Attackers Linked to Black Basta Use SystemBC Malware

A new social engineering campaign connected to the Black Basta ransomware group has been identified, targeting users with credential theft attempts and deploying a malware dropper known as SystemBC.

According to researchers, the attackers follow a consistent pattern: they first flood the target's inbox with an email bomb, then place phone calls in which they pose as IT support offering to fix the problem. These calls are often made through Microsoft Teams.

The attack proceeds by tricking users into downloading and installing a legitimate remote access software called AnyDesk. This software then serves as a channel for deploying additional malware and extracting sensitive information.

One of the malicious components used is an executable named “AntiSpam.exe,” which falsely claims to download email spam filters and prompts users to enter their Windows credentials for an update.

The malware chain continues with the execution of various binaries, DLL files, and PowerShell scripts. This includes a Golang-based HTTP beacon that contacts a remote server, a SOCKS proxy, and SystemBC itself.

To protect against these threats, it’s recommended to block unauthorized remote desktop applications and be cautious of suspicious calls and texts that appear to come from internal IT staff.

This report coincides with the rise of other prominent malware loaders in 2024, such as SocGholish (also known as FakeUpdates), GootLoader, and Raspberry Robin, which are often used to deliver ransomware, according to data from cybersecurity sources.

“GootLoader has recently entered the top three malware loaders, replacing QakBot as its activity decreases,” noted the cybersecurity firm.

These loaders are frequently advertised on dark web forums, where they are sold through subscription models. This approach provides even less technically skilled cybercriminals with tools for sophisticated attacks, including regular updates and new features to avoid detection.

Phishing attacks are also deploying information stealer malware like 0bj3ctivity Stealer using loaders such as Ande Loader, which features advanced techniques like script obfuscation and memory injection to evade detection.

Recent phishing and social engineering campaigns include:
– ClearFake, which uses compromised webpages to distribute .NET malware disguised as a Google Chrome update.
– A phishing attack utilizing job-related lures to spread AsyncRAT, Pure HVNC, XWorm, and Venom RAT via a Python shellcode loader.
– Fake websites imitating HSBC, Santander, Virgin Money, and Wise to distribute AnyDesk Remote Monitoring and Management (RMM) software, which is then used to steal sensitive data.
– A fraudulent site (“win-rar[.]co”) masquerading as WinRAR, which deploys ransomware, a cryptocurrency miner, and Kematian Stealer from GitHub.
– Drive-by download attacks via malicious ads or compromised sites that deliver NetSupport RAT.
– A social media malvertising campaign hijacking Facebook pages to promote a fake AI photo editor website, which tricks victims into downloading ITarian’s RMM tool; that tool is then used to distribute Lumma Stealer.

“The increase in social media-targeted malicious activities underscores the need for strong security measures to safeguard account credentials and prevent unauthorized access,” researchers emphasized.

To defend against attacks linked to the Black Basta group and SystemBC malware, implement strong security practices such as blocking unauthorized remote desktop applications and scrutinizing any unsolicited phone calls or messages that claim to be from IT support. Avoid downloading or installing software from unfamiliar sources and always verify the legitimacy of requests for sensitive information.
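As an added illustration of the "block unauthorized remote desktop applications" advice above (not code from the original report), the following detection logic runs over constructed process-creation telemetry and flags the chain the report describes: AnyDesk launched without approval, the AntiSpam.exe lure, and an interpreter spawned from an AnyDesk session. The event field names (host, image, parent_image) follow a generic Sysmon-style schema and are an assumption; the APPROVED_RMM allowlist is a placeholder an organisation would fill with its sanctioned tools.

```python
# Detection over constructed process-creation events for the AnyDesk -> AntiSpam.exe
# -> PowerShell chain. Field names are an assumed Sysmon-style schema.
from pathlib import PureWindowsPath

# Remote-access tool named in the report; extend with other RMM executables as needed.
RMM_IMAGES = {"anydesk.exe"}
# Remote-access tools the organisation has sanctioned (assumed: none in this example).
APPROVED_RMM: set[str] = set()
# Credential-lure binary named in the report.
LURE_IMAGES = {"antispam.exe"}
# Interpreters that should not normally be launched from a remote-access session.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores install location."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list[str]:
    """Return zero or more detection labels for one process-creation event."""
    image = _basename(event["image"])
    parent = _basename(event.get("parent_image", ""))
    labels = []
    if image in RMM_IMAGES and image not in APPROVED_RMM:
        labels.append("unapproved_rmm_execution")
    if image in LURE_IMAGES:
        labels.append("credential_lure_binary")
    if parent in RMM_IMAGES and image in INTERPRETERS:
        labels.append("interpreter_spawned_by_rmm")
    return labels


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run classify() over a batch and return (host, image, label) triples."""
    return [(e["host"], _basename(e["image"]), label)
            for e in events for label in classify(e)]


# Constructed sample telemetry loosely mirroring the reported chain; not real data.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\AntiSpam.exe",
     "parent_image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Matching on the executable name alone is deliberately simple; in production, pair it with a signer or hash check so a renamed AnyDesk binary is still caught, and feed the APPROVED_RMM set from the organisation's software allowlist.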