Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
May 16, 2024, 10:01 a.m.
Description
The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote access to their devices through the Windows Quick Assist feature. Once access is gained, the attackers deploy malware like Qakbot, remote monitoring tools like ScreenConnect and NetSupport Manager, and Cobalt Strike beacons, ultimately leading to the deployment of Black Basta ransomware on compromised systems.
Date
Published: May 16, 2024, 9:27 a.m.
Created: May 16, 2024, 9:27 a.m.
Modified: May 16, 2024, 10:01 a.m.
Indicators
Attack Patterns
Black Basta - S1070
QuackBot
Pinkslipbot
QakBot - S0650
QBot
Storm-1811
T1218.005
T1053.005
T1059.003
T1059.001
T1059.007
T1071.001
T1486
T1057
T1105
T1566.001
T1133
T1059