{
  "name": "Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware",
  "slug": "black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware",
  "description": "A resurgence of activity related to the Black Basta ransomware campaign has been observed since early October 2024. The threat actors have refined their tactics, introducing new malware payloads, improved delivery methods, and enhanced defense evasion techniques. The attacks begin with email bombing of target users, followed by social engineering attempts via Microsoft Teams, in which operators impersonate IT or help-desk staff and trick users into installing remote management (RMM) tools that hand the attackers interactive access. Once access is gained, they deploy credential harvesters, Zbot, DarkGate, and custom malware. The campaign has been linked to Black Basta ransomware deployments in the past, so an intrusion detected at this stage should be treated as a likely ransomware precursor rather than an isolated phishing event. The attackers continue to update their strategies and tools rapidly, demonstrating sophisticated and persistent threat behavior. The observables attached to this report consist of 24 IPv4 addresses, 12 domains and 36 SHA-256 file hashes (see the external references for the source IOC list); network indicators should be checked for shared hosting or CDN infrastructure before being deployed as blocks. Note that the linked malware entity 'TinyZBot - S0004' is catalogued in ATT&CK as a distinct tool and likely does not correspond to the Zbot named here; verify that mapping before pivoting on it.",
  "published": "2024-12-09T21:32:46+00:00",
  "created_at": "2024-12-09T21:32:46+00:00",
  "modified_at": "2024-12-11T16:09:07+00:00",
  "created_at_opencti": "2024-12-09T21:32:46+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-09",
    "blackbasta",
    "darkgate",
    "ransomware",
    "zbot"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "93.185.159.253"
      },
      {
        "id": "",
        "name": "91.212.166.91"
      },
      {
        "id": "",
        "name": "8.211.34.166"
      },
      {
        "id": "",
        "name": "8.209.111.227"
      },
      {
        "id": "",
        "name": "66.78.40.86"
      },
      {
        "id": "",
        "name": "46.8.236.61"
      },
      {
        "id": "",
        "name": "46.8.232.106"
      },
      {
        "id": "",
        "name": "212.232.22.140"
      },
      {
        "id": "",
        "name": "193.29.13.60"
      },
      {
        "id": "",
        "name": "185.238.169.17"
      },
      {
        "id": "",
        "name": "185.229.66.224"
      },
      {
        "id": "",
        "name": "184.174.97.32"
      },
      {
        "id": "",
        "name": "147.28.163.206"
      },
      {
        "id": "",
        "name": "145.223.116.66"
      },
      {
        "id": "",
        "name": "109.172.88.38"
      },
      {
        "id": "",
        "name": "109.172.87.135"
      },
      {
        "id": "",
        "name": "94.103.85.114"
      },
      {
        "id": "",
        "name": "88.214.25.32"
      },
      {
        "id": "",
        "name": "65.87.7.151"
      },
      {
        "id": "",
        "name": "188.130.206.243"
      },
      {
        "id": "",
        "name": "185.130.47.96"
      },
      {
        "id": "",
        "name": "179.60.149.194"
      },
      {
        "id": "",
        "name": "172.81.60.122"
      },
      {
        "id": "",
        "name": "45.61.152.154"
      },
      {
        "id": "",
        "name": "doc2.docu-duplicator.com"
      },
      {
        "id": "",
        "name": "doc1.docu-duplicator.com"
      },
      {
        "id": "",
        "name": "doc.docu-duplicator.com"
      },
      {
        "id": "",
        "name": "dns.winsdesignater.com"
      },
      {
        "id": "",
        "name": "summerrain.cloud"
      },
      {
        "id": "",
        "name": "posetoposeschool.com"
      },
      {
        "id": "",
        "name": "mailh.org"
      },
      {
        "id": "",
        "name": "dropmeafile.com"
      },
      {
        "id": "",
        "name": "crystallakehotels.com"
      },
      {
        "id": "",
        "name": "brownswer.com"
      },
      {
        "id": "",
        "name": "blazingradiancesolar.com"
      },
      {
        "id": "",
        "name": "bigdealcenter.world"
      },
      {
        "id": "",
        "name": "fb444e7bb7c8f48207ceeba8bad9c2b9ae9c726ac28916c5be5390ba67c2c77c"
      },
      {
        "id": "",
        "name": "ef28a572cda7319047fbc918d60f71c124a038cd18a02000c7ab413677c5c161"
      },
      {
        "id": "",
        "name": "ee79f4e87e0b393c952b478c9a30f35802c09f93e899ecf6b40d8d6625188031"
      },
      {
        "id": "",
        "name": "ec669387150865b59bbf98b41a770235ba4fd632aab33433c2d493460ef52479"
      },
      {
        "id": "",
        "name": "ebbe6a9e1188e2ee1651b5c68b6b508fb52b9e8896dbbeb0f4e126961ba94982"
      },
      {
        "id": "",
        "name": "c69ab262ac3f73277c4b9a777a408f57feb618e2e00bc2e66e8d97274083c742"
      },
      {
        "id": "",
        "name": "d90afa08e38c15bb3e48187e436645b42d4d856e219242cb6c33085c4c1611db"
      },
      {
        "id": "",
        "name": "c675130390b4ee16ea72dea30807939b1306d373c5b7ffe0cf1d2afaffc402b6"
      },
      {
        "id": "",
        "name": "c50271cc3e26651a5b5384894490c7153c56b86435e61b5ca206f8e9c5c5542f"
      },
      {
        "id": "",
        "name": "c4942f989530f09b499978721d282998eaa77be31a4361ac6250f1df721decb9"
      },
      {
        "id": "",
        "name": "9a21ec5a25dfe7ca51d4a843a96bfb6e650dc999d3b6d4bd771571359b3bea0a"
      },
      {
        "id": "",
        "name": "95a6c06ac691bec0ac2140b6590c96488feb8bc6c3ca501d1fe8ee7cbf9d0f8b"
      },
      {
        "id": "",
        "name": "97daf5e1b2519a655397173fb5af346f9435fb4acf097d10ad4ffde464d21c09"
      },
      {
        "id": "",
        "name": "729f08249b9f55f17fe7762d6c41c619127e0a7798194b7ff18f06003ff3d041"
      },
      {
        "id": "",
        "name": "71e08a89ecdfac3bb490bec6c4115cfd71de744897fd8b7dd7383646e911858e"
      },
      {
        "id": "",
        "name": "717aed4c123a3cde0695818f7038c1092d9dcd7c910ac5ddba96d5e348e1337f"
      },
      {
        "id": "",
        "name": "67c8bc21bbdcc59f7fd2b0a6f0f6c98f0076a0142e94cb3f158155e0ca9ac71a"
      },
      {
        "id": "",
        "name": "5e9fbae0b94f6e36717bbd2c997981ba438d7efd800e76924f73452a69c04051"
      },
      {
        "id": "",
        "name": "5fef7a5db4b1c216c9fc37d55143e5b635e8833d82f95004bb4fb47060fdf447"
      },
      {
        "id": "",
        "name": "57d8296dd901491d37e7c79d0fe95188f3b7c94affc71c8e732daea8369cfa4f"
      },
      {
        "id": "",
        "name": "4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4"
      },
      {
        "id": "",
        "name": "474ba7f2fb18b7b55fc077513cda6f6d36fb79e58065c556724ea049a392e327"
      },
      {
        "id": "",
        "name": "42ffc3eb728ccc83cf4f115c6a3e32c01ef80869b9f2c4f2d62a7a88c7bf4bc2"
      },
      {
        "id": "",
        "name": "3b7e06f1ccaa207dc331afd6f91e284fec4b826c3c427dffd0432fdc48d55176"
      },
      {
        "id": "",
        "name": "38ee04ee9d3b3912013d54483d8f822eebd0367408b369bc09f46cb339a54313"
      },
      {
        "id": "",
        "name": "2f5301125627331f56db76046d177493d8b0a814cdd9cafad3981aad97383163"
      },
      {
        "id": "",
        "name": "2a8a49d9c25d786a5108a53d0b3281677b299540f54580a7b49aa8de78ec0ee1"
      },
      {
        "id": "",
        "name": "1896ab744e436ca52a1c6c64a4608dbb8e5597e35d13be1f3c56bc65eb44e532"
      },
      {
        "id": "",
        "name": "1656c55c8516bd650fe59b71a5886ecf508deb927ed3c8465cf0ad5923c35958"
      },
      {
        "id": "",
        "name": "14aad4fcc77e5fd7e7782c9c5714d1a4187e60e75a765b71d5d41b920bbae31a"
      },
      {
        "id": "",
        "name": "146494eb276fc4539bffa6896b958e29a417a5959a5c10d100caf48514b66864"
      },
      {
        "id": "",
        "name": "0482dc9c6ed46e247682e1d4ae5c5a037ef0b66f3b22af9ae25ac072028dd7a2"
      },
      {
        "id": "",
        "name": "db34e255aa4d9f4e54461571469b9dd53e49feed3d238b6cfb49082de0afb1e4"
      },
      {
        "id": "",
        "name": "a9f2c4bc268765fc6d72d8e00363d2440cf1dcbd1ef7ee08978959fc118922c9"
      },
      {
        "id": "",
        "name": "49405370a33abbf131c5d550cebe00780cc3fd3cbe888220686582ae88f16af7"
      },
      {
        "id": "",
        "name": "22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:43ec71b6d2e421d7",
        "name": "TinyZBot - S0004",
        "slug": "tinyzbot-s0004"
      },
      {
        "id": "legacy:malware:7c078901ec82eaf2",
        "name": "DarkGate - S1111",
        "slug": "darkgate-s1111"
      },
      {
        "id": "legacy:malware:4b474c7d91ebdc7d",
        "name": "Black Basta - S1070",
        "slug": "black-basta-s1070"
      }
    ],
    "intrusion_sets": [
      {
        "id": "0bece76f-74f5-4f83-9e2d-61c964917309",
        "name": "BlackBasta",
        "slug": "blackbasta"
      }
    ],
    "attack_patterns": [
      {
        "id": "397ed6b1-0142-4167-b0e0-bd69a9adf819",
        "name": "T1566.003"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ]
  },
  "external_refs": [
    "https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware",
    "https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/BlackBasta_SocialEngineering_IOCs.txt",
    "https://otx.alienvault.com/pulse/6757700ec99901364ceb88f2"
  ]
}