Black Basta Ransomware Group Affiliates Leveraging Windows Quick Assist for Initial Access


Since April 2024, Arctic Wolf has been tracking an ongoing campaign by Black Basta ransomware group affiliates leveraging Microsoft’s Quick Assist for initial access. The Black Basta affiliates have been conducting vishing (voice phishing) attacks by impersonating IT or help desk personnel, claiming they need to fix an issue on the victim’s device. In other instances, the threat actors leverage an email bomb attack to flood the victim’s mailbox with emails from subscription services. They then call the victim, impersonating IT support, and offer assistance in resolving the issue. In both scenarios, the threat actors persuade the victim to provide access through Quick Assist by entering a security code and granting permissions to control their device. 

Once given remote access, the threat actors execute scripts with cURL commands to download batch or ZIP files, delivering malicious payloads such as Qakbot, ScreenConnect, NetSupport Manager, and Cobalt Strike. Establishing persistence with these tools, the threat actors proceed with the attack chain, including domain enumeration, lateral movement, and using PsExec to deploy Black Basta ransomware throughout the environment. 

Additional Initial Access Tactic: Microsoft Teams

On 12 June 2024, Microsoft revealed that in late May, Black Basta affiliates were observed using Microsoft Teams to reach target users. The threat actors used Teams to send messages and make calls, pretending to be IT or help desk staff. This tactic results in the misuse of Quick Assist, credential theft through EvilProxy, execution of batch scripts, and deployment of SystemBC for maintaining persistence and controlling compromised systems. Given Microsoft Teams’ widespread adoption in enterprise systems globally, this new attack vector observed in this campaign poses a significant risk to organisations. 

Detections for Campaign TTPs

Arctic Wolf has multiple detections in place that identify many of the Tactics, Techniques, and Procedures (TTPs) currently utilised in this campaign by the threat actors. These include detections for email bombing, remote access software, and tools for ingress. 

Additionally, Arctic Wolf has agent-based detections in place for relevant tooling across several other TTPs including credential access, discovery, and reconnaissance that have been observed to be associated with Black Basta connected activity in the past.  

Customers can expect tickets from the Arctic Wolf SOC for any malicious activity detected surrounding the campaign TTPs.
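As an added example of the email-bombing detection mentioned above (this is not Arctic Wolf's detection content), the following PowerShell function flags the pattern the campaign uses: a burst of inbound mail from many distinct sender domains to a single recipient in a short window. The log format, the sample lines and the thresholds are assumptions constructed for this example; adapt the parser and the numbers to your own mail gateway export.

```powershell
# Added example, not Arctic Wolf's tooling: detect an email-bomb burst in a mail-gateway log.
# Assumed log format (constructed for this example): "<ISO-8601 UTC timestamp> <recipient> <sender>".
function Find-EmailBomb {
    param(
        [string[]]$LogLines,
        [int]$WindowMinutes = 10,   # sliding window length (assumed threshold)
        [int]$MinMessages   = 20,   # messages in the window to count as a burst (assumed)
        [int]$MinDomains    = 10    # distinct sender domains in the window (assumed)
    )

    # Parse each line into a time, a recipient and the sender's domain.
    $events = foreach ($line in $LogLines) {
        if ($line -match '^(?<ts>\S+)\s+(?<rcpt>\S+)\s+(?<from>\S+)$') {
            [pscustomobject]@{
                Time      = [datetime]::Parse($Matches.ts, [cultureinfo]::InvariantCulture,
                                              [System.Globalization.DateTimeStyles]::AdjustToUniversal)
                Recipient = $Matches.rcpt.ToLowerInvariant()
                Domain    = ($Matches.from -split '@')[-1].ToLowerInvariant()
            }
        }
    }

    $window = [timespan]::FromMinutes($WindowMinutes)

    # Slide a time window over each recipient's messages and alert on the first window
    # that has both a high message count and a high number of distinct sender domains.
    foreach ($group in ($events | Group-Object Recipient)) {
        $msgs = @($group.Group | Sort-Object Time)
        $end  = 0
        for ($start = 0; $start -lt $msgs.Count; $start++) {
            while ($end -lt $msgs.Count -and ($msgs[$end].Time - $msgs[$start].Time) -le $window) { $end++ }
            $inWindow = @($msgs[$start..($end - 1)])
            $domains  = @($inWindow.Domain | Select-Object -Unique)
            if ($inWindow.Count -ge $MinMessages -and $domains.Count -ge $MinDomains) {
                [pscustomobject]@{
                    Recipient     = $group.Name
                    WindowStart   = $msgs[$start].Time
                    Messages      = $inWindow.Count
                    SenderDomains = $domains.Count
                }
                break   # one alert per recipient is enough for triage
            }
        }
    }
}

# Constructed sample log: 40 subscription-style confirmations from 35 sender domains hit
# user1 within eight minutes, while user2 receives ordinary traffic from one domain.
$base = [datetime]::new(2024, 5, 14, 9, 0, 0, [System.DateTimeKind]::Utc)
$sampleLog = @(
    for ($i = 0; $i -lt 40; $i++) {
        $t = $base.AddSeconds($i * 12)
        '{0} user1@example.com confirm@newsletter{1:D2}.example' -f $t.ToString('yyyy-MM-dd\THH:mm:ss\Z'), ($i % 35)
    }
    for ($i = 0; $i -lt 5; $i++) {
        $t = $base.AddMinutes($i * 3)
        '{0} user2@example.com colleague{1}@example.com' -f $t.ToString('yyyy-MM-dd\THH:mm:ss\Z'), ($i % 2)
    }
)

Find-EmailBomb -LogLines $sampleLog | Format-Table -AutoSize
```

On the constructed sample the burst to user1 is the only recipient that crosses both thresholds; user2's handful of messages from a single domain does not. Requiring many distinct sender domains as well as a high count is what separates a subscription bomb from a legitimate high-volume mailbox such as a shared alerts address.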

Recommendations 

Recommendation #1: Uninstall Quick Assist and/or Other RMM Tools if Not Utilised in Your Environment

If your organisation does not utilise Quick Assist and/or any other remote support tools, Arctic Wolf strongly recommends disabling or uninstalling them. This prevents external threat actors from exploiting these tools to gain unauthorised access to your devices. 

  • Disabling Quick Assist 
  • Uninstalling Quick Assist 
      ◦ Uninstall via PowerShell – Run the following command as Administrator: 
        Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist | Remove-AppxPackage -AllUsers 
      ◦ Uninstall via Windows Settings – Navigate to Settings > Apps > Installed apps > Quick Assist > select the ellipsis (…), then select Uninstall. 

Additionally, consider implementing policies to block the installation and use of Quick Assist and other RMM tools unless they have been explicitly approved for use within your environment. This approach helps ensure that only vetted and secure tools are in operation, further safeguarding your systems. 
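As an added example (not Arctic Wolf's code and not part of the bulletin), the following PowerShell script audits a host for Quick Assist and for the other remote-support tools named in this bulletin before you decide what to remove. The tool-name list, the -RemoveQuickAssist switch and the registry and service checks are assumptions of this example; the removal step itself uses the same Get-AppxPackage | Remove-AppxPackage pipeline given in the recommendation above. Run it from an elevated PowerShell session.

```powershell
# Added example, not Arctic Wolf's tooling: audit a Windows host for Quick Assist and for
# remote-support/RMM software, then optionally remove Quick Assist for all users.
[CmdletBinding()]
param(
    [switch]$RemoveQuickAssist   # assumed switch for this example; off by default
)

# Display-name fragments to look for. Constructed from the tools named in the bulletin;
# extend it with any remote-support product that is not approved in your environment.
$unapprovedRmm = @('ScreenConnect', 'NetSupport')

$findings = @()

# 1. Quick Assist ships as an AppX package on Windows 10/11; check all user profiles.
$qa = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
      Select-Object -First 1
if ($qa) {
    $findings += [pscustomobject]@{
        Category = 'QuickAssist'
        Name     = $qa.Name
        Detail   = "Version $($qa.Version) (AppX package)"
    }
}

# 2. Win32 remote-support tools register under the Uninstall keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($entry in (Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue)) {
    foreach ($pattern in $unapprovedRmm) {
        if ($entry.DisplayName -like "*$pattern*") {
            $findings += [pscustomobject]@{
                Category = 'InstalledRMM'
                Name     = $entry.DisplayName
                Detail   = "Version $($entry.DisplayVersion); uninstall: $($entry.UninstallString)"
            }
        }
    }
}

# 3. Some tools keep running as a Windows service even after their installer entry is gone.
foreach ($svc in (Get-Service -ErrorAction SilentlyContinue)) {
    foreach ($pattern in $unapprovedRmm) {
        if ($svc.DisplayName -like "*$pattern*" -or $svc.Name -like "*$pattern*") {
            $findings += [pscustomobject]@{
                Category = 'RMMService'
                Name     = $svc.Name
                Detail   = "$($svc.DisplayName) is $($svc.Status)"
            }
        }
    }
}

# Report: an empty result means none of the listed tools were found on this host.
if ($findings.Count -eq 0) {
    Write-Output 'No Quick Assist or listed remote-support tools found.'
} else {
    $findings | Format-Table -AutoSize
}

# Optional removal of Quick Assist, using the cmdlets the recommendation gives.
if ($RemoveQuickAssist -and $qa) {
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' | Remove-AppxPackage -AllUsers
    Write-Output 'Quick Assist removed for all users.'
}
```

Run the script without the switch first to see what is present, then with -RemoveQuickAssist once you have confirmed the tool is not in approved use. Findings in the InstalledRMM or RMMService categories are for review rather than automatic removal, since the same products may be legitimately deployed by your own IT team.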

Recommendation #2: Implement Comprehensive Security Awareness Training

Black Basta affiliates have successfully socially engineered victims through calls and emails during this ongoing campaign. Arctic Wolf strongly recommends implementing comprehensive security awareness training campaigns. These initiatives are designed to equip users with the skills needed to quickly identify and report suspicious activities, including observed tech support scams in this campaign. 

Arctic Wolf has several vishing modules within our Managed Security Awareness (MSA) product that will help users identify the suspicious activity outlined in this bulletin. 

Recommendation #3: Microsoft Teams Attack Vector Safeguards

Microsoft has provided the following mitigations to protect against attacks leveraging Microsoft Teams: 

  • Educate Microsoft Teams users to check for the ‘External’ tag on communications from external sources, exercise caution in sharing information, and avoid sharing account details or approving sign-in requests via chat. 

References

Rapid7 Campaign Observations 

Microsoft Campaign Observations

ReliaQuest Campaign Observations

Microsoft Teams Best Practices

Arctic Wolf Managed Security Awareness


Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.