A new analysis of tools has identified ties between Black Basta Ransomware and the FIN7 (aka Carbanak) group.
“This link could suggest either that Black Basta and FIN7 maintain a special relationship or that one or more individuals belong to both groups,” cybersecurity firm SentinelOne said in a technical write-up shared with The Hacker News.
Black Basta, which emerged earlier this year, has been attributed to a ransomware spree that has claimed over 90 organizations as of September 2022. This suggests that the adversary is both well-organized and well-resourced.
One notable aspect that makes the group unique, is the fact that there have been no signs of its operators attempting to recruit affiliates or advertising the malware as a RaaS on darknet forums or crimeware marketplaces.
This has raised the possibility that the Black Basta developers either cut out affiliates from the chain and deploy the ransomware through their own custom toolset or alternatively work with a close set of affiliates without the need to market their warez.
Attack chains involving Black Basta are known to leverage QBot (aka Qakbot), which, in turn, is delivered by means of phishing emails containing macro-based Microsoft Office documents, with newer infections taking advantage of ISO images and LNK droppers to get around Microsoft’s decision to block macros in files downloaded from the web by default.
Also put to use at this stage are backdoors such as SystemBC (aka Coroxy) for data exfiltration and the download of additional malicious modules, before the conducting lateral movement and taking steps to impair defenses by disabling installed security solutions.
This also includes a custom EDR evasion tool that’s been exclusively put to use in Black Basta incidents and comes embedded with a backdoor dubbed BIRDDOG, also called as SocksBot and which has been utilized in several attacks previously attributed to the FIN7 group.
The FIN7 cybercrime syndicate, active since 2012, has a track record of mounting large-scale malware campaigns targeting the point-of-sale (PoS) systems aimed at the restaurant, gambling, and hospitality industries for financial fraud.
“At this point, it’s likely that FIN7 or an affiliate began writing tools from scratch in order to disassociate their new operations from the old,” researchers Antonio Cocomazzi and Antonio Pirozzi said. “It is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7.”
The findings come weeks after the Black Basta actor was observed using the Qakbot trojan to deploy Cobalt Strike and Brute Ratel C4 frameworks as a second-stage payload in recent attacks.
“The crimeware ecosystem is constantly expanding, changing, and evolving,” the researchers concluded. “FIN7 (or Carbanak) is often credited with innovating in the criminal space, taking attacks against banks and PoS systems to new heights beyond the schemes of their peers.”
The disclosure also arrives as the U.S. Financial Crimes Enforcement Network (FinCEN) reported a surge in ransomware attacks targeting domestic entities from 487 in 2020 to 1,489 in 2021, incurring a total cost of $1.2 billion, a 188% jump from $416 million the previous year.