Black Basta Uses Qakbot, Brute Ratel in Ransomware Attacks

Researchers said the attack kill chain is the first time they observed Brute Ratel being used as a second-stage payload via a Qakbot infection.

The threat actors behind the Black Basta ransomware were observed using the Qakbot malware in order to deploy the Brute Ratel framework as a second-stage payload in recent attacks.

Brute Ratel, commercial adversary emulation software, is a relatively new player similar to the Sliver and Cobalt Strike platforms, which are marketed to red teams but also utilized by a wide range of threat actors. The recent Qakbot campaign is “a noteworthy development because it is the first time we have observed Brute Ratel as a second-stage payload via a QAKBOT infection,” said Ian Kenefick, Lucas Silva and Nicole Hernandez, researchers with Trend Micro, in an analysis this week.

“Based on our investigations, we can confirm that the QAKBOT-to-Brute Ratel-to-Cobalt Strike kill chain is associated with the group behind the Black Basta Ransomware,” they said. “This is based on overlapping TTPs and infrastructure observed in Black Basta attacks.”

The attackers used various methods of infection with two distributors (labeled with the ‘BB’ and ‘Obama20x’ IDs), in one case launching the campaign via spam emails with a malicious URL, which when visited presented victims with a password-protected ZIP file along with the password to use, and in another delivering the ZIP file via HTML smuggling (where malicious script is encoded into an HTML attachment or web page).

In both campaigns, the ZIP file contained an ISO file (in a likely attempt to defeat the Mark of the Web feature that categorizes files as being downloaded from the internet), which contained malicious files that set the stage for Qakbot to be run inside an injected process (wermgr.exe). Qakbot then used obfuscation to hide suspicious-looking command lines and performed reconnaissance on the infected environment.

From there, Qabot dropped the Brute Ratel DLL, which in turn dropped Cobalt Strike for lateral movement. Brute Ratel also ran the SharpHound utility, which collects data for the BloodHound Active Directory reconnaissance tool, and packed collected files into a ZIP file for exfiltration.

Brute Ratel, which first emerged in December 2020, has been highlighted by researchers as sophisticated as it was designed to generate shellcode that is undetectable by endpoint detection response and antivirus tools. In September, Brute Ratel was cracked and shared for free on underground forums, making the tool more accessible to threat actors.

“As a result of its popularity compared to Brute Ratel, [Cobalt Strike’s] detection coverage is greater than that of the latter,” said researchers. “This makes Brute Ratel and other less established C&C frameworks an increasingly more attractive option for malicious actors, whose activities may remain undetected for a longer period.”

While the threat actors were evicted from the environment before any final actions could be taken, researchers “assess based on the level of access and discovery activity that the likely final actions would have been a domain-wide ransom deployment.”

Following a brief hiatus, Qakbot’s malware activity resumed on Sept. 8 with researchers finding several distribution methods, including SmokeLoader, Emotet, as well as the more recent ‘BB’ and ‘Obama20x’ distributors. Qakbot has seen growing popularity among a variety of threat groups that either use the malware itself or any of its second-stage payloads. Previously, attackers also used hijacked email threads, harvested in bulk from previous Microsoft ProxyLogon attacks, in order to send messages to victims that delivered the Qakbot malware earlier this year.