A sophisticated ransomware campaign targets organisations with advanced social engineering techniques designed to bypass security measures and exploit human vulnerabilities. Leveraging tools like Microsoft Teams and malicious QR codes, the attackers deceive employees into granting access to sensitive systems, ultimately aiming to deploy Black Basta ransomware and steal critical data.
The attackers employ a two-stage approach to gaining access to organisational systems. Initially, they inundate target users with a deluge of irrelevant emails, often by signing them up for numerous mailing lists. This ‘email bombing’ disrupts normal workflow and sets the stage for a direct approach via Microsoft Teams.
Masquerading as internal IT support staff, the attackers use display names like ‘Help Desk’ or ‘Technical Support’ to lend credibility to their efforts. By exploiting Microsoft Teams’ external communication features, they trick users into downloading and executing remote management tools such as AnyDesk or QuickAssist.
![](https://candid.technology/wp-content/uploads/2024/12/BlackBasta-ransomware-Rapid7-ss1.jpg)
In a more concerning twist, the campaign has incorporated QR codes to circumvent multi-factor authentication (MFA). These QR codes direct users to malicious URLs that mimic legitimate company portals.
Recent observations by researchers indicate notable sophistication in the malware payloads and delivery mechanisms. The threat actors now use custom DLLs, obfuscated executables, and file-sharing services to distribute malware. Researchers found that the malware often includes credential-harvesting tools such as a revamped version of ‘AntiSpam.exe’, now delivered as DLL files and launched with system utilities such as ‘rundll32.exe’.
The campaign has seen the integration of new tools like Zbot and DarkGate, which are employed for data theft, persistence and further malicious activities. These tools are often packed using custom encryption techniques to evade detection.
![](https://candid.technology/wp-content/uploads/2024/12/BlackBasta-ransomware-Rapid7-ss2.jpg)
One of the techniques used by cyber crooks is credential harvesting. Updated tools can now save user credentials in files with random names to evade detection. User prompts are designed to appear legitimate, coercing victims into sharing sensitive information.
Operators distribute malware using compromised cloud services, such as SharePoint, and file-sharing websites. This approach circumvents security measures.
The threat actors constantly update their tooling, with newer versions designed to evade the latest security defences.
These attacks aim to gain credentials, steal VPN configuration files, and bypass MFA, enabling direct access to enterprise environments. The attackers often seek to deploy ransomware, causing operational disruptions and data breaches.
To counter these threats, experts have urged organisations to restrict external communication in Microsoft Teams, enforce strict controls over remote management tools by standardising approved applications and blocking unapproved ones, and educate employees on identifying phishing attempts and social engineering tactics.
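The chain described in this article (email bombing, an external Teams message from a ‘Help Desk’ persona, then a remote-management tool or rundll32 launch) lends itself to correlation in a SIEM. The script below is an added illustration, not code from the article or the researchers it cites; the event schema, thresholds and sample telemetry are assumptions constructed for the example.

```python
"""Correlates, per user, the three stages of the intrusion chain described above: an email-bombing
burst, an external Teams message impersonating IT support, and a subsequent RMM or rundll32 launch."""
from collections import defaultdict
from datetime import datetime, timedelta

SUPPORT_NAMES = ("help desk", "helpdesk", "technical support", "it support")
RMM_TOOLS = ("anydesk.exe", "quickassist.exe")
BURST_THRESHOLD, BURST_WINDOW = 50, timedelta(minutes=10)   # >=50 inbound mails in 10 min (assumed)
CHAIN_WINDOW = timedelta(hours=2)                            # max gap between stages (assumed)

def find_chains(events, internal_domain):
    """Return {user: (teams_event, process_event)} for users showing the full chain."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        mails = [e["ts"] for e in evs if e["type"] == "email_in"]
        # stage 1: first window in which BURST_THRESHOLD mails arrive within BURST_WINDOW
        burst_at = next((mails[i] for i in range(len(mails) - BURST_THRESHOLD + 1)
                         if mails[i + BURST_THRESHOLD - 1] - mails[i] <= BURST_WINDOW), None)
        if burst_at is None:
            continue
        # stage 2: Teams message from outside the tenant using an IT-support display name
        teams = [e for e in evs if e["type"] == "teams_msg"
                 and not e["sender"].lower().endswith("@" + internal_domain)
                 and any(n in e["display_name"].lower() for n in SUPPORT_NAMES)
                 and burst_at <= e["ts"] <= burst_at + CHAIN_WINDOW]
        if not teams:
            continue
        # stage 3: RMM tool start, or rundll32 loading a DLL from a user-writable path
        t0 = teams[0]["ts"]
        procs = [e for e in evs if e["type"] == "process" and t0 <= e["ts"] <= t0 + CHAIN_WINDOW
                 and (e["image"].lower().endswith(RMM_TOOLS)
                      or (e["image"].lower().endswith("rundll32.exe")
                          and "\\users\\" in e["cmdline"].lower()))]
        if procs:
            hits[user] = (teams[0], procs[0])
    return hits

def sample_events():
    """Constructed sample telemetry (not real data) in which user 'alice' shows the full chain."""
    base = datetime(2024, 12, 10, 9, 0)
    evs = [{"type": "email_in", "user": "alice", "ts": base + timedelta(seconds=8 * i)}
           for i in range(60)]                                   # 60 mails in 8 minutes
    evs.append({"type": "teams_msg", "user": "alice", "ts": base + timedelta(minutes=25),
                "sender": "support@example-msp.onmicrosoft.com", "display_name": "Help Desk"})
    evs.append({"type": "process", "user": "alice", "ts": base + timedelta(minutes=40),
                "image": r"C:\Users\alice\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe"})
    return evs
```

Removing any one stage from the sample (or treating the sender's domain as internal) yields no alert, which keeps the rule from firing on a lone Teams message or a lone AnyDesk install.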