"QBot Now Distributes Black Basta Ransomware During Bot-Powered Attacks"

The Black Basta ransomware group is working with the QBot malware operation to spread laterally through compromised business systems. QBot, also known as QuakBot, is Windows malware capable of stealing bank and domain passwords and distributing other malware payloads to infected systems. The most prevalent way for victims to become infected with QBot is through phishing attempts using malicious attachments. Although it originated as a banking Trojan, QBot has worked with a number of other ransomware gangs, including MegaCortex, ProLock, DoppelPaymer, and Egregor. Black Basta is a relatively new ransomware operation that has made a solid start by compromising many businesses in a short amount of time while demanding large ransom payments.

During a recent incident response, analysts from NCC Group discovered the new alliance between QBot and Black Basta and were able to determine the threat actor's actions. While most ransomware gangs use QBot to gain initial access, the Black Basta gang used it to spread laterally throughout the network. The malware installs a temporary service on the target host and configures it to run its DLL using regsvr32.exe. Once active, QBot can infect network shares and disks, brute-force AD accounts, or spread via default admin shares using the current user's credentials through the SMB (Server Message Block) file-sharing protocol.

This article continues to discuss findings surrounding the Black Basta ransomware gang's partnership with the QBot malware operation.

CyberIntelMag reports "QBot Now Distributes Black Basta Ransomware During Bot-Powered Attacks"
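The service-based DLL execution described above can be hunted for in Windows service-install events (System log, event ID 7045). The following is an added example, not code from the article or from NCC Group; it assumes events have already been exported as dictionaries with the standard 7045 fields, and all sample hosts, service names and paths are constructed. A match is a hunting lead to triage, not proof of QBot.

```python
import re

# regsvr32 as a command token: bare, with a path, quoted, or behind "cmd /c".
REGSVR32 = re.compile(r'(?:^|[\\/\s"])regsvr32(?:\.exe)?(?=["\s]|$)', re.I)
# First DLL argument, quoted (may contain spaces) or unquoted.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)\b', re.I)

def regsvr32_services(events):
    """Flag service-install events (ID 7045) whose ImagePath runs a DLL via regsvr32."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue  # only "A service was installed in the system"
        image_path = ev.get("ImagePath") or ""
        if not REGSVR32.search(image_path):
            continue
        m = DLL_ARG.search(image_path)
        findings.append({
            "host": ev.get("Computer"),
            "service": ev.get("ServiceName"),
            "dll": (m.group(1) or m.group(2)) if m else None,
        })
    return findings

# Constructed sample events (hosts, service names and paths are made up).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "svc-a1",
     "ImagePath": r'regsvr32.exe -s "C:\Users\Public\sample file.dll"'},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service'},
    {"EventID": 7045, "Computer": "SRV01", "ServiceName": "svc-b2",
     "ImagePath": r'C:\Windows\System32\cmd.exe /c '
                  r'C:\Windows\SysWOW64\regsvr32.exe /s C:\ProgramData\example\module.dll'},
    # Name merely contains "regsvr32": must not be flagged.
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "Helper",
     "ImagePath": r'C:\Tools\myregsvr32helper.exe'},
    # Different event ID: ignored.
    {"EventID": 7036, "Computer": "WS01", "ServiceName": "svc-a1"},
]

if __name__ == "__main__":
    for finding in regsvr32_services(SAMPLE_EVENTS):
        print(finding)
```

Because the service is temporary, the install event may be the only durable trace of it, so this check is best run over centrally collected logs rather than against the live service list.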

Submitted by Anonymous on