
Black Basta-linked attackers target users with SystemBC malware

August 14, 2024 | Ravi Lakshmanan | Malware / Network Security


An ongoing social engineering campaign suspected of being linked to the Black Basta ransomware group has been tied to “multiple intrusion attempts” aimed at stealing credentials and deploying a malware dropper called SystemBC.

“The initial bait used by attackers remains the same: an email bomb, followed by an attempt to call affected users and propose a fake solution,” Rapid7 said, adding that “external calls were typically made to affected users via Microsoft Teams.”

The attackers then talk the user into downloading and installing the legitimate remote access software AnyDesk, which serves as a conduit for deploying further payloads and exfiltrating sensitive data.

This involves the use of an executable file called “AntiSpam.exe” that purports to download email spam filters and asks the user to enter their Windows login credentials to complete the update.


This step is followed by the execution of several binaries, DLLs, and PowerShell scripts, including a Go-based HTTP beacon that establishes contact with a remote server, a SOCKS proxy, and SystemBC.

To reduce exposure to this threat, organizations should block all unapproved remote desktop solutions and stay alert to suspicious phone calls and text messages purporting to come from internal IT staff.
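The chain above (email bomb, then an unapproved RMM tool, then a lure binary launching PowerShell) maps onto a handful of simple telemetry rules. The following is an added example written for this article, not code from Rapid7 or from the campaign; the record layouts are assumptions loosely modelled on Sysmon Event ID 1 process-creation fields and a mail-gateway accept log, the sample events are constructed, and msra.exe (Windows Remote Assistance) stands in as the hypothetical estate's sanctioned remote-assistance tool.

```python
"""Toy detection rules for the email-bomb -> AnyDesk -> AntiSpam.exe chain.
Added example; field names and sample data are assumptions, not captured telemetry."""
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Remote-access tools the (hypothetical) estate watches for, and the subset it
# sanctions. AnyDesk is the tool named in the article; msra.exe is the stand-in
# for an approved alternative.
WATCHED_RMM = {"anydesk.exe", "msra.exe"}
APPROVED_RMM = {"msra.exe"}
# Lure binary name taken from the article. Name matching is a weak indicator;
# pair it with the path check below.
LURE_BINARIES = {"antispam.exe"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_user_profile(path: str) -> bool:
    # Anything under C:\Users\<name>\... is writable by the user and a typical drop location.
    return "users" in (p.lower() for p in PureWindowsPath(path).parts)


def flag_process(event: dict) -> list[str]:
    """Return the names of every rule that matches one process-creation event."""
    hits = []
    image, parent = event["image"], event["parent"]
    if _name(image) in WATCHED_RMM and _name(image) not in APPROVED_RMM:
        hits.append("unapproved_rmm_executed")
    if _name(image) in LURE_BINARIES and _in_user_profile(image):
        hits.append("lure_binary_from_user_profile")
    if _name(image) in SCRIPT_ENGINES and _in_user_profile(parent):
        hits.append("script_engine_spawned_by_user_profile_binary")
    return hits


def detect_email_bomb(mail_log: list[dict], threshold: int = 50,
                      window: timedelta = timedelta(minutes=10)) -> dict[str, int]:
    """Recipients who received more than `threshold` messages inside any sliding
    `window`; returns recipient -> peak count. `mail_log` must be sorted by time."""
    recent: dict[str, deque] = {}
    peaks: dict[str, int] = {}
    for rec in mail_log:
        ts = datetime.fromisoformat(rec["ts"])
        q = recent.setdefault(rec["rcpt"], deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop arrivals that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[rec["rcpt"]] = max(peaks.get(rec["rcpt"], 0), len(q))
    return peaks


# Constructed sample telemetry for one affected user (alice) and one normal user (bob).
PROCESS_EVENTS = [
    {"ts": "2024-08-13T09:02:11", "image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-08-13T09:10:45", "image": r"C:\Users\alice\Downloads\AntiSpam.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-08-13T09:11:02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\AntiSpam.exe"},
    {"ts": "2024-08-13T09:30:00", "image": r"C:\Windows\System32\msra.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Constructed mail log: 120 sign-up confirmations to alice in four minutes
# (the "email bomb"), plus five ordinary messages to bob.
_BASE = datetime(2024, 8, 13, 8, 40)
MAIL_LOG = sorted(
    [{"ts": (_BASE + timedelta(seconds=2 * i)).isoformat(), "rcpt": "alice@corp.example",
      "sender": f"noreply@list{i}.example"} for i in range(120)]
    + [{"ts": (_BASE + timedelta(minutes=3 * i)).isoformat(), "rcpt": "bob@corp.example",
        "sender": "colleague@corp.example"} for i in range(5)],
    key=lambda r: r["ts"])

if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(ev["ts"], _name(ev["image"]), flag_process(ev))
    print("email bomb:", detect_email_bomb(MAIL_LOG))
```

The three process rules fire on separate events in the sample, so a correlation layer would still need to join them by user and time; the email-bomb rule is the cheapest early warning, since in this campaign the flood of mail precedes the fake IT call.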

The disclosure comes after SocGholish (also known as FakeUpdates), GootLoader, and Raspberry Robin became the most-observed loader strains in 2024, which then provide a foothold for ransomware, according to ReliaQuest data.

“GootLoader is new to the list of the top three most popular programs this year, replacing QakBot, whose activity has been declining,” the cybersecurity firm reported.

“Malware loaders are often advertised on dark web cybercriminal forums such as XSS and Exploit, where they are sold to cybercriminals looking to facilitate network intrusions and payload delivery. These loaders are often offered on subscription models, with monthly fees providing access to regular updates, support, and new features designed to avoid detection.”

One of the benefits of this subscription-based approach is that even cybercriminals with limited technical knowledge can use it to launch sophisticated attacks.

Phishing attacks have also been observed delivering information-stealing malware, known as 0bj3ctivity Stealer, via another loader, called Ande Loader, as part of a multi-layered distribution mechanism.

“The distribution of malware via obfuscated and encrypted scripts, memory injection techniques, and the continued enhancement of Ande Loader with features such as anti-debugging and string obfuscation underscore the need for advanced detection mechanisms and ongoing investigation,” eSentire said.


These campaigns are just the latest in a series of phishing and social engineering attacks that have been uncovered in recent weeks, even as threat actors increasingly use fake QR codes for malicious purposes –

  • ClearFake campaign using infected websites to spread .NET malware under the pretext of downloading a Google Chrome update
  • A campaign that uses fake websites impersonating HSBC, Santander, Virgin Money and Wise to deliver a copy of the AnyDesk Remote Monitoring and Management (RMM) software to Windows and macOS users, which is then used to steal confidential data
  • A fake website (“win-rar(.)co”) impersonating WinRAR to distribute ransomware, a cryptocurrency miner, and an information stealer called Kematian Stealer that is hosted on GitHub
  • A social media advertising campaign that takes over Facebook pages to promote a seemingly legitimate artificial intelligence (AI) photo editing website via paid ads that lure victims into downloading ITarian’s RMM tool and using it to deliver Lumma Stealer

“Targeting social media users for malicious activity underscores the importance of strong security measures to protect account credentials and prevent unauthorized access,” Trend Micro researchers said.
