Tyler McGraw@Rapid7 Cybersecurity Blog
The BlackSuit ransomware group is continuing its campaign of social engineering attacks, a tactic that cybersecurity experts believe they adopted from the Black Basta ransomware group. This shift in tactics comes after Rapid7 observed a significant decrease in social engineering attacks attributed to Black Basta since late December 2024, possibly indicating a change in Black Basta's operations due to internal conflicts or other factors. BlackSuit's persistence in employing social engineering highlights the ongoing threat landscape where ransomware groups readily adapt and evolve their methods to maximize their success in breaching target networks.
The social engineering tactics employed by BlackSuit echo those previously used by Black Basta, including email bombing and Microsoft Teams phishing. According to a report from ReliaQuest in June 2025, attackers have recently begun incorporating Python scripts alongside these techniques, using cURL requests to retrieve and deploy malicious payloads. This demonstrates an increasing sophistication in their approach, aimed at establishing persistent access to targeted systems and evading traditional security measures. These attacks often masquerade as legitimate communications, such as messages from help desk personnel, to trick unsuspecting users into divulging sensitive information or executing malicious code. ReliaQuest's findings reveal that a substantial portion of Teams phishing attacks originated from onmicrosoft[.]com domains or breached domains, making it difficult to distinguish malicious traffic from legitimate network activity. The affected sectors include finance, insurance, and construction. This transition towards more sophisticated and stealthy methods poses a significant challenge to organizations, as they must enhance their detection capabilities to identify and mitigate these evolving threats effectively.
do son@securityonline.info
Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When a victim clicks the “Download” button, they unknowingly trigger a chain reaction of events.
The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service, for data exfiltration.
do son@securityonline.info
A recent cyberattack campaign has been uncovered, highlighting the use of a malicious Zoom installer to deploy BlackSuit ransomware. Threat actors are exploiting users by distributing a weaponized Zoom installer through a cloned website, ultimately gaining remote desktop protocol (RDP) access to targeted systems. This sophisticated intrusion begins when unsuspecting users download the fake installer, initiating a multi-stage malware deployment.
The malicious installer deploys a loader that downloads additional payloads, including SectopRAT malware, used for reconnaissance and credential harvesting. After a dwell period, threat actors then deploy Brute Ratel and Cobalt Strike for lateral movement across the network. The attackers exfiltrate data and ultimately distribute the BlackSuit ransomware, encrypting files and leaving ransom notes. This incident underscores the evolving tactics of cybercriminals who combine social engineering with advanced malware techniques to evade detection and maximize the impact of their attacks.