Black Basta Evolves Techniques to Deploy Zbot, DarkGate, and Bespoke Malware


Executive Summary

According to a new report from SOCRadar, Black Basta has advanced its tradecraft by combining new social engineering techniques, commodity malware such as Zbot and DarkGate, and custom tooling to infiltrate and compromise targeted networks. With victims across multiple critical sectors worldwide, the group's methods underline the need for layered security controls and proactive defense.

Community Impact

Retail and hospitality organizations are at significant risk from Black Basta’s ransomware campaigns. These industries, with their heavy reliance on digital transactions and customer data, are attractive targets for credential theft and ransomware deployment. The group’s abuse of legitimate remote access tools raises the stakes, because a compromised system in these environments can lead to service outages and supply chain disruption. RH-ISAC Core Members are encouraged to review this report and the SOCRadar report it summarizes, and to ingest the indicators of compromise listed below.

Technical Analysis

Black Basta’s current campaign shows how the group chains social engineering with off-the-shelf and custom tooling. The intrusion typically begins with an email flood (mass subscription spam) that overwhelms the target’s inbox and buries any legitimate security notices. Attackers then contact the victim over Microsoft Teams, impersonating internal IT or help-desk staff offering to fix the spam problem, and talk the user into installing a remote access tool such as AnyDesk or TeamViewer. That remote session is the initial foothold from which the malware is deployed.

Malware used by Black Basta includes Zbot, a Zeus-family credential stealer whose harvested credentials enable lateral movement, and DarkGate, a loader and remote access trojan used to stage data exfiltration and the ransomware payload; DarkGate evades detection with techniques such as process hollowing and encrypted payloads. Custom scripts and bespoke tools are tailored to each victim environment, so detection cannot rely on known-bad file hashes alone and must cover the behaviours (remote access tool installation, memory injection, credential access) as well.

Evasion techniques such as obfuscation, abuse of legitimate platforms (Teams, AnyDesk, TeamViewer), and QR codes sent to victims under the pretext of multi-factor authentication (MFA) setup, which instead steer them to attacker-controlled infrastructure, highlight Black Basta’s adaptability. The campaign spans critical sectors globally, with a particular focus on industries handling sensitive data or critical infrastructure.

Mitigations

Mitigations include strong privilege management, endpoint detection and response tooling that flags anomalous activity, robust email filtering, and regular security awareness training that specifically covers the email-flood-then-Teams-call pattern. Organizations should enforce MFA, restrict external Teams federation or alert on external tenants contacting staff, block or control the installation of remote access tools that are not in approved use, monitor DNS traffic for irregularities, and deploy tooling that detects memory injection and process manipulation. Monitoring for the indicators of compromise below, such as the flagged IP addresses, helps identify contact with known attacker infrastructure early; treat IP indicators as time-bound, since this infrastructure churns, and prioritise the behavioural detections above over blocklists.

Indicators of Compromise

Below is a list of IP addresses that have been flagged as potential indicators of compromise (IOCs) in relation to Black Basta’s activity, provided by SOCRadar:

172[.]81[.]60[.]122

179[.]60[.]149[.]194

185[.]130[.]47[.]96

188[.]130[.]206[.]243

65[.]87[.]7[.]151

88[.]214[.]25[.]32

94[.]103[.]85[.]114

109[.]172[.]87[.]135

109[.]172[.]88[.]38

145[.]223[.]116[.]66

147[.]28[.]163[.]206

184[.]174[.]97[.]32

185[.]229[.]66[.]224

185[.]238[.]169[.]17

193[.]29[.]13[.]60

212[.]232[.]22[.]140

45[.]61[.]152[.]154

46[.]8[.]232[.]106

46[.]8[.]236[.]61

66[.]78[.]40[.]86

8[.]209[.]111[.]227

8[.]211[.]34[.]166

91[.]212[.]166[.]91

93[.]185[.]159[.]253
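To act on the guidance above to ingest the indicators and match them against network telemetry, the following is an added example (not SOCRadar’s or RH-ISAC’s code) that refangs the listed IP addresses and scans firewall and proxy log lines for any contact with them. The IP list is the one published above; the log lines are constructed for the demonstration and do not come from any real incident.

```python
"""Refang the defanged IP indicators from the list above and match them against
proxy/firewall log lines.  Added example; not SOCRadar or RH-ISAC tooling."""
import ipaddress
import re

# The 24 IP indicators exactly as the advisory publishes them (defanged with "[.]").
DEFANGED_IOCS = """
172[.]81[.]60[.]122
179[.]60[.]149[.]194
185[.]130[.]47[.]96
188[.]130[.]206[.]243
65[.]87[.]7[.]151
88[.]214[.]25[.]32
94[.]103[.]85[.]114
109[.]172[.]87[.]135
109[.]172[.]88[.]38
145[.]223[.]116[.]66
147[.]28[.]163[.]206
184[.]174[.]97[.]32
185[.]229[.]66[.]224
185[.]238[.]169[.]17
193[.]29[.]13[.]60
212[.]232[.]22[.]140
45[.]61[.]152[.]154
46[.]8[.]232[.]106
46[.]8[.]236[.]61
66[.]78[.]40[.]86
8[.]209[.]111[.]227
8[.]211[.]34[.]166
91[.]212[.]166[.]91
93[.]185[.]159[.]253
"""


def refang(indicator: str) -> str:
    """Reverse common defanging so an indicator can be parsed: 1[.]2[.]3[.]4 -> 1.2.3.4."""
    s = indicator.strip()
    for token in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def load_ip_iocs(text: str) -> set:
    """Parse a defanged indicator list into a set of ipaddress objects.

    Blank lines, comments and entries that are not bare IPs (domains, hashes)
    are skipped, so one malformed entry cannot silently poison the watchlist.
    """
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            iocs.add(ipaddress.ip_address(refang(line)))
        except ValueError:
            continue
    return iocs


# Loose IPv4 pattern; ipaddress.ip_address() below rejects octets above 255.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines, iocs):
    """Return (line_number, matched_ip, line) for each line containing a listed IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for candidate in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. "300.1.1.1" is not a valid address
            if ip in iocs:
                hits.append((n, str(ip), line))
    return hits


# Constructed sample log lines for demonstration only; not from any real incident.
SAMPLE_LOG = [
    "2024-12-10T09:14:02Z fw01 action=allow src=10.20.30.41 dst=185.130.47.96 dport=443 proto=tcp",
    "2024-12-10T09:14:07Z proxy01 src=10.20.30.41 method=CONNECT host=anydesk.com:443 status=200",
    "2024-12-10T09:15:30Z fw01 action=allow src=10.20.30.41 dst=8.209.111.227 dport=443 proto=tcp",
    "2024-12-10T09:16:00Z fw01 action=allow src=10.20.30.41 dst=8.8.8.8 dport=53 proto=udp",
]


if __name__ == "__main__":
    watchlist = load_ip_iocs(DEFANGED_IOCS)
    for line_no, ip, line in scan_log_lines(SAMPLE_LOG, watchlist):
        print(f"line {line_no}: contact with listed IP {ip}: {line}")
```

Run it as a script to see the two constructed hits (lines 1 and 3); in practice, feed `scan_log_lines` with lines read from the SIEM export or standard input. Exact IP matching is deliberate: widening to CIDR ranges around these addresses would generate noise against shared hosting, and IP indicators for this actor should be refreshed from the source report rather than kept indefinitely.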
