Executive Summary
Between December 2024 and February 2025, the LevelBlue MDR team observed over a dozen attempts and a handful of successful intrusions by threat actors (TAs). Internally, we broadly attribute these attacks to the Black Basta ransomware gang. Based on other cybersecurity researchers' reporting of similar tactics, techniques, and procedures (TTPs), there is a high probability that this activity comes from affiliate groups or initial access brokers. The information presented below is a compilation of notes, details, recommendations, and guidance provided to our customers over the last couple of months as a result of dozens of opened investigations and incident response engagements. By making or recommending the system and enterprise changes outlined here, organizations can drastically reduce their attack surface, implement a stronger defense-in-depth security model, and more quickly detect and therefore contain an intrusion by this ever-prevalent threat and many others like it. Read the full whitepaper here.
Initial Access
The TA begins by email bombing specific users in the environment. This can range anywhere from a couple hundred to thousands of spam and junk emails. They then follow up this activity by reaching out to those users via a phone call or a Microsoft Teams message, with chats named some variation of "Help Desk". The TA tells the user that they have seen the spam emails and will need access to their machine to remedy the issue. The most common tool used to gain initial access to a victim machine is Microsoft's Quick Assist, which is pre-installed on Windows 10 and later. The TA provides the victim a code to use when establishing the connection; once it is entered, the TA has remote access to the machine and begins establishing persistence that survives the end of the Quick Assist session. In every case where we observed the execution of Quick Assist, a zip archive was created within the Downloads folder. In reviewing some cases, we have observed that the TA has started password protecting zip archives containing tools, but these initial files are not password protected. During the last customer intrusion we responded to, two .cab files were contained within the zip, and inside the .cab files were the legitimate OneDriveStandaloneUpdater.exe along with a malicious DLL to be sideloaded and additional files needed for lateral movement.
Figure 1: Creation of a zip archive using cmd.exe during the Quick Assist session. The TA extracts the files from the archive with tar:
tar xf wsqf418x4324.zip -C "C:\Users\[REDACTED]\AppData\Local\Temp"
Next, the TA expands the two .cab files that were inside:
expand -i "C:\Users\[REDACTED]\AppData\Local\Temp\symssdifdsook.cab" -F:* "C:\Users\[REDACTED]\AppData\Local\Microsoft\OneDrive"
expand "C:\Users\[REDACTED]\AppData\Local\Temp\difjsfhcx.cab" -F:* "C:\Users\[REDACTED]\AppData\Local\Microsoft\OneDrive"
After the two .cab files are deleted, OneDriveStandaloneUpdater.exe is executed from the OneDrive folder and sideloads wininet.dll from the same directory. DLL sideloading works because of DLL search order hijacking: the loader first checks whether a DLL with the same module name is already loaded in the process or is on the system's Known DLLs list. If neither applies and the application has not specified a full path for the DLL, Windows (with safe DLL search mode enabled, which is the default) searches in this order:
- The directory from which the application is loaded.
- C:\Windows\System32
- C:\Windows\System
- C:\Windows
- The current working directory
- Directories in the system PATH environment variable
- Directories in the user PATH environment variable
Because this particular application does not specify the path of the DLLs it loads, the wininet.dll within the OneDrive folder is loaded, placing the malicious code into memory. The DLL sideloading technique with OneDriveStandaloneUpdater.exe has been observed in every instance where the threat actor was able to gain access via Quick Assist. More recently we have seen wininet.dll leveraged, and we have previously seen winhttp.dll. It may also be possible for the threat actor to use the following imported DLLs, with the caveat that those on the default Known DLLs list (for example KERNEL32, USER32, ADVAPI32, OLE32, OLEAUT32, SHELL32, SHLWAPI, RPCRT4 and WS2_32) are always resolved from System32 and so are not practical sideload candidates, while the remainder (such as VERSION, USERENV, WINHTTP, WTSAPI32 and WININET) are:
- KERNEL32.dll
- USER32.dll
- OLEAUT32.dll
- ntdll.dll
- SHLWAPI.dll
- VERSION.dll
- USERENV.dll
- ADVAPI32.dll
- SHELL32.dll
- ole32.dll
- WINHTTP.dll
- RstrtMgr.DLL
- WINTRUST.dll
- WTSAPI32.dll
- bcrypt.dll
- CRYPT32.dll
- RPCRT4.dll
- Secur32.dll
- urlmon.dll
- WININET.dll
- WS2_32.dll
- IPHLPAPI.DLL
With the implant running and a new scheduled task ensuring OneDriveStandaloneUpdater.exe runs on startup, the TA now has one avenue of persistent access to the victim machine, and the Quick Assist connection is closed out.
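As an added example (not code from the LevelBlue report), the following Python script hunts for the chain described above over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) events: a Quick Assist process, tar/expand staging files into a user's AppData tree, and OneDriveStandaloneUpdater.exe resolving one of its imports from its own directory instead of System32. The pipe-delimited field layout and every sample line are constructed for this example, the WindowsApps folder name is a placeholder, and the script assumes the process name is quickassist.exe and that Sysmon image-load logging is enabled for the relevant processes.

```python
"""Hunt for Quick Assist -> archive staging -> DLL sideload (added example).

Field names mirror Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad);
the pipe-delimited rendering and all sample lines are constructed, not real logs.
"""
import json
import re
from pathlib import PureWindowsPath

# DLLs imported by OneDriveStandaloneUpdater.exe (the list given in the report).
WATCHED_DLLS = {
    "kernel32.dll", "user32.dll", "oleaut32.dll", "ntdll.dll", "shlwapi.dll",
    "version.dll", "userenv.dll", "advapi32.dll", "shell32.dll", "ole32.dll",
    "winhttp.dll", "rstrtmgr.dll", "wintrust.dll", "wtsapi32.dll", "bcrypt.dll",
    "crypt32.dll", "rpcrt4.dll", "secur32.dll", "urlmon.dll", "wininet.dll",
    "ws2_32.dll", "iphlpapi.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STAGING_TOOLS = {"tar.exe", "expand.exe"}
USER_APPDATA_RE = re.compile(r"c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample log lines; the WindowsApps folder is a placeholder
    r'EventID=1|Image=C:\Program Files\WindowsApps\QuickAssist_placeholder\QuickAssist.exe|CommandLine=QuickAssist.exe',
    r'EventID=1|Image=C:\Windows\System32\tar.exe|CommandLine=tar xf wsqf418x4324.zip -C "C:\Users\alice\AppData\Local\Temp"',
    r'EventID=1|Image=C:\Windows\System32\expand.exe|CommandLine=expand "C:\Users\alice\AppData\Local\Temp\difjsfhcx.cab" -F:* "C:\Users\alice\AppData\Local\Microsoft\OneDrive"',
    r'EventID=7|Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe|ImageLoaded=C:\Windows\System32\KERNEL32.dll',
    r'EventID=7|Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe|ImageLoaded=C:\Users\alice\AppData\Local\Microsoft\OneDrive\wininet.dll',
    r'EventID=1|Image=C:\Windows\System32\tar.exe|CommandLine=tar xf build.tar -C C:\build',  # benign: not into a user profile
]


def parse_event(line):
    """Turn one pipe-delimited line into a dict keyed by Sysmon-like field names."""
    return dict(field.split("=", 1) for field in line.split("|"))


def file_name(path):
    return PureWindowsPath(path).name.lower()


def in_system_dir(path):
    """True when the path sits under System32 or SysWOW64 (case-insensitive)."""
    return str(PureWindowsPath(path)).lower().startswith(SYSTEM_DIRS)


def find_quick_assist(events):
    """Quick Assist process starts mark the beginning of a possible session."""
    return [e["Image"] for e in events
            if e["EventID"] == "1" and file_name(e["Image"]) == "quickassist.exe"]


def find_staging(events):
    """tar/expand whose command line targets a user's AppData tree, as in the intrusion."""
    return [e["CommandLine"] for e in events
            if e["EventID"] == "1" and file_name(e["Image"]) in STAGING_TOOLS
            and USER_APPDATA_RE.search(e.get("CommandLine", ""))]


def find_sideloads(events):
    """A watched import loaded from anywhere other than System32/SysWOW64.

    Known DLLs always come from System32, so a hit on one of those would itself be
    abnormal; the non-Known imports (wininet, winhttp, version, ...) are the real risk.
    """
    hits = []
    for e in events:
        if e["EventID"] != "7":
            continue
        dll = PureWindowsPath(e["ImageLoaded"])
        if dll.name.lower() in WATCHED_DLLS and not in_system_dir(dll):
            hits.append({"process": e["Image"], "dll": str(dll),
                         # True when the DLL lives beside the EXE: the classic sideload layout
                         "beside_exe": dll.parent == PureWindowsPath(e["Image"]).parent})
    return hits


def assess(lines):
    """Correlate the three indicators and return findings plus a verdict."""
    events = [parse_event(line) for line in lines]
    result = {"quick_assist": find_quick_assist(events),
              "staging": find_staging(events),
              "sideloads": find_sideloads(events)}
    if result["sideloads"] and (result["quick_assist"] or result["staging"]):
        result["verdict"] = "investigate"  # sideload seen together with access or staging context
    elif any(result.values()):
        result["verdict"] = "review"       # a single indicator: worth a look, not conclusive alone
    else:
        result["verdict"] = "clean"
    return result


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_EVENTS), indent=2))
```

The sideload check deliberately keys on where the DLL was loaded from rather than on the DLL's hash, since the malicious wininet.dll changes between intrusions while the loading location (the writable OneDrive folder beside the signed updater) does not; the benign System32 load of KERNEL32.dll in the sample shows the distinction.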
Recommendations
- Implement a Microsoft Teams configuration that only allows allow-listed/federated domains to reach out to your internal users. Another step would be to disable incoming and outgoing chats and calls with Skype users (unless needed for business continuity).
- Remove Quick Assist from all end-user machines unless explicitly required for business and IT services. Our customers have been leveraging GPO and CCM to remove the application, as well as blocking the domains related to the Quick Assist service:
- remoteassistance.support.services.microsoft.com
- *.relay.support.services.microsoft.com
- Follow the guidance in the Persistence section of this report on preventing the download and execution of remote monitoring and management (RMM) software, as this TA will have victims download other tools if Quick Assist is not available.
- Educate users on this threat vector and provide guidance on the process your internal IT team will follow before reaching out to them (either via Teams or over the phone), or a verification process that is to be followed. Threats that require the victim to copy and paste commands, either as a drive-by compromise or via phishing/vishing, are on the rise; a consideration here would be limiting the ability of end users to run commands in Command Prompt or PowerShell.
For indicators of compromise in initial access, as well as a deep dive into the following stages of a Black Basta attack (Discovery, Credential Access, Lateral Movement, Persistence, and Exfiltration) and our expert guidance on containment and remediation, be sure to download our complete whitepaper here.