"Black Basta Ransomware Gang Linked to the FIN7 Hacking Group"

Sentinel Labs security researchers discovered evidence linking the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak." Analysis of tools used in attacks revealed signs that a FIN7 developer also authored the Endpoint Detection and Response (EDR) evasion tools used exclusively by Black Basta since June 2022. Sentinel Labs discovered an executable that displays a fake Windows Security GUI and tray icon, giving users the impression that Windows Defender is functioning normally. In the background, however, the malware disables Windows Defender, EDR, and antivirus tools so that nothing interferes with data exfiltration and encryption. More samples linked to that tool were retrieved; one was packed with a previously unknown packer and was identified as 'SocksBot,' a backdoor that FIN7 has been using and developing since at least 2018. Furthermore, the backdoor connects to a command-and-control (C2) IP address belonging to "pq.hosting," a bulletproof hosting provider trusted and regularly used by FIN7. The researchers believe that the threat actor who created the impairment tool used by Black Basta is the same actor who has access to the packer source code used in FIN7 operations, establishing a possible link between the two groups for the first time. This article continues to discuss the evidence linking the Black Basta ransomware gang to the FIN7 hacking group.
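The practical lesson of the fake Windows Security GUI is that the tray icon and the Defender window are not evidence of anything: the engine's own state has to be queried directly. The following PowerShell script is an added example written for this summary, not code from the Bleeping Computer article or from SentinelLabs. It assumes a Windows host on which the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference) and the Defender operational event log are available, and it reads the engine state, the policy knobs an attacker typically flips, and the recent "protection disabled" / "configuration changed" events rather than anything shown in the UI.

```powershell
# Added example (not from the article or SentinelLabs): check Defender's real state
# instead of trusting the tray icon or the Windows Security window.
# Assumes a Windows host with the Defender PowerShell module and the
# Microsoft-Windows-Windows Defender/Operational event log. Run elevated.

function Test-DefenderState {
    $findings = @()

    # 1. Service state. A stopped or missing WinDefend service is the first red flag.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings += "WinDefend service is not running (status: $($svc.Status))"
    }

    # 2. Engine state as reported by the engine itself, not by the UI.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        if (-not $s.AntivirusEnabled)          { $findings += 'AntivirusEnabled is False' }
        if (-not $s.RealTimeProtectionEnabled) { $findings += 'RealTimeProtectionEnabled is False' }
        if (-not $s.BehaviorMonitorEnabled)    { $findings += 'BehaviorMonitorEnabled is False' }
        if (-not $s.IsTamperProtected)         { $findings += 'Tamper Protection is off' }
        if ($s.AntivirusSignatureAge -gt 7)    { $findings += "Signatures are $($s.AntivirusSignatureAge) days old" }
    } catch {
        # The cmdlet itself fails when the platform has been disabled or unregistered.
        $findings += "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # 3. Policy settings that an impairment tool commonly sets to silence the engine.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        if ($pref.DisableRealtimeMonitoring) { $findings += 'DisableRealtimeMonitoring is set' }
        if ($pref.DisableBehaviorMonitoring) { $findings += 'DisableBehaviorMonitoring is set' }
        if ($pref.ExclusionPath) {
            $findings += "Exclusion paths present, review them: $($pref.ExclusionPath -join ', ')"
        }
    }

    # 4. Recent events from the Defender operational log:
    #    5001, 5010, 5012 = a protection component was turned off; 5007 = configuration changed.
    $since  = (Get-Date).AddDays(-7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012, 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`n")[0]
        $findings += "[$($e.TimeCreated)] Event $($e.Id): $firstLine"
    }

    return $findings
}

$result = Test-DefenderState
if (-not $result -or $result.Count -eq 0) {
    Write-Output 'Defender reports healthy; cross-check against your EDR console.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Two caveats apply. A tool that has already disabled the platform may also remove or break the Defender module, which is why a failure of Get-MpComputerStatus is itself treated as a finding rather than an error to ignore. And because the same actor is described as targeting EDR and third-party antivirus as well, the host's own answer should be compared with what the EDR management console last received from the agent, since a host that has stopped reporting cannot tell you that it has stopped reporting.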

Bleeping Computer reports "Black Basta Ransomware Gang Linked to the FIN7 Hacking Group"
