<strong>Black Basta Ransomware Ties With FIN7 Hackers To Deploy Custom Hacking & Evasion Tools</strong>

Evidence has been found pointing to a connection between FIN7 (aka Carbanak), a financially motivated hacking group, and the Black Basta ransomware gang.

Cybersecurity researchers at SentinelLabs uncovered the connection between these two malicious groups during their analysis.

A double-extortion attack model is the hallmark of Black Basta, a ransomware gang that has been active since April 2022. FIN7, on the other hand, is a financially motivated Russian hacking group that has been operating since 2015.

In its attacks against organizations across the world, FIN7 has used spear-phishing and point-of-sale (POS) malware to compromise POS terminals.

During their tool analysis, the researchers found that the EDR evasion tools Black Basta has used exclusively since June 2022 were authored by a FIN7 developer.

The researchers also identified two IP addresses and a set of TTPs shared by the FIN7 hacking group and the Black Basta ransomware gang.

To carry out initial compromise and other illicit activities, FIN7 has teamed up with various ransomware gangs, which include:

Black Basta’s April 2022 operation already displayed a level of sophistication that pointed to prior experience. At that time the operators targeted multiple high-profile victims, which persuaded several analysts that this might be a new variant of Conti.

Further, the analysis turned up a UPX-packed executable, a custom tool named “WindefCheck.exe.” According to the researchers, the unpacked sample was compiled from Visual Basic.

One of the application’s main features is that it displays a fake Windows Security GUI and tray icon, giving the impression that the system is completely “healthy” and functioning normally.

The operators of the Black Basta ransomware gang used the BIRDDOG (aka SocksBot) backdoor to establish a connection to a C2 server at 45[.]67[.]229[.]148; the same backdoor is also used by members of the FIN7 hacking group.

FIN7 operations were often conducted by threat actors who had access to the source code of the packer and the defense impairment tool used by the Black Basta ransomware gang.

Taken together, these connections are convincing evidence of a strong relationship between the two groups.

In the ever-expanding and evolving crimeware ecosystem, there are always new threats to confront. Users therefore need to stay current with the latest TTPs adopted by threat actors, since security products alone will not provide complete protection.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.