Fake Zoom Ends in BlackSuit Ransomware

March 31, 2025, 3:56 p.m.

Description

A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for lateral movement. They used various techniques for discovery and credential access, including LSASS memory dumping. The attacker employed QDoor for proxying RDP connections, facilitating data collection and exfiltration via the cloud service Bublup. The intrusion culminated in the deployment of BlackSuit ransomware across multiple systems using PsExec, with a total time to ransomware of 194 hours over nine days.

External References

https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/
https://otx.alienvault.com/pulse/67ea2ad332f874a45a095bed
Tags
ransomware
cobalt strike
exfiltration
lateral movement
proxy
blacksuit
sectoprat
brute ratel
2025-03-31
d3f@ckloader
qdoor

Date

  • Created: March 31, 2025, 5:40 a.m.
  • Published: March 31, 2025, 5:40 a.m.
  • Modified: March 31, 2025, 3:56 p.m.

Attack Patterns

  • d3f@ckloader
  • QDoor
  • Brute Ratel
  • SectopRAT
  • BlackSuit
  • Cobalt Strike - S0154