Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike

QAKBOT malware distribution resumed on September 8, 2022 after a brief hiatus; on that date our researchers spotted several distribution mechanisms in use. These included SmokeLoader (using the ‘snow0x’ distributor ID), Emotet (using the ‘azd’ distributor ID), and malicious spam that used the ‘BB’ and ‘Obama20x’ IDs.

A recent case involving the QAKBOT ‘BB’ distributor led to the deployment of Brute Ratel (detected by Trend Micro as Backdoor.Win64.BRUTEL) — a framework similar to Cobalt Strike — as a second-stage payload. This is a noteworthy development because it is the first time we have observed Brute Ratel as a second-stage payload via a QAKBOT infection.

The attack also involved the use of Cobalt Strike itself for lateral movement. We attribute these activities to the threat actors behind the Black Basta ransomware.

Source: Trend Micro