Hackers have been observed combining spam, a classic IT support scam, and Windows' built-in remote control and screen sharing tool, Quick Assist, to deploy the Black Basta ransomware variant.
Reports from Microsoft and cybersecurity researchers Rapid7 described how the attack is also quite creative and not something that is often seen in the cybercrime space.
Before the actual attack, the threat actors (which Microsoft identified as Storm-1811) need to obtain two things: the victim's email address and phone number.
Black Basta Implementation
After that, the attackers will register the victim on countless email subscription services. As a result, the victim's inbox will be absolutely flooded with newsletters, email notifications and similar spam messages.
They will then call them on the phone and pretend to be a Microsoft IT technician or the IT help desk of the company the victim works for. They will offer to help fix the problem and ask the victim to grant them access to their Windows devices through Quick Assist. Once victims grant access, it's practically game over:
“Once the user allows access and control, the threat actor executes a programmed cURL command to download a series of batch files or ZIP files used to deliver malicious payloads,” Microsoft said. “In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools such as ScreenConnect and NetSupport Manager, and Cobalt Strike.”
These tools help attackers move laterally across the target network, map it, and ultimately deploy the Black Basta ransomware variant.
In addition to deploying Black Basta, Rapid7 added that the attackers would also steal as many of the victim's login credentials as they could.
“Credentials are collected under the fake 'update' context that requires the user to log in. In most batch script variations observed, credentials are immediately leaked to the threat actor's server via of a secure copy command (SCP)”. Rapid7 researchers said.
“In at least one other script variant observed, credentials are saved to a file and must be retrieved manually.”
Via BleepingComputer
