Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware

Dec. 11, 2024, 5:09 p.m.

Description

A resurgence of activity related to the Black Basta ransomware campaign has been observed since early October. The threat actors have refined their tactics, introducing new malware payloads, improved delivery methods, and enhanced defense evasion techniques. The attacks begin with email bombing of target users, followed by social engineering attempts via Microsoft Teams. Operators impersonate IT staff and trick users into installing remote management tools. Once access is gained, they deploy credential harvesters, Zbot, DarkGate, and custom malware. The campaign has been linked to Black Basta ransomware deployments in the past, highlighting its serious nature. The attackers continue to update their strategies and tools rapidly, demonstrating sophisticated and persistent threat behavior.

Date

Published: Dec. 9, 2024, 10:32 p.m.

Created: Dec. 9, 2024, 10:32 p.m.

Modified: Dec. 11, 2024, 5:09 p.m.

Indicators

fb444e7bb7c8f48207ceeba8bad9c2b9ae9c726ac28916c5be5390ba67c2c77c

ef28a572cda7319047fbc918d60f71c124a038cd18a02000c7ab413677c5c161

ee79f4e87e0b393c952b478c9a30f35802c09f93e899ecf6b40d8d6625188031

ec669387150865b59bbf98b41a770235ba4fd632aab33433c2d493460ef52479

ebbe6a9e1188e2ee1651b5c68b6b508fb52b9e8896dbbeb0f4e126961ba94982

c69ab262ac3f73277c4b9a777a408f57feb618e2e00bc2e66e8d97274083c742

d90afa08e38c15bb3e48187e436645b42d4d856e219242cb6c33085c4c1611db

c675130390b4ee16ea72dea30807939b1306d373c5b7ffe0cf1d2afaffc402b6

c50271cc3e26651a5b5384894490c7153c56b86435e61b5ca206f8e9c5c5542f

c4942f989530f09b499978721d282998eaa77be31a4361ac6250f1df721decb9

9a21ec5a25dfe7ca51d4a843a96bfb6e650dc999d3b6d4bd771571359b3bea0a

95a6c06ac691bec0ac2140b6590c96488feb8bc6c3ca501d1fe8ee7cbf9d0f8b

97daf5e1b2519a655397173fb5af346f9435fb4acf097d10ad4ffde464d21c09

729f08249b9f55f17fe7762d6c41c619127e0a7798194b7ff18f06003ff3d041

71e08a89ecdfac3bb490bec6c4115cfd71de744897fd8b7dd7383646e911858e

717aed4c123a3cde0695818f7038c1092d9dcd7c910ac5ddba96d5e348e1337f

67c8bc21bbdcc59f7fd2b0a6f0f6c98f0076a0142e94cb3f158155e0ca9ac71a

5e9fbae0b94f6e36717bbd2c997981ba438d7efd800e76924f73452a69c04051

5fef7a5db4b1c216c9fc37d55143e5b635e8833d82f95004bb4fb47060fdf447

57d8296dd901491d37e7c79d0fe95188f3b7c94affc71c8e732daea8369cfa4f

4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4

474ba7f2fb18b7b55fc077513cda6f6d36fb79e58065c556724ea049a392e327

42ffc3eb728ccc83cf4f115c6a3e32c01ef80869b9f2c4f2d62a7a88c7bf4bc2

3b7e06f1ccaa207dc331afd6f91e284fec4b826c3c427dffd0432fdc48d55176

38ee04ee9d3b3912013d54483d8f822eebd0367408b369bc09f46cb339a54313

2f5301125627331f56db76046d177493d8b0a814cdd9cafad3981aad97383163

2a8a49d9c25d786a5108a53d0b3281677b299540f54580a7b49aa8de78ec0ee1

1896ab744e436ca52a1c6c64a4608dbb8e5597e35d13be1f3c56bc65eb44e532

1656c55c8516bd650fe59b71a5886ecf508deb927ed3c8465cf0ad5923c35958

14aad4fcc77e5fd7e7782c9c5714d1a4187e60e75a765b71d5d41b920bbae31a

146494eb276fc4539bffa6896b958e29a417a5959a5c10d100caf48514b66864

0482dc9c6ed46e247682e1d4ae5c5a037ef0b66f3b22af9ae25ac072028dd7a2

db34e255aa4d9f4e54461571469b9dd53e49feed3d238b6cfb49082de0afb1e4

a9f2c4bc268765fc6d72d8e00363d2440cf1dcbd1ef7ee08978959fc118922c9

49405370a33abbf131c5d550cebe00780cc3fd3cbe888220686582ae88f16af7

22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764

93.185.159.253

91.212.166.91

8.211.34.166

8.209.111.227

66.78.40.86

46.8.236.61

46.8.232.106

212.232.22.140

193.29.13.60

185.238.169.17

185.229.66.224

184.174.97.32

147.28.163.206

145.223.116.66

109.172.88.38

109.172.87.135

94.103.85.114

88.214.25.32

65.87.7.151

188.130.206.243

185.130.47.96

179.60.149.194

172.81.60.122

45.61.152.154

doc2.docu-duplicator.com

doc1.docu-duplicator.com

doc.docu-duplicator.com

dns.winsdesignater.com

summerrain.cloud

posetoposeschool.com

mailh.org

dropmeafile.com

crystallakehotels.com

brownswer.com

blazingradiancesolar.com

bigdealcenter.world

Attack Patterns

TinyZBot - S0004

DarkGate - S1111

Black Basta - S1070

BlackBasta

T1566.003

T1021.001

T1490

T1204.001

T1566.002

T1204.002

T1005

T1489

T1486

T1566.001

T1083

T1204

T1566

T1078