Chapter 1: Key Trends and Outlook
Black Basta is one of the most prolific ransomware families of recent years and began its campaign in April 2022. The first variant was identified by SentinelOne, and it was later revealed that Black Basta operates as a ransomware-as-a-service (RaaS). Black Basta is often compared to Conti and was suspected of being run by the same actors because of the similar modus operandi and ransom notes; however, researchers have not found conclusive evidence tying Black Basta to the Conti actors.

Financially motivated, Black Basta targets critical infrastructure in order to extort high-profile victims. According to CISA, "Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia". The healthcare industry is a lucrative and attractive target because of its size and because the disruption ransomware causes to day-to-day operations raises the pressure on the victim to pay. In addition, Black Basta actors use a double extortion method to increase the likelihood that the ransom is paid.

Black Basta remains highly active and continues to evolve. It has become increasingly aggressive towards the healthcare sector; the latest major case is the successful attack on Ascension, a major US healthcare network that operates 140 hospitals and 40 senior care facilities across 19 states and the District of Columbia.
Chapter 2: Technical Analysis
MITRE ATT&CK TTPs

INITIAL ACCESS
Black Basta actors normally use spear phishing to obtain access to the victim's environment. Qakbot has also been observed as an initial access vector in at least one of their campaigns. Qakbot was originally built as a banking trojan for stealing user credentials; over time it evolved into a multipurpose tool whose capabilities include dropping additional malware, and it has been used this way in campaigns involving Black Basta, Conti, ProLock, Egregor, REvil, MegaCortex, Royal, and PwndLocker.
In more recent campaigns, Black Basta actors have also followed up spear phishing with vishing (voice phishing). The actors impersonated Microsoft Quick Assist support and used remote monitoring and management (RMM) tools such as ScreenConnect and NetSupport Manager to gain control of the victim's system.
A notable vulnerability Black Basta actors exploited to gain initial access through a public-facing application:
● (CVE-2024-1709) affecting ConnectWise Screen Connect
Update (November 8th 2024): Recent techniques include email bombing—a tactic used to send a large volume of spam emails—to aid social engineering over Microsoft Teams and trick victim end users into providing initial access via remote monitoring and management (RMM) tools.
DISCOVERY AND EXECUTION
Black Basta actors use SoftPerfect Network Scanner (netscan.exe) to enumerate the victim's network. The tool was staged on the victim's C: drive under innocuous file names such as "intel" or "dell" so that it would not raise suspicion.
LATERAL MOVEMENT
Black Basta actors used BITSAdmin and PsExec to drop and execute malicious scripts, often in combination with RDP, to move laterally. Splashtop, ScreenConnect, and Cobalt Strike beacons were also used to support lateral movement.
A notable vulnerability Black Basta actors exploited in their lateral movement phase:
● (CVE-2022-27925) affecting Zimbra
PRIVILEGE ESCALATION
Mimikatz was the most commonly observed credential-dumping tool used by Black Basta actors to escalate privileges on a compromised system. Black Basta actors were also frequently seen exploiting known software vulnerabilities to elevate their access.
Notable vulnerabilities Black Basta actors exploited in their campaigns include:
● ZeroLogon (CVE-2020-1472) affecting Windows’ NETLOGON Protocol
● NoPac (CVE-2021-42278 and CVE-2021-42287) affecting Microsoft Active Directory
● PrintNightmare (CVE-2021-34527) affecting Windows’ Print Spooler
DEFENSE EVASION
Several defense evasion techniques were observed: PowerShell used to disable the victim's antivirus, and deployment of Backstab, a tool that disables Endpoint Detection and Response (EDR) agents. With the host's defenses turned off, the campaign can proceed to the final phase of exfiltration and data encryption.
EXFILTRATION AND ENCRYPTION
Before encryption begins, Black Basta actors exfiltrate the victim's data using RClone to enable their post-compromise strategy, double extortion, in which they threaten to release or sell the stolen data if the victim refuses to pay the ransom.
Once exfiltration succeeds, Black Basta actors encrypt the files on the victim's system using the ChaCha20 algorithm, with the file encryption key protected by an RSA-4096 public key, append the ".basta" extension to the encrypted files, and leave a "readme.txt" ransom note.
To further disrupt the victim's operations and hinder recovery, vssadmin.exe is executed to delete volume shadow copies.
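The following is an added hunting script, not code from the original report, that runs the Discovery, Defense Evasion and Encryption observations above against Sysmon process-creation telemetry: a renamed netscan.exe, rclone, PsExec or Mimikatz is caught through the PE OriginalFileName (which a file rename does not change), shadow-copy deletion through vssadmin or wmic, and PowerShell turning Defender real-time protection off. It assumes Sysmon with process-creation logging and an elevated session; the OriginalFileName values are the ones these tools' PE headers are commonly reported with (PsExec records "psexec.c"), so validate them against your own samples. The four events at the bottom are constructed so the rules can be exercised offline.

```powershell
# Added example, not from the original report. Hunts Sysmon Event ID 1 for
# Black Basta-style tradecraft: renamed tooling, shadow-copy deletion and
# Defender real-time protection being disabled.

$rules = @(
    @{ Name = 'Renamed recon/exfil/credential tool'; Technique = 'T1036.003'
       Test = { param($e)
           # OriginalFileName comes from the PE version resource; renaming intel.exe does not change it
           $e.OriginalFileName -match '^(netscan\.exe|rclone\.exe|psexec\.c|psexesvc\.exe|mimikatz\.exe)$' -and
           [IO.Path]::GetFileNameWithoutExtension($e.Image) -ne [IO.Path]::GetFileNameWithoutExtension($e.OriginalFileName) } }
    @{ Name = 'Shadow copy deletion'; Technique = 'T1490'
       Test = { param($e)
           ($e.Image -match '\\vssadmin\.exe$' -and $e.CommandLine -match 'delete\s+shadows') -or
           ($e.Image -match '\\wmic\.exe$' -and $e.CommandLine -match 'shadowcopy\s+delete') } }
    @{ Name = 'Defender real-time protection disabled'; Technique = 'T1562.001'
       Test = { param($e)
           $e.Image -match '\\(powershell|powershell_ise|pwsh)\.exe$' -and
           $e.CommandLine -match 'Set-MpPreference.*DisableRealtimeMonitoring\s+(\$true|1)\b' } }
)

function ConvertFrom-SysmonProcessCreate {
    # Flattens the EventData of a Sysmon Event ID 1 record into the fields the rules use.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.GetAttribute('Name')] = $node.'#text' }
    [pscustomobject]@{
        Time             = $Record.TimeCreated
        Computer         = $Record.MachineName
        User             = $data['User']
        Image            = $data['Image']
        OriginalFileName = $data['OriginalFileName']
        CommandLine      = $data['CommandLine']
    }
}

function Find-BlackBastaTradecraft {
    # Returns one finding per (event, matching rule) pair.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($rule in $rules) {
            if (& $rule.Test $e) {
                [pscustomobject]@{
                    Time = $e.Time; Computer = $e.Computer; User = $e.User
                    Rule = $rule.Name; Technique = $rule.Technique; CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry) mirroring the behaviours described in the report.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; Computer = 'WS01'; User = 'CORP\jdoe'
                       Image = 'C:\intel\intel.exe'; OriginalFileName = 'netscan.exe'
                       CommandLine = 'intel.exe /hide /auto:C:\intel\out.xml' }
    [pscustomobject]@{ Time = Get-Date; Computer = 'SRV02'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\vssadmin.exe'; OriginalFileName = 'VSSADMIN.EXE'
                       CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Time = Get-Date; Computer = 'WS01'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; OriginalFileName = 'PowerShell.EXE'
                       CommandLine = 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"' }
    [pscustomobject]@{ Time = Get-Date; Computer = 'WS01'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\notepad.exe'; OriginalFileName = 'NOTEPAD.EXE'
                       CommandLine = 'notepad.exe' }   # benign control, must not match
)

$events = [System.Collections.Generic.List[object]]::new()
$sample | ForEach-Object { $events.Add($_) }

# Last 24 hours of live Sysmon data, if the log is present on this host.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object { $events.Add((ConvertFrom-SysmonProcessCreate $_)) }

Find-BlackBastaTradecraft -Events $events |
    Format-Table Time, Computer, User, Rule, Technique, CommandLine -AutoSize
```

The three constructed malicious events each produce one finding and the notepad control produces none. Matching on OriginalFileName rather than the on-disk name is the point of the first rule: it is what makes the "intel"/"dell" masquerade described above visible, and it carries over unchanged to any other tool whose PE metadata you record.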
Chapter 3: Update February 24th 2025, Leaked Internal Chat History

On February 11, 2025, a series of leaked chat logs from the Matrix communication protocol revealed critical insights into Black Basta’s internal dysfunction. These logs, covering September 18, 2023, to September 28, 2024, show increasing tensions within the group. Leadership conflicts, unfulfilled ransom negotiations, and the mishandling of technical operations plagued the organization. Members frequently struggled with malware deployment, encountering last-minute technical failures that jeopardized their attacks. Some operators even collected ransom payments without providing victims with a working decryption key, further damaging the group’s reputation.
The leaks also indicate that Black Basta’s leadership, particularly Oleg Nefedovaka (aliases: GG, AA, Trump), made decisions for personal financial gain rather than for the collective benefit of the group. This caused frustration among key administrators like “Lapa,” who felt overworked, underpaid, and often insulted by higher-ranking members. These tensions ultimately led to a loss of trust, with some members defecting to other ransomware operations.
The leak also offers a glimpse into the background of the Black Basta operation, including the pressure tactics used in negotiations to extract higher payments, and a set of newly released IOCs.
BLACK BASTA’S ATTACK ON RUSSIAN BANKS & INTERNAL CONFLICT
One of the most controversial revelations in the leaks is Black Basta’s involvement in attacking Russian banking institutions. This move was unexpected, as ransomware groups with ties to Russia typically avoid targeting domestic organizations to evade scrutiny from Russian law enforcement. The decision led to immediate internal backlash, particularly from “Cortes,” a well-known Qakbot affiliate. Cortes was reportedly surprised that a Russian-linked ransomware group would launch such attacks and actively distanced himself and the Qakbot botnet from these operations.
Although the leaks do not indicate that Russian law enforcement has taken direct action against Black Basta, the possibility of future repercussions remains. This uncertainty likely contributed to internal instability, as members became increasingly concerned about the potential fallout from these actions.
KEY ACTORS AND THEIR ROLES
The chat logs provide insight into several key figures within Black Basta’s hierarchy. “Lapa,” a high-level administrator responsible for operational coordination, was frequently overwhelmed and dissatisfied with the group’s leadership. Another key figure, “YY,” managed support operations but became vulnerable after multiple arrests within the group. “Tramp” (also known as Larva-18) was responsible for maintaining a spam network that distributed Qakbot malware, though his activities became a source of conflict. Additionally, “Bio,” formerly known as “Pumba” from the Conti ransomware group, played a significant role in managing Black Basta’s risk and ransom negotiations. However, his arrest further destabilized the group, leading to even greater uncertainty about its future.
LEADERSHIP CONFLICTS & OPERATIONAL DYSFUNCTION
● Power Struggles
The group’s leader, Oleg Nefedovaka (aka GG, AA, Trump), was accused of prioritizing personal financial gain over the interests of the team. Disputes over decision-making and exclusion of members (e.g., @nickolas attempted to remove a leadership figure) led to fractures within the group.
● Payment Dispute
Developers and coders, particularly those responsible for ransomware development (e.g., MAKAP – coder ssd), were promised 10% payments but only received 5%, leading to dissatisfaction and delays in malware development.
● Targeting Disagreements
Internal arguments arose over attacking Russian banking infrastructure, with Qakbot affiliates such as “Cortes” refusing to support these attacks. This created a divide within the group, causing key members to withhold resources and botnet access.
● Member Defection
Key members, including developers and administrators, defected to other ransomware groups such as Cactus and Akira, signaling the beginning of Black Basta’s fragmentation.
SECURITY FAILURES & INTERNAL THREATS
● Unauthorized Access & Data Exfiltration:
Internal logs suggest that RDP sessions were established at unapproved times, raising concerns over unauthorized access by external actors or insiders. Data leaks were suspected within the group, with @nickolas hinting that stolen credentials were being systematically collected and accessed by unauthorized parties.
● Compromised Infrastructure:
The ransomware operation relied on a Windows-based infrastructure, with data aggregation tools potentially integrated with log collection systems like Splunk or Graylog. Suspicion emerged that law enforcement, such as the FBI, may have gained visibility into their backend systems, particularly their “Aggregator / Parser System”, which was used for credential validation and leak analysis.
● Code Sabotage:
Concerns were raised about unauthorized modifications to the ransomware code, potentially exposing group members or introducing vulnerabilities into the malware.
FINANCIAL AND TECHNICAL CAPABILITIES
Despite its internal struggles, Black Basta maintained substantial financial resources. The leaked logs reveal that the group purchased an Ivanti zero-day exploit for $200,000, demonstrating its ability to invest heavily in advanced attack methods. This aligns with previous intelligence that showed Black Basta leveraging zero-day vulnerabilities and custom malware to maximize the effectiveness of its campaigns.
However, the chat leaks also highlight the group’s operational inefficiencies. Members frequently experienced deployment issues, scrambling to fix malware execution errors just before launching attacks. This suggests that while Black Basta had significant resources, its ability to execute well-coordinated ransomware campaigns was declining. The instability within the group likely exacerbated these technical challenges, making it difficult for them to maintain the same level of efficiency seen in earlier years.
RANSOM DEMANDS & NEGOTIATION PROCESS
Ransom Amount:
● Initial Offer: $479,000
● Final Offer: $1,750,000 (Negotiated at a 50% discount)
● Payment Deadline: Discount applied if payment is made within 48 hours.
Initial Offers & Company Responses:
● Black Basta’s Initial Demand: $1,750,000
● Company’s Counteroffer: $1,000,000
● Negotiation Progress: Throughout the negotiation, demands increased, and companies were pressured into payment.
PAYMENT STRATEGIES
● Discount Offer for Quick Payment: 20% discount offered for faster payments.
● Extension of Payment Deadlines: Payment deadlines were extended for higher ransom amounts.
● Threats of Data Leakage: Some victims failed to pay and were threatened with data leaks (double extortion).
RANSOM NOTES AND THREATS
● Data Leak Threats: Victims were warned that their data would be leaked if ransom was not paid.
● Timer Usage: A timer was used to threaten the victim with data release.
● Messages: Messages included “an automatic decryption key will be provided post-payment,” although there were also discussions suggesting manual intervention.
CRYPTOCURRENCY WALLETS & PAYMENT METHODS
Cryptocurrencies Used:
● Bitcoin (BTC)
● Monero (XMR)
● Tether (USDT – TRC-20)
Wallet Addresses:
Bitcoin (BTC):
bc1qfn6vndc6mhlvvtx54ehyq7z6vel8kkctj0e0sa
bc1qvwntvw5sxtsavaya85up958pjn2eysaqcflffe
bc1qn0z8etys62cljzwjxl80k9y5nag7pq42s9lyes
bc1qsvukyqlpxpnzhedsxeyp7mmza3d9c43fslvs5e
bc1qyu9vwxthn2s0zhe8rqae5m2mg0w7lct3fxkk96
bc1qj8k6hx9xz2rv5usvt4r2fs5agyudhr5uzxcle8
bc1qyvaa2uwwgf34m3qggzmptcrm45tppfppyhhhde
Monero (XMR):
84JskFBoUddXz1bUn329NeSLw7rfxZkbJiQN7eJdtkDvZDHTPMvHEJkDGNaW47sQfC9jaQ4EDFkgxGJxof4uEgonCdY2HnK
88M7PZfDZSs3DWB6BY99uKVcnSFAsHr6eEhPmBD2psSyU6hv4EHYB6cGjpysZwEbQKTHCz3JfsiWMZLiDMoZZMSKQddFS66
86e6VhUFFHdZDrm4QJHag915m4zGxuXsi3UAyGpTDsPR4CLCnvmJ7zzanmx7Q7KJg846ZrmT911TBEMAZQq24Kqn2xpPqVZ
Ethereum (ETH):
0x010165F27A933Ac77534Ee72CE58550dC241AB16
0x2b48f85312a7e6F952A773e1234cB340FD472D9e
Tether (USDT – TRC-20):
TCws332kET8czTuhcBemmmeSrCbTDb2nyD
TNgjeQgr8dPSwK2UkhFtNpGK795cJ3yKjL
NEW INDICATORS OF COMPROMISE (IoCs)
The leaked chat logs contain a variety of IoCs, which can help security teams detect and prevent Black Basta-related attacks. These new IoCs include:
● IP Addresses: Used for command-and-control (C2) communication and lateral movement.
● Domains: Associated with ransomware payload delivery and victim communication portals.
● Hashes: Corresponding to various Black Basta ransomware variants.
Chapter 4: IOCs of Black Basta Ransomware
MALICIOUS FILES (SHA-1)
497013697aba845b400d23bd774cf2ad09f4dae5
0110e12ae768872ea5c1b194dba50cbf74ec4d84
1e2736ff9fdb9aff7f825c7f101dba35b6c4158c
1f439569e3c1c14ea9f02235f8f45c49e2764160
2084ae47dcdda6161c8697e995512448facba37c
25ce6c74a6f39289717522cad5eacdf5b9f4bae8
ec944a8daaa706ff5557d7fedd17bc6ba21bf96d
e1caf6484d899e7bb4d0c72e8bea8ff718ff073a
ddd40fb7335abc4ef736ecc12a909c6329783a05
d32e44f7e04a8c84e7159ed020dcf26b6e51416e
ce77bd3224f47ae4b8a04bd4b4be91c3550de294
c69ffb5061ec42c876531f153c5b94302d6d9daf
c419ed515b5267bb39870bdedcdd8dd8b172574c
bd0bf9c987288ca434221d7d81c54a47e913600a
ad0e80af469165da713467b13d9a2500ee340427
aa54013aeb502b4a936331deb76a6411f1f1ade7
a977631006818fc5717b9fbce0609c58080a8ab2
a1a698a0bdda712905950ba6414bb1fcabdd8e84
92408a8233567f8b10f30f83dfcdd98effe96dca
919c33adb648ce13ee8bd7c11bffbfd836936c00
8ccac360e2ca37b2fa9f5fa81b22114fb8936120
8bf65a11e42b5850e1a5f28513dae1ffc168730e
82f88c1af036181ee4e92a2f9338c152d1ff0c58
7a33162908cba6678dc75d688da1f86b54849782
796531afd0e828f451786c485f95c4c04084f461
79054b409cb1c7a36aafd9a9915f948e2f018734
757932f6038b71c5dbc380a2f28b077b41fbce9b
7131a6f16aa8534a9cec7e11e37423aea4c09784
6c90b89aad04f38c584fcee1d47fed9cd79f8ef1
591d363928f0d5f4629196d60fd899469267da09
5644a0282ac420c46d3b43fbb409eb9f7842b3af
530f9163be551b7488650542de31cdfd11307d63
4da6fef533b37a12ed1e357df66802de29c1ab5c
47dacafb5dace4c5fea931e9a7392f76fdde3e98
46257982840493eca90e051ff1749e7040895584
328a8793323f11c1d0c5f3ddedf4ae10caafb063
IP ADDRESS
Note: several entries below fall in shared cloud or CDN address space (for example 104.21.x.x is Cloudflare, 151.101.x.x is Fastly, and the 34.x/35.x entries sit in Google Cloud and AWS ranges). Treat those as hunting leads to be verified against the specific host rather than as blanket block candidates, since blocking the range will also break legitimate services.
66.249.66[.]18
95.181.173[.]227
207.126.152[.]242
72.14.196[.]50
72.14.196[.]192
72.14.196[.]2
72.14.196[.]226
46.161.27[.]151
185.219.221[.]136
64.176.219[.]106
5.78.115[.]67
46.8.16[.]77
185.7.214[.]79
185.220.100[.]240
107.189.30[.]69
5.183.130[.]92
185.220.101[.]149
188.130.218[.]39
188.130.137[.]181
46.8.10[.]134
155.138.246[.]122
80.239.207[.]200
183.181.86[.]147
34.149.120[.]3
104.21.40[.]72
34.250.161[.]149
88.198.198[.]90
151.101.130[.]159
35.244.153[.]44
35.212.86[.]55
34.251.163[.]236
34.160.81[.]203
34.149.36[.]179
104.21.26[.]145
83.243.40[.]10
35.227.194[.]51
35.190.31[.]54
34.120.190[.]48
116.203.186[.]178
34.160.17[.]71
170.130.165[.]73
45.11.181[.]44
66.42.118[.]54
79.132.130[.]211
FILE INDICATOR
C:\Users\Public\Audio\Jun.exe
C:\Users\Public\Audio\esx.zip
C:\Users\Public\Audio\7zG.exe
C:\Users\Public\Audio\7z.dll
C:\Users\Public\db_Usr.sql
C:\Users\Public\Audio\db_Usr.sql
C:\Users\Public\Audio\hv2.ps1
C:\Users\Public\7zG.exe
C:\Users\Public\7z.dll
C:\Users\Public\BitLogic.dll
C:\Users\Public\NetApp.exe
C:\Users\Public\DataSoft.exe
C:\Users\Public\BitData.exe
C:\Users\Public\DigitalText.dll
C:\Users\Public\GeniusMesh.exe
\Device\Mup\{redacted}\C$\Users\Public\Music\PROCEXP.sys
\Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse86.exe
\Device\Mup\{redacted}\C$\Users\Public\Music\POSTDump.exe
\Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse.exe
C:\Users\Public\socksps.ps1
C:\Users\Public\Thief.exe
C:\Users\All Users\{redacted}\GWT.ps1
C:\Program Files\MonitorIT\GWT.ps1
Winx86.exe (Comment: alias for cmd.exe)
C:\Users\Public\eucr.exe
C:\Windows\DS_c1.dll
*\instructions_read_me.txt
AFFILIATED DOMAINS & URLs
trailshop[.]net
realbumblebee[.]net
recentbee[.]net
investrealtydom[.]net
webnubee[.]com
artspathgroup[.]net
buyblocknow[.]com
currentbee[.]net
modernbeem[.]net
startupbusiness24[.]net
magentoengineers[.]com
childrensdolls[.]com
myfinancialexperts[.]com
limitedtoday[.]com
kekeoamigo[.]com
nebraska-lawyers[.]com
tomlawcenter[.]com
thesmartcloudusa[.]com
rasapool[.]net
artspathgroupe[.]net
specialdrills[.]com
thetrailbig[.]net
consulheartinc[.]com
otxcosmeticscare[.]com
otxcarecosmetics[.]com
artstrailman[.]com
ontexcare[.]com
trackgroup[.]net
businessprofessionalllc[.]com
securecloudmanage[.]com
oneblackwood[.]com
buygreenstudio[.]com
startupbuss[.]com
onedogsclub[.]com
wipresolutions[.]com
recentbeelive[.]com
trailcocompany[.]com
trailcosolutions[.]com
artstrailreviews[.]com
usaglobalnews[.]com
topglobaltv[.]com
startupmartec[.]net
technologgies[.]com
jenshol[.]com
simorten[.]com
investmentgblog[.]net
protectionek[.]com
moereng[.]com
exckicks[.]com
Suspected Black Basta Domains:
airbusco[.]net
allcompanycenter[.]com
animalsfast[.]net
audsystemecll[.]net
auuditoe[.]com
bluenetworking[.]net
brendonline[.]com
businesforhome[.]com
caspercan[.]com
clearsystemwo[.]net
cloudworldst[.]net
constrtionfirst[.]com
erihudeg[.]com
garbagemoval[.]com
gartenlofti[.]com
getfnewsolutions[.]com
getfnewssolutions[.]com
investmendvisor[.]net
investmentrealtyhp[.]net
ionoslaba[.]com
jessvisser[.]com
karmafisker[.]com
kolinileas[.]com
maluisepaul[.]com
masterunix[.]net
monitor-websystem[.]net
monitorsystem[.]net
mytrailinvest[.]net
prettyanimals[.]net
reelsysmoona[.]net
seohomee[.]com
septcntr[.]com
softradar[.]net
startupbizaud[.]net
startuptechnologyw[.]net
steamteamdev[.]net
stockinvestlab[.]net
taskthebox[.]net
trailgroupl[.]net
treeauwin[.]net
unitedfrom[.]com
unougn[.]com
wardeli[.]com
welausystem[.]net
wellsystemte[.]net
withclier[.]com
UPDATE (FEBRUARY 24TH 2025)
IP Address:
109.107.182[.]11 (Server IP with root access)
109.107.182[.]12 (Server IP with root access)
109.107.182[.]13 (Server IP with root access)
109.107.182[.]14 (Server IP with root access)
109.107.182[.]15 (Server IP with root access)
109.107.182[.]16 (Server IP with root access)
109.107.182[.]17 (Server IP with root access)
109.107.182[.]18 (Server IP with root access)
109.107.182[.]19 (Server IP with root access)
95.216.29[.]185 (False IP, VPS IP)
80.190.144[.]76 (Germany – Linked to botnet activity)
5.8.18[.]20 (SSH access, VPN usage)
www.dandh[.]com (Access IP related to Cisco VPN)
Hash Values (SHA-256):
c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e (Remcos RAT)
0fd52ebb37e4e5c41756133e47215547478097f9a6ff170cc442cb21276e3f36 (Remcos RAT)
6a5702c106666c1b89bcb12a450d393e6506fa387865328d06e1e230d4782548 (Remcos RAT)
50d414576bf441cca754e6e3b96dabdf35fed443ecb98f865dc89e623bc2f0e9 (Agent Tesla)
e19dfc72ad2eea815ef6b4eb9b812471b3bb3cf40333d97e3c552c87db86e65a (Formbook)
47480cd2666b1a60419731fe9795afb8a9a386079118c6a2509da375ad5aa19d (Formbook)
8589fd14aab509787fcfef35543a634aea6db383ff617176a35a7cede8c38031 (Malicious file)
Hash Values (SHA-1):
aa644941c54bf7e76ff20ba6fc208c176ed865a0 (Remcos RAT)
ba1a39bcedd7ddc7f069e96e220035d5c4844d32 (Remcos RAT)
2bbc7301056a3479106c53e0f131cfda6836bd23 (Remcos RAT)
5a59f2ef0e4b7adbc0780748063d5cee64f8a1a6 (Agent Tesla)
78227f3a159478bd377add728d206675aa3963a6 (Formbook)
5e75c057e25c43d0cf003088abc1c3468f917867 (Formbook)
f30fe1945291dd09770a0886c0f984e0d7e44850 (Malicious file)
Malicious Files:
CVE-2022-27925-zimbra_Revshell.zip (Zimbra Exploit)
rundll32.exe dll.dll,Enter (Malicious DLL execution method)
drs1312_signed.zip (Possible malware)
e6393196-f020-4c2f-88fc-45ff7e22794f_encrypt_release_allsystem_x64.zip
(Encryption tool, potentially related to ransomware)
The following is a list of IOCs mentioned in the leaked internal chat of the threat actor Black Basta Ransomware. It should be noted that the level of confidence regarding the potential danger of these IOCs is still low:
IP Address:
109.107.182[.]10 (Server IP with root access)
13.57.243[.]97 (Used for Shell, SOCKS, and FTP services)
131.228.32[.]204:443 (Target IP ports)
8.39.107[.]12:443 (Target IP ports)
199.33.86[.]13:443 (Target IP ports)
80.169.86[.]90:443 (Target IP ports)
213.242.92[.]6:443 (Target IP ports)
138.99.0[.]106:443 (Target IP ports)
212.123.201[.]244:443 (Target IP ports)
198.11.114[.]20:443 (Target IP ports)
212.84.43[.]187:443 (Target IP ports)
180.178.67[.]130:443 (Target IP ports)
208.87.12[.]200:443 (Target IP ports)
103.117.255[.]8:443 (Target IP ports)
208.87.14[.]110:443 (Target IP ports)
208.87.12[.]10:443 (Target IP ports)
216.245.80[.]8:443 (Target IP ports)
203.206.180[.]163:443 (Target IP ports)
69.26.105[.]196:443 (Target IP ports)
164.47.3[.]5:443 (Target IP ports)
52.202.132[.]150:443 (Target IP ports)
Domains:
bestflowers247[.]online (Primary communication infrastructure)
innophos[.]com (Attempted attack on company infrastructure)
russellco.vdi[.]zone (Targets within systems)
sheeheyvt[.]local (Targets within systems)
vdi.bargatemurray[.]com (Botnet connections)
Note: We recommend that organizations continue to block the IOCs above if they are not related to daily operational processes, even if the IOCs have a lower confidence level. This is because these IOCs still have a chance of being malicious.
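Acting on the lists above is harder than it looks because the entries mix formats: defanged "1.2.3[.]4", plain "1.2.3.4", "host:443" pairs, bare domains, repeated lines and trailing comments in parentheses. The script below is an added example, not part of the original report, that normalises them into objects, de-duplicates them and dry-runs outbound Windows Firewall block rules for the IP entries (domains are emitted separately for DNS or proxy denylists). The sample lines are copied from this report; the rule-name prefix and the dry-run default are assumptions.

```powershell
# Added example, not from the original report: normalise mixed defanged/plain
# indicators and turn the IP entries into (dry-run) Windows Firewall block rules.

function ConvertFrom-DefangedIndicator {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $text = ($Line -replace '\s*\(.*\)\s*$', '').Trim()          # drop "(comment)"
        if (-not $text) { return }
        $value = $text -replace '\[\.\]', '.' -replace '^hxxp', 'http' # refang
        $port  = $null
        if ($value -match '^(?<host>[^:]+):(?<port>\d{1,5})$') {     # "host:port"
            $value = $Matches.host
            $port  = [int]$Matches.port
        }
        $type = if ($value -match '^\d{1,3}(\.\d{1,3}){3}$') { 'ip' }
                elseif ($value -match '^[a-z0-9.-]+\.[a-z]{2,}$') { 'domain' }
                else { 'unknown' }
        [pscustomobject]@{ Type = $type; Value = $value.ToLowerInvariant(); Port = $port; Original = $Line.Trim() }
    }
}

function New-IndicatorBlockRule {
    # Creates one outbound block rule per IP indicator; honours -WhatIf so nothing changes by default.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Indicator, [string]$Prefix = 'BlackBasta-IOC')
    process {
        if ($Indicator.Type -ne 'ip') { return }                     # domains cannot be blocked by address
        $name   = "$Prefix-$($Indicator.Value)" + $(if ($Indicator.Port) { ":$($Indicator.Port)" })
        $params = @{ DisplayName = $name; Direction = 'Outbound'; Action = 'Block'
                     RemoteAddress = $Indicator.Value; Profile = 'Any' }
        if ($Indicator.Port) { $params.Protocol = 'TCP'; $params.RemotePort = $Indicator.Port }
        if ($PSCmdlet.ShouldProcess($name, 'New-NetFirewallRule')) { New-NetFirewallRule @params | Out-Null }
        $name
    }
}

# Lines copied from the indicator lists in this report, deliberately in their mixed formats.
$rawIndicators = @'
66.249.66[.]18
131.228.32[.]204:443 (Target IP ports)
131.228.32[.]204:443 (Target IP ports)
213.242.92.6:443 (Target IP ports)
www.dandh[.]com (Access IP related to Cisco VPN)
bestflowers247[.]online (Primary communication infrastructure)
'@ -split "`r?`n"

$indicators = $rawIndicators | ConvertFrom-DefangedIndicator | Sort-Object Type, Value, Port -Unique
$indicators | Format-Table Type, Value, Port, Original -AutoSize

# Dry run; remove -WhatIf to create the rules. Domain entries go to DNS RPZ / proxy denylists.
$indicators | Where-Object Type -eq 'ip'     | New-IndicatorBlockRule -WhatIf
$indicators | Where-Object Type -eq 'domain' | Select-Object -ExpandProperty Value
```

With the sample input the duplicate 131.228.32.204:443 line collapses to one indicator, three IP rules are proposed (one of them port-scoped) and two domains are listed for DNS blocking. Keep the low-confidence caveat from the report in mind: scope port-specific entries with their port rather than blocking the whole address, and review the rules before dropping -WhatIf.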
Chapter 5: Recommendations and Mitigations Strategies
COMBATTING CVE-2020-1472
Implement Security Patch
Organizations should apply the security update to every affected system, at minimum the release that resolves CVE-2020-1472 as listed below:
● Windows Server, version 20H2 (Server Core Installation) at least KB4601319
● Windows Server 2012 R2 (Server Core installation) at least KB4601384
● Windows Server 2012 R2 (Server Core installation) at least KB4601349
● Windows Server 2012 R2 at least KB4601384
● Windows Server 2012 R2 at least KB4601349
● Windows Server 2012 (Server Core installation) at least KB4601348
● Windows Server 2012 (Server Core installation) at least KB4601357
● Windows Server 2012 at least KB4601348
● Windows Server 2012 at least KB4601357
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) at least KB4601347
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) at least KB4601363
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 at least KB4601347
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 at least KB4601363
● Windows Server 2016 (Server Core installation) at least KB4601318
● Windows Server 2016 at least KB4601318
● Windows Server, version 1903 (Server Core installation) at least KB4565351
● Windows Server, version 1909 (Server Core installation) at least KB4601315
● Windows Server 2019 (Server Core installation) at least KB4601345
● Windows Server 2019 at least KB4601345
● Windows Server, version 2004 (Server Core installation) at least KB4601319
Note: Although the updated versions have addressed the ZeroLogon vulnerability (CVE-2020-1472), we still recommend that organizations continuously update to the latest version to stay protected against new vulnerabilities.
Enable Enforcement Mode
After applying the patch, identify devices in the organization that are still making vulnerable Netlogon secure channel connections by monitoring the System event log on each domain controller for Netlogon event IDs 5827 through 5831 (5827/5828 denied connections, 5829 vulnerable connections that were still allowed, 5830/5831 connections allowed by the policy exception). Remediate or explicitly except the non-compliant devices, then configure the domain controller to accept only secure Netlogon connections, so that only properly authenticated Netlogon sessions are allowed.
Enable enforcement mode with the following command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "FullSecureChannelProtection" -Value 1 -Type DWord
For more details on enabling enforcement mode, visit:
https://msrc.microsoft.com/blog/2020/10/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/
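The following is an added example, not code from the original report or from Microsoft, that carries out the two steps above on a domain controller: it summarises which machine or trust accounts are still behind vulnerable Netlogon connections, based on the 5827 through 5831 events, and only then switches the registry value to enforcement mode (dry-run by default). It assumes the February 2021 or later cumulative update is installed, which is what emits those events, and that the "SamAccountName:" line in the event message is where the account is recorded; check that regex against one of your own events.

```powershell
# Added example, not from the original report: review vulnerable Netlogon
# connections on this DC and then enable CVE-2020-1472 enforcement mode.
# Run in an elevated session on each domain controller.

# Netlogon event IDs documented for CVE-2020-1472:
#   5827/5828  denied vulnerable connection (machine / trust account)
#   5829       vulnerable machine-account connection allowed (only before enforcement)
#   5830/5831  allowed by the "Domain controller: Allow vulnerable Netlogon secure
#              channel connections" group policy exception
$zeroLogonEvents = 5827, 5828, 5829, 5830, 5831
$netlogonKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-VulnerableNetlogonClients {
    # One row per account seen in the events, with the worst observed outcome.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $zeroLogonEvents; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the message carries a "SamAccountName: <name>" line
            $account = if ($_.Message -match 'SamAccountName:\s*(?<name>\S+)') { $Matches.name } else { '<unparsed>' }
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Account = $account }
        } |
        Group-Object Account |
        ForEach-Object {
            $ids = $_.Group.EventId
            $outcome = if ($ids -contains 5829) { 'allowed (not yet enforced)' }
                       elseif ($ids -contains 5830 -or $ids -contains 5831) { 'allowed by policy exception' }
                       else { 'denied' }
            [pscustomobject]@{
                Account  = $_.Name
                Events   = $_.Count
                LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
                Outcome  = $outcome
            }
        }
}

function Enable-NetlogonEnforcement {
    # Sets FullSecureChannelProtection = 1 and returns the value now stored, so the caller can verify.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($netlogonKey, 'Set FullSecureChannelProtection = 1')) {
        Set-ItemProperty -Path $netlogonKey -Name 'FullSecureChannelProtection' -Value 1 -Type DWord
    }
    (Get-ItemProperty -Path $netlogonKey -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue).FullSecureChannelProtection
}

# 1. Who would break once enforcement is on?
$clients = Get-VulnerableNetlogonClients
$clients | Sort-Object Events -Descending | Format-Table -AutoSize

# 2. Enforce only when nothing is still being let through unprotected.
if (-not ($clients | Where-Object Outcome -eq 'allowed (not yet enforced)')) {
    Enable-NetlogonEnforcement -WhatIf          # drop -WhatIf to apply
} else {
    Write-Warning 'Devices still depend on vulnerable Netlogon connections; fix them or add a policy exception before enforcing.'
}
```

Accounts reported as "allowed by policy exception" are ones someone has deliberately excepted through group policy; they keep working after enforcement but remain exposed to the same attack, so the list is worth reviewing periodically rather than just once.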
COMBATTING CVE-2021-42278
Patch Management
Immediately implement the fixed version of Windows Server that Microsoft has patched as listed below:
● Windows Server 2012 R2 (Server Core installation) KB5007247
● Windows Server 2012 R2 (Server Core installation) KB5007255
● Windows Server 2012 R2 KB5007247
● Windows Server 2012 R2 KB5007255
● Windows Server 2012 (Server Core installation) KB5007260
● Windows Server 2012 (Server Core installation) KB5007245
● Windows Server 2012 KB5007260
● Windows Server 2012 KB5007245
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) KB5007236
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) KB5007233
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 KB5007236
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 KB5007233
● Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) KB5007263
● Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) KB5007246
● Windows Server 2008 for x64-based Systems Service Pack 2 KB5007263
● Windows Server 2008 for x64-based Systems Service Pack 2 KB5007246
● Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) KB5007263
● Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) KB5007246
● Windows Server 2008 for 32-bit Systems Service Pack 2 KB5007263
● Windows Server 2008 for 32-bit Systems Service Pack 2 KB5007246
● Windows Server 2016 (Server Core installation) KB5007192
● Windows Server 2016 KB5007192
● Windows Server, version 20H2 (Server Core Installation) KB5007186
● Windows Server, version 2004 (Server Core installation) KB5007186
● Windows Server 2022 (Server Core installation) KB5007205
● Windows Server 2022 KB5007205
● Windows Server 2019 (Server Core installation) KB5007206
● Windows Server 2019 KB5007206
Note: Although the updated versions have addressed the CVE-2021-42278 vulnerability we still recommend that organizations continuously update to the latest version to stay protected against new vulnerabilities.
COMBATTING CVE-2021-42287
Patch Management
Immediately implement the fixed version of Windows Server that Microsoft has patched as listed below:
● Windows Server 2012 R2 (Server Core installation) KB5007247
● Windows Server 2012 R2 (Server Core installation) KB5007255
● Windows Server 2012 R2 KB5007247
● Windows Server 2012 R2 KB5007255
● Windows Server 2012 (Server Core installation) KB5007260
● Windows Server 2012 (Server Core installation) KB5007245
● Windows Server 2012 KB5007260
● Windows Server 2012 KB5007245
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) KB5007236
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) KB5007233
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 KB5007236
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 KB5007233
● Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) KB5007263
● Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) KB5007246
● Windows Server 2008 for x64-based Systems Service Pack 2 KB5007263
● Windows Server 2008 for x64-based Systems Service Pack 2 KB5007246
● Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) KB5007263
● Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) KB5007246
● Windows Server 2008 for 32-bit Systems Service Pack 2 KB5007263
● Windows Server 2008 for 32-bit Systems Service Pack 2 KB5007246
● Windows Server 2016 (Server Core installation) KB5007192
● Windows Server 2016 KB5007192
● Windows Server, version 20H2 (Server Core Installation) KB5007186
● Windows Server, version 2004 (Server Core installation) KB5007186
● Windows Server 2022 (Server Core installation) KB5007205
● Windows Server 2022 KB5007205
● Windows Server 2019 (Server Core installation) KB5007206
● Windows Server 2019 KB5007206
Note: Although the updated versions have addressed the CVE-2021-42287 vulnerability we still recommend that organizations continuously update to the latest version to stay protected against new vulnerabilities.
COMBATTING CVE-2024-1709
Affected Versions
ScreenConnect 23.9.7 and prior
Remediation
Cloud:
○ There are no actions needed by the partner, ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue.
On-premise:
○ Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch.
○ ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommend that partners update to ScreenConnect version 23.9.8.
COMBATTING CVE-2021-34527
Patch Management
Immediately implement the fixed version of Windows Server that Microsoft has patched as listed below:
● Windows Server, version 20H2 (Server Core Installation) KB4601319
● Windows Server 2012 R2 (Server Core installation) KB4601384
● Windows Server 2012 R2 (Server Core installation) KB4601349
● Windows Server 2012 R2 KB4601384
● Windows Server 2012 R2 KB4601349
● Windows Server 2012 (Server Core installation) KB4601348
● Windows Server 2012 (Server Core installation) KB4601357
● Windows Server 2012 KB4601348
● Windows Server 2012 KB4601357
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) KB4601347
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) KB4601363
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 KB4601347
● Windows Server 2008 R2 for x64-based Systems Service Pack 1 KB4601363
● Windows Server 2016 (Server Core installation) KB4601318
● Windows Server 2016 KB4601318
● Windows Server, version 1903 (Server Core installation) KB4565351
● Windows Server, version 1909 (Server Core installation) KB4601315
● Windows Server 2019 (Server Core installation) KB4601345
● Windows Server 2019 KB4601345
● Windows Server, version 2004 (Server Core installation) KB4601319
Note: Although the updated versions have addressed the PrintNightmare vulnerability (CVE-2021-34527), we still recommend that organizations continuously update to the latest version to stay protected against new vulnerabilities.
COMBATTING CVE-2022-27925
Affected Version:
○ Zimbra 8.8 < 8.8.15 patch 33
○ Zimbra 9.0 < 9.0.0 patch 26
Remediation:
Patch Management
Immediately upgrade to a fixed version of Zimbra, at minimum the release listed below:
○ Zimbra 8.8.15 patch 33 or later
○ Zimbra 9.0.0 patch 26 or later
Note: Although the updated versions have addressed the CVE-2022-27925 vulnerability, we still recommend that organizations continuously update to the latest version to stay protected against new vulnerabilities.
ROBUST AUTHENTICATION
Implementing strong, unique passwords in accordance with NIST Special Publication 800-63B (for further details, visit:
https://pages.nist.gov/800-63-3/sp800-63b.html) and requiring phishing-resistant multi-factor authentication (MFA) are the best first line of defense.
SECURE REMOTE ACCESS SOFTWARE
Given that Black Basta actors have used remote access software to obtain initial access, every remote access tool in the environment should be secured, and any tool that is not explicitly approved should be treated as a finding.
For further information on how to secure remote access software, please visit:
https://www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software
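The following is an added example, not code from the original report or from the CISA guide, that inventories remote-access software on a Windows host so an RMM agent planted through a Quick Assist or Teams lure stands out against what the organisation actually approved. It looks in the installed-programs hives, Windows services, running processes, the Quick Assist Store package and the listening ports, and marks everything outside the approved list for review. The product patterns, port numbers, approved list and the Quick Assist package name are assumptions to adapt to your environment.

```powershell
# Added example, not from the original report: inventory remote-access / RMM
# software on this host and flag anything that is not on the approved list.
# Runs locally; some sources need an elevated session to see every entry.

$rmmPatterns = 'ScreenConnect', 'ConnectWise', 'NetSupport', 'Splashtop', 'AnyDesk',
               'TeamViewer', 'Atera', 'RustDesk', 'LogMeIn', 'QuickAssist'
$approved    = @('TeamViewer')                    # assumed: the only sanctioned product
$watchPorts  = 3389, 5900, 5938, 7070             # RDP, VNC, TeamViewer, AnyDesk defaults (assumed)

function Get-RemoteAccessSoftware {
    param([string[]]$Patterns = $rmmPatterns)
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Installed programs: 64-bit, 32-bit and per-user uninstall hives
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $regex } |
        ForEach-Object { [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Detail = $_.InstallLocation } }

    # Services: how most RMM agents persist
    Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $regex -or $_.PathName -match $regex } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Detail = "$($_.State): $($_.PathName)" } }

    # Running processes: catches portable agents that were never installed
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match $regex -or $_.Path -match $regex } |
        ForEach-Object { [pscustomobject]@{ Source = 'Process'; Name = $_.ProcessName; Detail = $_.Path } }

    # Quick Assist ships as a Store package rather than a classic installer (package name assumed)
    Get-AppxPackage -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'AppX'; Name = 'QuickAssist'; Detail = $_.Version } }
}

function Get-RemoteAccessListeners {
    # Listening sockets on the watched ports, with the owning process
    param([int[]]$Ports = $watchPorts)
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Ports } |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Source = 'Listener'; Name = "$($owner.ProcessName):$($_.LocalPort)"; Detail = $_.LocalAddress }
        }
}

$approvedRegex = ($approved | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = @(Get-RemoteAccessSoftware) + @(Get-RemoteAccessListeners)

$findings | ForEach-Object {
    $status = if ($_.Name -match $approvedRegex) { 'approved' } else { 'REVIEW' }
    $_ | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
} | Sort-Object Status, Source | Format-Table Status, Source, Name, Detail -AutoSize
```

Run it across a fleet through your management tooling and diff the "REVIEW" rows against a baseline: a ScreenConnect or NetSupport service appearing on a workstation that never had one is exactly the artefact the Quick Assist lure described above leaves behind.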
IMPLEMENT TECHNICAL CONTROLS IN YOUR WEB BROWSER EXPERIENCE
Implement technical controls such as email filtering, web filtering, and endpoint protection. By using a multi-layered security model, systems will be more resilient to phishing attempts via email.
UTILIZE EMAIL SECURITY PROTOCOLS
Ensure the integrity of received emails by using appropriate email security protocols.
NETWORK SEGMENTATION
Segment networks to limit the spread of ransomware in case of a successful attack.
REGULAR SECURITY AUDITS
Periodically review user accounts, deactivating unused ones, and ensure that access controls are stringent. Ensure unused remote access ports such as TCP/3389 (RDP) and the ports of other remote access applications (e.g., TeamViewer, AnyDesk, and VPN) are disabled from public Internet access or restricted to selected users and/or IP addresses.
SOFTWARE VIGILANCE
Keeping all software updated can shield against vulnerabilities that ransomware often exploits.
DATA BACKUPS
Conducting regular backups, especially offline ones, can be a lifesaver, ensuring data availability even after an attack. Backups restore operations but do not by themselves counter double extortion, since the data has already been stolen; limiting what an intruder can read and exfiltrate, including encrypting sensitive files, is what reduces that leverage.
ENCRYPT SENSITIVE FILES
To further protect the organization's sensitive files, encrypt them at rest to add another layer of defense. This can blunt the double extortion method the Black Basta actors use, because exfiltrated files that are still encrypted cannot be read or sold as easily. The caveat is that this only holds if the decryption keys are kept separate from the data, for example in an HSM or a key management service with its own access controls; an attacker operating with the credentials of a user or service that decrypts the files transparently, as with full-disk or file-system level encryption, obtains the plaintext just as that user would.
CONTINUOUS EDUCATION
Keeping employees informed about the latest ransomware threats and safe online practices can prevent inadvertent breaches.