BlackBasta, a notorious ransomware group, has recently evolved its tactics to target corporations through Microsoft Teams, disguising themselves as help desk personnel. This new approach is a troubling development in social engineering attacks, showing how cybercriminals are adapting to breach security through sophisticated impersonation methods.
Since emerging in April 2022, BlackBasta has been involved in hundreds of ransomware attacks on businesses worldwide. Initially, the group gained notoriety following the disbanding of the Conti cybercrime syndicate. While the Conti group fractured into several splinter groups after significant data leaks, BlackBasta quickly rose as a formidable faction from this breakup.
To access corporate networks, BlackBasta employs a range of methods:
Exploiting System Vulnerabilities: By finding weak spots in company systems.
Collaborations with Botnets: Partnering with botnets to spread malware.
Social Engineering Tactics: Conducting phishing campaigns and manipulating employees.
Earlier this year, BlackBasta launched a wave of social engineering attacks focusing on employee inboxes:
Flooding Emails: The attackers inundate targeted employees with non-malicious emails, including newsletters, sign-up confirmations, and other notifications, filling inboxes with thousands of messages.
Posing as IT Support: After creating chaos in the inbox, BlackBasta members contact employees by phone, impersonating the company’s IT support. They offer to help manage the “spam attack,” using this trust to request remote access.
Using Remote Tools: Victims are guided to install the AnyDesk remote access tool or open Windows Quick Assist. Through that session, the attackers run scripts that establish their own access, installing remote administration software such as ScreenConnect and NetSupport Manager (legitimate tools abused for persistence) along with Cobalt Strike for continuous control.
In October, ReliaQuest reported that BlackBasta affiliates shifted from phone-based social engineering to a new approach on Microsoft Teams:
Impersonating IT Help Desk on Teams: Attackers now masquerade as IT help desk personnel on Microsoft Teams, contacting employees directly from external accounts. These accounts are created in attacker-controlled Entra ID tenants whose domains look plausible, such as “securityadminhelper.onmicrosoft[.]com” or “supportadministrator.onmicrosoft[.]com.”
Creating Trust with Display Names: The attackers set their display names to include “Help Desk” or similar phrases to appear credible. By initiating one-on-one (OneOnOne) chats, they foster a sense of urgency and legitimacy.
Sending QR Codes: Occasionally, they also send QR codes that link to domains like “qr-s1[.]com.” Although the QR code’s purpose remains unclear, researchers suspect it may play a role in the group’s manipulation tactics.
After establishing initial contact, BlackBasta aims to trick employees into installing AnyDesk or launching Quick Assist to obtain access to the device. Once connected, the attackers deploy payloads such as “AntispamAccount.exe” and “AntispamUpdate.exe,” which security vendors commonly flag as malicious.
These payloads ultimately lead to the installation of Cobalt Strike, a powerful tool allowing BlackBasta to fully compromise the device. From here, they can expand their reach within the corporate network, elevate privileges, exfiltrate data, and deploy ransomware to encrypt files.
With BlackBasta’s tactics constantly evolving, organizations need robust security strategies to counter these threats. ReliaQuest suggests several key steps:
Limit External Communication on Microsoft Teams: Restrict communication with external users unless verified and necessary.
Enable Logging and Monitor Chats: Activate chat logging, especially for “ChatCreated” events, to track unusual activity and identify potential risks.
Employee Training and Awareness: Regularly educate employees on social engineering tactics and the importance of verifying unexpected IT support contacts.
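To make the logging recommendation concrete, the following added example (not code from ReliaQuest or the original article) scans Teams “ChatCreated” audit records for external members whose display names imitate a help desk. The sample records and field names (Operation, CommunicationType, Members, DisplayName, UPN) are constructed for this example and only loosely modeled on the Microsoft 365 audit log; adjust them to match your own export, and replace INTERNAL_DOMAINS with your tenant's domains.

```python
import json
import re

# Constructed sample records, one JSON object per line, loosely modeled on
# Microsoft 365 Unified Audit Log "ChatCreated" entries for Teams. The field
# names are assumptions for this example, not a verified copy of the schema.
# The external tenant domains are the ones named in the article.
SAMPLE_AUDIT_LOG = """
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","Members":[{"DisplayName":"Help Desk","UPN":"admin@securityadminhelper.onmicrosoft.com"},{"DisplayName":"Jane Doe","UPN":"jane.doe@example.com"}]}
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","Members":[{"DisplayName":"Bob Smith","UPN":"bob.smith@example.com"},{"DisplayName":"Jane Doe","UPN":"jane.doe@example.com"}]}
{"Operation":"ChatCreated","CommunicationType":"Group","Members":[{"DisplayName":"IT Support","UPN":"it@supportadministrator.onmicrosoft.com"},{"DisplayName":"Jane Doe","UPN":"jane.doe@example.com"},{"DisplayName":"Bob Smith","UPN":"bob.smith@example.com"}]}
{"Operation":"MessageSent","CommunicationType":"OneOnOne","Members":[{"DisplayName":"Help Desk","UPN":"x@securityadminhelper.onmicrosoft.com"}]}
"""

# Assumed: the organization's own tenant domains. Anything else is external.
INTERNAL_DOMAINS = {"example.com"}

# Display-name phrases the article reports the attackers using to look credible.
SUSPICIOUS_NAME = re.compile(r"help\s*desk|it\s*support|administrator", re.IGNORECASE)


def is_external(upn):
    """True when the member's UPN domain is outside the organization's own domains."""
    domain = upn.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def flag_chat(record):
    """Return (display_name, upn, chat_type) for each external member with a
    help-desk-style display name on a ChatCreated record; [] if nothing matches."""
    if record.get("Operation") != "ChatCreated":
        return []
    hits = []
    for member in record.get("Members", []):
        if is_external(member["UPN"]) and SUSPICIOUS_NAME.search(member.get("DisplayName", "")):
            hits.append((member["DisplayName"], member["UPN"], record.get("CommunicationType")))
    return hits


def scan(log_text):
    """Parse one JSON record per non-empty line and collect all flagged members."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            findings.extend(flag_chat(json.loads(line)))
    return findings


if __name__ == "__main__":
    for name, upn, chat_type in scan(SAMPLE_AUDIT_LOG):
        print(f"ALERT: external {chat_type} chat created by '{name}' <{upn}>")
```

Running it prints two alerts, one per external help-desk impersonator, while the internal-only chat and the non-ChatCreated record are ignored.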
As ransomware groups like BlackBasta and DarkAngels develop increasingly sophisticated social engineering tactics, vigilance and proactive security measures are crucial. Companies can protect their networks by maintaining strict communication protocols, ensuring rigorous logging, and empowering employees with knowledge of the latest threat landscapes.