Detecting QakBot Malware Campaign Leading to Black Basta Ransomware Infections

Ransomware is a number one threat posing a significant menace to security defenders worldwide, with the attack trend constantly growing throughout 2021-2022. Recently, security experts revealed a massive QakBot malware campaign increasingly targeting U.S.-based vendors to deliver Black Basta ransomware. 

During the last decade of November 2022, at least 10 businesses in the United States have fallen victim to a series of aggressive attacks. In all cases, QakBot (aka QBot or Pinkslipbot) acts as an initial entry point for Black Basta operators who rely on the malicious strain to maintain persistence across the targeted infrastructure. 

Detect Black Basta Ransomware Infections Using QakBot Malware

With the relatively novel Black Basta RaaS ring advancing its arsenal and enriching it with novel custom tools and techniques, cybersecurity experts should be timely equipped with relevant defensive capabilities to thwart ransomware attacks of such scale and impact. SOC Prime’s Detection as Code platform aggregates a set of Sigma rules by our keen Threat Bounty developers Osman Demir and Zaw Min Htun to detect Black Basta ransomware relying on QakBot for infection. 

Possible Black-Basta Attack [QakBot] (November 2022) Lateral Movement Activity By Detection of Associated Process (via process_creation)

This rule detects Cobalt Strike payload execution with the rundll32.exe SetVolume commands. The detection supports translations to 20 SIEM, EDR & XDR platforms and is aligned with MITRE ATT&CK® framework addressing the Defense Evasion tactic with the corresponding Signed Binary Proxy Execution (T1218) technique.

Suspicious Aggressive Qakbot Campaign Execution by Detection of Associated Commands [Targeting U.S. Companies] (via powershell)

The rule above detects the malicious behavior associated with PowerShell used in the course of the latest QakBot campaign to query information against Active Directory Domain Services with the System.DirectoryServices.DirectorySearcher class. The detection supports translations to 13 SIEM, EDR & XDR platforms and is aligned with the MITRE ATT&CK framework addressing the xecution tactic with the corresponding PowerShell (T1086) and Command and Scripting Interpreter (T1059) techniques.

Skilled cybersecurity practitioners striving to enrich their Detection Engineering and Threat Hunting skills can join the ranks of our Threat Bounty Program to make their own contribution to collective industry expertise. Participation in the Program enables detection content authors to monetize their professional skills while helping build a safer digital future. 

To keep abreast of rapidly evolving Black Basta ransomware and QakBot malware attacks, security teams can leverage the entire collection of relevant Sigma rules available in SOC Prime’s platform by clicking the buttons below.

Explore QakBot Detections Explore Black Basta Detections

Analyzing QakBot Malware Campaign by Black Basta Ransomware Gang

The latest inquiry by Cybereason reveals that QakBot acts as an initial entry point during the Black Basta attacks against U.S. companies. The attack typically starts with a spam or phishing email containing a malicious disk image file. If opened, the file triggers QakBot execution, followed by the Cobalt Strike payload being retrieved from the remote server. 

At the next stage, the malware performs credential harvesting and lateral movement activities aimed at breaching as many endpoints as possible with the harvested login data. Finally, the Black Basta ransomware payload is dropped onto the targeted network. 

Notably, in several of the observed attacks, the campaign operators disabled DNS services to lock the victim out of the network and make the recovery process almost impossible. 

It’s not the first time Black Basta maintainers rely on QakBot to proceed with malicious actions. In October 2022, the ransomware gang was observed entailing QakBot to deliver the Brute Ratel C4 framework leveraged to drop Cobalt Strike. The latest series of cyber attacks only prove a significant shift in QakBot operations being revamped to install attack frameworks and sell access to various threat actors. 

With a rapidly growing number of ransomware attacks, proactive detection is key to strengthening the organization’s cybersecurity posture. Obtain 650+ Sigma rules to identify current and emerging ransomware attacks and always stay one step ahead of adversaries. Reach 30+ rules for free or gain the entire detection stack with On Demand at http://my.socprime.com/pricing.