Black Basta Using QBot Banking Trojan Malware to Target US-Based Companies

QBot Backdoor Opens Systems to Loading Cobalt Strike, Ransomware and Other Malware

Researchers say the Black Basta group is dropping QBot malware — also called QakBot — in a widespread ransomware campaign targeting mostly U.S.-based companies. QBot malware is a banking Trojan primarily designed to steal banking data, including browser information, keystrokes and credentials. Its previous targets include JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo.

In the group’s latest campaign, attackers are again using QBot to install a backdoor and then deploy encryption malware and other malicious code. The attack usually commences within 12 hours of the initial breach.

The Black Basta ransomware gang surfaced in April 2022 and is known for using double-extortion tactics. “They steal sensitive files and information from victims and later use it to extort victims by threatening to publish the data unless the ransom is paid,” researchers say.

In one example, researchers describe how a QBot infection resulted in multiple key machines loading Cobalt Strike, which triggered the deployment of Black Basta ransomware. The attackers then locked the victim out of the network by disabling DNS services, which made recovery more difficult.

Multiple Black Basta infections delivered through QBot were observed in early November. They began with spam or phishing emails containing malicious links. QBot was Black Basta’s primary means of maintaining a presence on victims’ networks and disabling their security mechanisms, such as EDR and antivirus programs.

Deployment of Black Basta

The attack typically begins with a phishing email that infects the targeted machine. The attackers then expand their control of the network, gathering information and credentials, in order to deploy Black Basta ransomware on as many systems as possible.

The attackers also scan for the EDR installed on the machine through the wmic.exe executable. The attacker then manually spawns a cmd.exe process on one server and attempts to uninstall the EDR/antivirus software.

Once deployed, the ransomware generates a ransom note file named “readme.txt” in each encrypted folder on every infected machine. After the note is created, the file encryption routine runs: files on each machine are encrypted and a random extension is appended to each file.
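The deployment steps described above (EDR enumeration through wmic.exe, a cmd.exe-spawned uninstall attempt, DNS services being stopped, and a “readme.txt” note dropped beside files carrying one new random extension) map onto telemetry a defender already collects. The following is an added example, not code from the article or the researchers it cites: a small Python detector run over constructed, Sysmon-style process-creation and file-creation events. The event layout, the host names, the command lines (including the WMI SecurityCenter2/AntiVirusProduct query, the “call uninstall” form and “net stop dns”) and the “.x7q2k” extension are assumptions made for the example, not artefacts from the reported intrusion.

```python
"""Toy detector for the post-exploitation steps described in the article.

Events are constructed dicts that mimic Sysmon fields: "image", "parent" and
"cmdline" (event ID 1, process create) or "file" (event ID 11, file create).
None of this is real telemetry from the reported Black Basta intrusion.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events (assumed command lines, not observed ones).
SAMPLE_EVENTS = [
    {"host": "srv01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "srv01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic product where \"name like '%Endpoint%'\" call uninstall /nointeractive"},
    {"host": "dc01", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net stop dns"},
    # Benign wmic use: should NOT be flagged.
    {"host": "ws22", "user": r"CORP\asmith",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "wmic os get caption"},
    # File-create events: a ransom note plus files with one appended extension.
    {"host": "ws22", "user": r"CORP\asmith", "file": r"C:\Users\asmith\Documents\readme.txt"},
    {"host": "ws22", "user": r"CORP\asmith", "file": r"C:\Users\asmith\Documents\budget.xlsx.x7q2k"},
    {"host": "ws22", "user": r"CORP\asmith", "file": r"C:\Users\asmith\Documents\plan.docx.x7q2k"},
    {"host": "ws22", "user": r"CORP\asmith", "file": r"C:\Users\asmith\Documents\notes.txt.x7q2k"},
]

# Process rules: (rule name, predicate over one event). Each mirrors one step
# the article describes; the exact command-line patterns are assumptions.
RULES = [
    # Step: scanning for the installed EDR/antivirus via wmic.exe.
    ("av_enumeration_via_wmic",
     lambda e: "wmic" in e.get("image", "").lower()
     and re.search(r"securitycenter2|antivirusproduct", e.get("cmdline", ""), re.I)),
    # Step: cmd.exe spawned on a server, then an attempt to uninstall security software.
    ("security_product_uninstall",
     lambda e: e.get("parent", "").lower().endswith("cmd.exe")
     and re.search(r"\bcall\s+uninstall\b|msiexec(\.exe)?\s+/x", e.get("cmdline", ""), re.I)),
    # Step: DNS services disabled to lock the victim out of the network.
    ("dns_service_stop",
     lambda e: re.search(r"\b(net|sc)(\.exe)?\s+stop\s+dns\b", e.get("cmdline", ""), re.I)),
]

# Extensions that are ordinary on a file share; anything else shared by many
# freshly created files next to a ransom note is suspicious.
COMMON_EXTS = {"txt", "docx", "xlsx", "pdf", "pptx", "jpg", "png", "exe", "dll", "log"}


def detect_process_events(events):
    """Return (host, rule_name, cmdline) for every process event a rule matches."""
    hits = []
    for e in events:
        if "cmdline" not in e:
            continue
        for name, pred in RULES:
            if pred(e):
                hits.append((e["host"], name, e["cmdline"]))
    return hits


def detect_encryption_artifacts(events, min_files=3):
    """Return (host, directory, extension, count) for directories that hold a
    readme.txt together with at least `min_files` files sharing one uncommon
    extension, the on-disk footprint the article attributes to the ransomware."""
    by_dir = defaultdict(list)
    for e in events:
        if "file" in e:
            directory, _, fname = e["file"].rpartition("\\")
            by_dir[(e["host"], directory)].append(fname.lower())
    hits = []
    for (host, directory), names in by_dir.items():
        if "readme.txt" not in names:
            continue
        exts = Counter(n.rsplit(".", 1)[-1] for n in names if "." in n and n != "readme.txt")
        for ext, count in exts.items():
            if ext not in COMMON_EXTS and count >= min_files:
                hits.append((host, directory, ext, count))
    return hits


if __name__ == "__main__":
    for hit in detect_process_events(SAMPLE_EVENTS):
        print("PROCESS", *hit)
    for hit in detect_encryption_artifacts(SAMPLE_EVENTS):
        print("FILES  ", *hit)
```

Each process rule fires on one event in the sample set, in the order the article lists the steps, while the benign “wmic os get caption” is ignored; the file rule flags the Documents folder because a readme.txt sits beside three files that all gained the same unfamiliar extension. In practice the command-line patterns would be tuned to the products and service names in your environment, and the file rule would be fed from a file-create stream rather than a static list.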