Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as “Carbanak.”
When analyzing tools used by the ransomware gang in attacks, the researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022.
Further evidence linking the two includes IP addresses and specific TTPs (tactics, techniques, and procedures) used by FIN7 in early 2022 and seen months later in actual Black Basta attacks.
Background
FIN7 is a Russian-speaking, financially motivated hacking group that has been active since at least 2015, deploying POS malware and launching targeted spear-phishing attacks against hundreds of firms.
In 2020, the group started exploring the ransomware space, and by October 2021, it was revealed that it had set up its own network intrusion operation.
A 2022 Mandiant report explained that FIN7 was working with various ransomware gangs, including Maze, Ryuk, Darkside, and BlackCat/ALPHV, apparently carrying out the initial compromise.
Black Basta is a ransomware operation launched in April 2022 that showed signs of previous experience by immediately announcing multiple high-profile victims, convincing many analysts it was a Conti rebrand, or at least included members from the now-defunct operation.
The new ransomware operation has kept a closed profile, not promoting itself as a ransomware-as-a-service or recruiting affiliates, indicating it may be a private group.
FIN7 developer
Starting from June 2022 and onwards, Black Basta was observed deploying a custom EDR evasion tool used exclusively by its members.
By digging deeper into this tool, Sentinel Labs found an executable, “WindefCheck.exe,” that displays a fake Windows Security GUI and tray icon that gives users the illusion that Windows Defender is working normally.
In the background, though, the malware disables Windows Defender, EDR, and antivirus tools, ensuring that nothing will jeopardize the data exfiltration and encryption process.
This tool is illustrated below, where the top image shows the fake Windows Security screen, with various security settings appearing to be enabled and protecting the device.
However, the screen underneath shows the actual status of these security settings being disabled.
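Because the decoy GUI reports a healthy state while Defender is actually off, a defender should verify the real protection state from the Defender cmdlets and policy registry keys rather than from the tray UI. The following PowerShell check is an added example written for this article, not code from SentinelLabs or the report; the only page-specific value it uses is the reported file name "WindefCheck.exe".

```powershell
# Added example (not from the SentinelLabs report): check Defender's actual
# state independently of what the Windows Security window shows.
# Requires the Defender PowerShell module (present on supported Windows builds).
function Test-DefenderIntegrity {
    $status   = Get-MpComputerStatus
    $prefs    = Get-MpPreference
    $findings = @()

    # Engine and service state as reported by the Defender platform itself
    if (-not $status.AMServiceEnabled)          { $findings += 'Defender AM service is not running' }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
    if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is off' }

    # Preference-level switches that impairment tooling commonly flips
    if ($prefs.DisableRealtimeMonitoring) { $findings += 'DisableRealtimeMonitoring preference is set' }
    if ($prefs.DisableIOAVProtection)     { $findings += 'DisableIOAVProtection preference is set' }

    # Group Policy kill switch under the Windows Defender policy key
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) { $findings += 'DisableAntiSpyware policy is set' }

    # Decoy process name reported in the article; a hit here is a strong indicator
    $decoy = Get-Process -Name 'WindefCheck' -ErrorAction SilentlyContinue
    if ($decoy) { $findings += "WindefCheck.exe is running (PID $($decoy.Id -join ','))" }

    if ($findings.Count -eq 0) {
        return [pscustomobject]@{ Healthy = $true;  Findings = @() }
    }
    return [pscustomobject]@{ Healthy = $false; Findings = $findings }
}

# Usage: run elevated so the policy key and Defender status are readable
Test-DefenderIntegrity | Format-List
```

Any finding here while the Windows Security window still shows green is exactly the discrepancy the decoy is designed to hide, and is worth escalating rather than dismissing as a UI glitch.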
The analysts retrieved more samples linked to that tool and found one packed with an unknown packer, which was identified as ‘SocksBot,’ a backdoor that FIN7 has been using and developing since at least 2018.
Furthermore, the backdoor connects to a C2 IP address belonging to “pq.hosting,” a bulletproof hosting provider FIN7 trusts and uses regularly.
“We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups,” explains the report by Sentinel Labs.
Additional evidence of a connection between FIN7 and Black Basta concerns FIN7’s early 2022 experimentation with Cobalt Strike and Meterpreter C2 frameworks in simulated malware-dropping attacks.
The same activity using the exact custom tools, plugins, and delivery methods was observed many months later in actual attacks by Black Basta.
While these technical similarities point to FIN7 members being part of the Black Basta operation, it is still unclear whether they are merely developers for the group, operators, or affiliates using their own tools during attacks.
For those interested in learning more about Black Basta’s TTPs, researcher Max Malyutin also published a report on Monday detailing how QBot infections and AV evasion are linked to the ultimate deployment of the group’s ransomware.