Black Basta has been using Microsoft Teams to impersonate corporate IT support and gain access to employee devices under the guise of helping with spam issues, it has emerged. This shift in tactics, documented by cybersecurity firm ReliaQuest, highlights a concerning adaptation in Black Basta’s strategies to infiltrate business networks.
An active ransomware group since April 2022, Black Basta has carried out numerous attacks on businesses worldwide. Traditionally, their approach has included sending a flood of non-malicious emails, such as newsletters, sign-up confirmations, and verification requests, to overwhelm the inboxes of targeted employees. This tactic served to frustrate the user and create a sense of urgency. In past campaigns, attackers would follow up with phone calls, posing as IT support to offer help with the spam issue and thereby gaining access to the employee’s device.
Ransomware operation expands with new tactics
This month, however, ReliaQuest researchers noted a significant change in Black Basta’s methods. Rather than relying on phone calls, the group has been observed contacting employees directly through Microsoft Teams, using external user accounts to impersonate the IT help desk. By reaching out on a familiar corporate platform, the attackers aim to build credibility and convince the target to accept their assistance in resolving the alleged spam problem.
Earlier this year, Rapid7 and ReliaQuest issued advisories about a Black Basta campaign that targeted employees’ inboxes with massive volumes of emails. Although these emails were not harmful, the sheer volume was overwhelming. Black Basta operatives would then contact the overwhelmed employee, posing as IT staff and suggesting the installation of remote support tools like AnyDesk to help manage the influx of emails. Once installed, Black Basta could maintain remote access to corporate systems, using tools such as ScreenConnect, NetSupport Manager, and Cobalt Strike to sustain their control.
With Microsoft Teams now part of their strategy, Black Basta affiliates have been observed sending QR codes in chat messages, directing users to suspicious domains like qr-s1[.]com. Although the precise function of these QR codes remains unclear, researchers note that the external Microsoft Teams accounts originate from Russia, with Moscow time zone data consistently linked to the accounts.
“These external users set their profiles to a ‘DisplayName’ designed to make the targeted user think they were communicating with a help-desk account,” reads the ReliaQuest report.
“In almost all instances we’ve observed, the display name included the string ‘Help Desk,’ often surrounded by whitespace characters, which is likely to centre the name within the chat. We also observed that, typically, targeted users were added to a ‘OneOnOne’ chat.”
The attackers’ objective is to manipulate the target into installing AnyDesk or activating Quick Assist, which would then allow them to gain full control over the employee’s device. Other researchers have also identified a file named AntispamConnectUS.exe on VirusTotal, flagged as SystemBC, a proxy malware previously associated with Black Basta’s tactics. Once the attackers gain access, they can install Cobalt Strike, giving them complete control over the compromised system and enabling them to push further into the network.
To counter the evolving Black Basta threat, ReliaQuest advises organisations to restrict external communication on Microsoft Teams, allowing it only from trusted domains where it is genuinely needed. The firm also recommends enabling logging for specific Teams events, such as ChatCreated, so that potentially suspicious activity, for example an external account opening a chat with a help-desk-style display name, can be detected and reviewed.
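The detection ReliaQuest describes, an external Teams account with a whitespace-padded "Help Desk" display name opening a one-on-one chat, can be written as a small triage script over ChatCreated audit records. The example below is added here and is not from the ReliaQuest report or any Microsoft tooling; the record layout (Operation, Workload, CommunicationType, Members with DisplayName and UPN) is an assumption that loosely mirrors the Microsoft 365 unified audit log, and every sample record, domain and account name is constructed for the demonstration.

```python
"""Triage Teams ChatCreated records for help-desk impersonation by external
accounts. Example code, not the ReliaQuest report's own tooling."""
import json
import unicodedata

# Domains the organisation owns (assumption for the example).
INTERNAL_DOMAINS = {"corp.example"}

# Support-themed substrings to look for after normalisation (assumption; extend as needed).
IMPERSONATION_TERMS = ("helpdesk", "itsupport", "servicedesk")

# Constructed sample records. Keys mirror the unified audit log's Teams records only
# loosely; treat the exact field names as an assumption for this demonstration.
SAMPLE_RECORDS = [
    {   # external account, em-space padded name, one-on-one chat -> strongest signal
        "Operation": "ChatCreated", "Workload": "MicrosoftTeams",
        "CommunicationType": "OneOnOne", "ChatThreadId": "19:constructed-1@thread.v2",
        "Members": [
            {"DisplayName": "\u2003\u2003Help Desk\u2003\u2003", "UPN": "support@outside.invalid"},
            {"DisplayName": "Alice Example", "UPN": "alice@corp.example"},
        ],
    },
    {   # external account using a fullwidth 'H' lookalike, group chat, no padding
        "Operation": "ChatCreated", "Workload": "MicrosoftTeams",
        "CommunicationType": "Group", "ChatThreadId": "19:constructed-2@thread.v2",
        "Members": [
            {"DisplayName": "\uff28elp Desk", "UPN": "it@another-outside.invalid"},
            {"DisplayName": "Bob Example", "UPN": "bob@corp.example"},
        ],
    },
    {   # genuine internal help desk -> must not be flagged
        "Operation": "ChatCreated", "Workload": "MicrosoftTeams",
        "CommunicationType": "OneOnOne", "ChatThreadId": "19:constructed-3@thread.v2",
        "Members": [
            {"DisplayName": "Help Desk", "UPN": "helpdesk@corp.example"},
            {"DisplayName": "Carol Example", "UPN": "carol@corp.example"},
        ],
    },
    {   # different operation -> skipped entirely
        "Operation": "MessageSent", "Workload": "MicrosoftTeams",
        "CommunicationType": "OneOnOne",
        "Members": [{"DisplayName": " Help Desk ", "UPN": "x@outside.invalid"}],
    },
]


def normalize_display_name(name: str) -> str:
    """Undo the padding and lookalike tricks: NFKC folds compatibility characters
    (e.g. fullwidth letters, no-break spaces), then every Unicode whitespace
    character is removed and case is folded."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(ch for ch in folded if not ch.isspace()).casefold()


def is_padded(name: str) -> bool:
    """True when the raw name is wrapped in whitespace, the centring trick the report describes."""
    return name != name.strip()


def is_external(upn: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """An account is external when its UPN domain is not one the organisation owns."""
    domain = upn.rpartition("@")[2].casefold()
    return domain not in {d.casefold() for d in internal_domains}


def find_suspicious_chats(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per external member whose normalised display name
    impersonates support, scored by the extra indicators the report lists."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "ChatCreated" or rec.get("Workload") != "MicrosoftTeams":
            continue
        for member in rec.get("Members", []):
            upn, raw_name = member.get("UPN", ""), member.get("DisplayName", "")
            if not is_external(upn, internal_domains):
                continue
            normalized = normalize_display_name(raw_name)
            if not any(term in normalized for term in IMPERSONATION_TERMS):
                continue
            score, reasons = 1, ["external account with support-themed display name"]
            if is_padded(raw_name):
                score, reasons = score + 1, reasons + ["display name padded with whitespace"]
            if rec.get("CommunicationType") == "OneOnOne":
                score, reasons = score + 1, reasons + ["one-on-one chat"]
            findings.append({"chat_id": rec.get("ChatThreadId"), "upn": upn,
                             "display_name": raw_name, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_suspicious_chats(SAMPLE_RECORDS), indent=2, ensure_ascii=False))
```

Normalising before matching matters more than the match itself: a plain substring check for "Help Desk" misses names padded with em spaces or spelled with lookalike characters, which is exactly what the padding is for. In production the records would come from an audit-log export rather than the inline list, and the internal-domain set from the tenant's verified domains.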