Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

May 16, 2024, 10:01 a.m.

Description

The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote access to their devices through the Windows Quick Assist feature. Once access is gained, the attackers deploy malware like Qakbot, remote monitoring tools like ScreenConnect and NetSupport Manager, and Cobalt Strike beacons, ultimately leading to the deployment of Black Basta ransomware on compromised systems.

Date

  • Created: May 16, 2024, 9:27 a.m.
  • Published: May 16, 2024, 9:27 a.m.
  • Modified: May 16, 2024, 10:01 a.m.

Indicators


Attack Patterns

  • Black Basta - S1070
  • QuackBot
  • Pinkslipbot
  • QakBot - S0650
  • QBot
  • Storm-1811
  • T1218.005
  • T1053.005
  • T1059.003
  • T1059.001
  • T1059.007
  • T1071.001
  • T1486
  • T1057
  • T1105
  • T1566.001
  • T1133
  • T1059