Fake Zoom Ends in BlackSuit Ransomware
March 31, 2025, 3:56 p.m.
Description
A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for lateral movement. They used various techniques for discovery and credential access, including LSASS memory dumping. The attacker employed QDoor for proxying RDP connections, facilitating data collection and exfiltration via the cloud service Bublup. The intrusion culminated in the deployment of BlackSuit ransomware across multiple systems using PsExec, with a total time to ransomware of 194 hours over nine days.
Date
- Created: March 31, 2025, 5:40 a.m.
- Published: March 31, 2025, 5:40 a.m.
- Modified: March 31, 2025, 3:56 p.m.
Attack Patterns
- d3f@ckloader
- QDoor
- Brute Ratel
- SectopRAT
- BlackSuit
- Cobalt Strike - S0154