Black Basta
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Black Basta has used PowerShell scripts for discovery and to execute files over the network.(Citation: Trend Micro Black Basta May 2022)(Citation: Trend Micro Black Basta Spotlight September 2022)(Citation: NCC Group Black Basta June 2022) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Black Basta can use `cmd.exe` to enable shadow copy deletion.(Citation: Deep Instinct Black Basta August 2022) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Black Basta can create a new service to establish persistence.(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022) |
| Enterprise | T1491.001 | Defacement: Internal Defacement | Black Basta has set the desktop wallpaper on victims' machines to display a ransom note.(Citation: Minerva Labs Black Basta May 2022)(Citation: BlackBerry Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Check Point Black Basta October 2022) |
| Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | Black Basta checks for the presence of a hard-coded mutex `dsajdhas.0` before executing.(Citation: Deep Instinct Black Basta August 2022) |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | The Black Basta binary can use `chmod` to gain full permissions to targeted files.(Citation: Uptycs Black Basta ESXi June 2022) |
| Enterprise | T1562.009 | Impair Defenses: Safe Mode Boot | Black Basta can reboot victim machines in safe mode with networking via `bcdedit /set safeboot network`.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: Palo Alto Networks Black Basta August 2022) |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Black Basta has established persistence by creating a new service named `FAX` after deleting the legitimate service of the same name.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | The Black Basta dropper has mimicked an application for creating bootable USB drives.(Citation: Check Point Black Basta October 2022) |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Black Basta has added data before the Portable Executable (PE) header to prevent automatic scanners from identifying the payload.(Citation: Check Point Black Basta October 2022) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | The Black Basta dropper has been digitally signed with a certificate issued by Akeo Consulting for legitimate executables used for creating bootable USB drives.(Citation: Check Point Black Basta October 2022) |
| Enterprise | T1204.002 | User Execution: Malicious File | Black Basta has been downloaded and executed from malicious Excel files.(Citation: Trend Micro Black Basta May 2022)(Citation: Trend Micro Black Basta Spotlight September 2022) |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Black Basta can check system flags and libraries, process timing, and APIs to detect code emulation or sandboxing.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Check Point Black Basta October 2022) |
References
- Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
- Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
- Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
- Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
- Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
- Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
- Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
- Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
- Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
- Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New?. Retrieved March 7, 2023.
- Sharma, S. and Hegde, N. (2022, June 7). Black Basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023.