces for emphasis within the chat window. The targeted employees are typically added to "OneOnOne" chats, creating a more intimate setting to gain their trust.

Deceptive Techniques and Malicious Payloads

Black Basta actors have been observed sending QR codes within Microsoft Teams chats, directing employees to domains such as qr-s1[.]com. Although the exact purpose of these QR codes remains unclear, the researchers caution that they could be used to guide victims to malicious sites or further phishing schemes.

Once they have engaged the target, the attackers prompt the installation of remote access tools. They often use misleading filenames like "AntispamAccount.exe," "AntispamUpdate.exe," and "AntispamConnectUS.exe" to make their malware appear as legitimate tools. Some of these files have been identified on VirusTotal as instances of SystemBC, a proxy malware previously linked to Black Basta, which serves to establish persistent, covert control over the compromised device. With Cobalt Strike installed, attackers gain complete access to the device, which acts as a launchpad for further intrusion into the network.

Defense Strategies Against Black Basta’s Tactics

To defend against these evolving social engineering tactics, ReliaQuest suggests that organizations restrict external communication in Microsoft Teams or, if external contact is essential, limit it to trusted domains only. Enabling comprehensive logging, particularly for ChatCreated events, can help IT security teams identify suspicious activity, such as unauthorized chats with external users.
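As an added example (not part of the article, and not tooling from ReliaQuest or Rapid7), the Python below shows what a review of ChatCreated audit events could look like in practice. It reads a handful of constructed Teams audit records, treats any creator outside the organisation's own domains as external, allows a small set of trusted external domains, and flags one-on-one chats opened by untrusted external accounts whose tenant names or display names mimic an IT help desk, including display names padded with spaces as described above. The record layout is modelled loosely on the Microsoft 365 unified audit log, but the field names (`Operation`, `CommunicationType`, `UserId`, `Members`, `DisplayName`, `UPN`) and all sample values are assumptions made for this demonstration.

```python
"""Flag suspicious Microsoft Teams ChatCreated audit events.

Added example, not from the article or from ReliaQuest/Rapid7. The record
shape is modelled loosely on the Microsoft 365 unified audit log, but the
field names are assumptions, and every sample record below is constructed.
"""
import json
import re

# Domains of the organisation's own tenant(s): any UPN outside them is external.
INTERNAL_DOMAINS = {"example.com", "example.onmicrosoft.com"}
# External domains the business has deliberately allowed (the advice above:
# if external contact is essential, limit it to trusted domains only).
TRUSTED_EXTERNAL_DOMAINS = {"partner.example.net"}
# Words an impersonated help desk is likely to use in a tenant or display name.
HELPDESK_WORDS = re.compile(r"help ?desk|support|security|admin", re.I)

# Constructed audit log (JSON Lines). Record 1 mirrors the behaviour described
# in the article; records 2 and 3 are benign; record 4 is not a ChatCreated event.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2024-10-21T09:14:02", "Operation": "ChatCreated", "CommunicationType": "OneOnOne", "UserId": "helpdesk@securityadminhelper.onmicrosoft.com", "Members": [{"DisplayName": "Help Desk      ", "UPN": "helpdesk@securityadminhelper.onmicrosoft.com"}, {"DisplayName": "Alice Example", "UPN": "alice@example.com"}]}
{"CreationTime": "2024-10-21T09:20:45", "Operation": "ChatCreated", "CommunicationType": "GroupChat", "UserId": "bob@example.com", "Members": [{"DisplayName": "Bob Example", "UPN": "bob@example.com"}, {"DisplayName": "Alice Example", "UPN": "alice@example.com"}]}
{"CreationTime": "2024-10-21T10:02:11", "Operation": "ChatCreated", "CommunicationType": "OneOnOne", "UserId": "carol@partner.example.net", "Members": [{"DisplayName": "Carol Partner", "UPN": "carol@partner.example.net"}, {"DisplayName": "Alice Example", "UPN": "alice@example.com"}]}
{"CreationTime": "2024-10-21T10:30:00", "Operation": "MessageSent", "CommunicationType": "OneOnOne", "UserId": "alice@example.com", "Members": []}
"""


def domain_of(upn):
    """Lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def is_external(upn):
    """True when the account does not belong to one of our own domains."""
    return domain_of(upn) not in INTERNAL_DOMAINS


def padded_name(name):
    """True when a display name is padded with leading, trailing or doubled spaces."""
    return name != name.strip() or "  " in name.strip()


def analyse_chat_created(record):
    """Return the reasons a ChatCreated record looks suspicious (empty if benign)."""
    if record.get("Operation") != "ChatCreated":
        return []
    reasons = []
    creator = record.get("UserId", "")
    cdomain = domain_of(creator)
    if is_external(creator) and cdomain not in TRUSTED_EXTERNAL_DOMAINS:
        reasons.append(f"chat created by untrusted external user {creator}")
        if record.get("CommunicationType") == "OneOnOne":
            reasons.append("one-on-one chat initiated from outside the tenant")
        if cdomain.endswith(".onmicrosoft.com") and HELPDESK_WORDS.search(cdomain):
            reasons.append(f"tenant name mimics an IT help desk: {cdomain}")
    for member in record.get("Members", []):
        upn = member.get("UPN", "")
        if not is_external(upn) or domain_of(upn) in TRUSTED_EXTERNAL_DOMAINS:
            continue
        name = member.get("DisplayName", "")
        if padded_name(name):
            reasons.append(f"external member display name padded with spaces: {name!r}")
        if HELPDESK_WORDS.search(name):
            reasons.append(f"external member uses help-desk style display name: {name.strip()!r}")
    return reasons


def scan_audit_log(jsonl_text):
    """Parse a JSON Lines audit export and return one alert per suspicious chat."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = analyse_chat_created(record)
        if reasons:
            alerts.append({
                "time": record.get("CreationTime"),
                "creator": record.get("UserId"),
                "type": record.get("CommunicationType"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert, indent=2))
```

Run against the constructed log, only the first record produces an alert: the creator sits in an untrusted onmicrosoft.com tenant whose name contains "security" and "admin", the chat is one-on-one, and the external member's display name is both padded and help-desk styled. The partner chat passes because its domain is on the trusted list, which is the allow-listing approach the advice above recommends; tightening `TRUSTED_EXTERNAL_DOMAINS` is the policy knob, and the reasons list is what an analyst would want in the alert body.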

As Black Basta continues to adapt its methods, staying vigilant and implementing robust security protocols is essential to mitigate the risks posed by increasingly sophisticated ransomware groups.
