Black Basta Ransomware Attacks Linked to FIN7 Threat Actor

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

The individuals behind the Black Basta ransomware have been linked to hacking operations conducted by the FIN7 threat actors.

According to a new advisory by SentinelLabs, Black Basta actors have used a custom defense impairment tool (found exclusively in incidents by this specific threat actor) in several instances.

“Our investigation led us to a further custom tool […] an executable packed with UPX [Ultimate Packer for Executables],” SentinelLabs wrote.

“The unpacked sample is a binary compiled with Visual Basic. The main functionality is to show a fake Windows Security GUI and tray icon with ‘healthy’ system status, even if Windows Defender and other system functionalities are disabled.”

The security researchers added that analysis of the tool led the team to additional samples, one of which included an unknown packer that, once unpacked, was identified as BIRDDOG (aka SocksBot), a backdoor used in multiple operations by FIN7 threat actors.

“We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups,” SentinelLabs explained.

The cybersecurity company has also established other ties between the two hacking groups.

“Initially, FIN7 used POS (Point of Sale) malware to conduct financial frauds. However, since 2020 they switched to ransomware operations, affiliating to REvil, Conti and also conducting their own operations.”

According to SentinelLabs, the threat actor or an affiliate began writing tools from scratch to disassociate their new operations from the old.

FIN7 (or Carbanak) is often credited with innovating in the criminal space, taking attacks against banks and PoS systems to new heights beyond the schemes of their peers,” the advisory reads.

“As we clarify the hand behind the elusive Black Basta ransomware operation, we aren’t surprised to see a familiar face behind this ambitious closed-door operation. While there are many new faces and diverse threats in the ransomware and double extortion space, we expect to see the existing professional criminal outfits putting their own spin on maximizing illicit profits in new ways.”

The SentinelLabs advisory comes weeks after a report from Ivanti suggested that ransomware, including Black Basta, has grown by 466% since 2019 and is being used increasingly as a precursor to physical war.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw
CISA Urges Immediate Credential Reset After Sisense Breach
Ex-Security Engineer Jailed 3 Years for $12.3 Million Crypto Exchange Thefts
Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files
Russian APT Deploys New ‘Kapeka’ Backdoor in Eastern European Attacks

Leave a Reply

Your email address will not be published. Required fields are marked *