Hackers have been observed combining spam, a classic IT tech support scam, and Windows built-in remote control and screen-sharing tool, Quick Assist, to deploy the Black Basta ransomware variant.
Reports from both Microsoft, and cybersecurity researchers Rapid7 outlined how the attack is also quite creative and not something that’s often seen in the cybercrime space.
Before the actual attack, the threat actors (which Microsoft identified as Storm-1811) need to obtain two things: the victim’s email address, and phone number.
Deploying Black Basta
After that, the attackers will sign the victim up for countless email subscription services. As a result, the victim’s inbox will get absolutely hammered with newsletters, email notifications, and similar unwanted messages.
Then, they will call them on the phone, and impersonate either a Microsoft IT technician, or the IT help desk of the company the victim works for. They will offer to help sort out the problem, and will ask the victim to grant them access to their Windows devices through Quick Assist. Once the victims grant access, it’s practically game over:
“Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads,” Microsoft said. “In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.”
These tools help the attackers move laterally throughout the target network, map it out, and ultimately – deploy the Black Basta ransomware variant.
Besides deploying Black Basta, Rapid7 added that the attackers would also steal as many login credentials from the victim as they can.
“The credentials are gathered under the false context of the ‘update’ requiring the user to log in. In most of the observed batch script variations, the credentials are immediately exfiltrated to the threat actor’s server via a Secure Copy command (SCP),” Rapid7’s researchers said.
“In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved.”
Via BleepingComputer