Mounting ransomware crackdown efforts, including one that impacted its previous partner QBot, have prompted the Black Basta ransomware operation, also known as UNC4393, to leverage new custom malware and novel techniques on top of zero-day vulnerabilities to enable network compromise without being detected by security systems, BleepingComputer reports.
While Black Basta has primarily leveraged DarkGate malware in its attacks following the disruption of the QBot malware late last year, the ransomware gang transitioned to SilentNight malware distribution for initial network access in attacks months later, with network foothold ensured by the deployment of the DawnCry memory-only dropper with the DaveShell loader that delivers the PortYard tunneler, according to an analysis from Mandiant. Aside from featuring living off the land binaries, recent attacks by the ransomware gang also involved the CogScan .NET reconnaissance tool, the SystemBC tunneler, the KnowTrap memory-only dropper, and the KnockTrock .NET-based utility that facilitates BASTA ransomware executable injections.
