Black Basta, a ransomware group active since at least April 2022, is using a new social engineering tactic built on Microsoft Teams in an active campaign. The group first floods a victim's inbox with thousands of non-malicious emails (newsletters, sign-up confirmations, and email verifications) so that the user is overwhelmed and primed to accept help. The attacker then contacts the user on Microsoft Teams while posing as the company's IT help desk and convinces them to install a remote desktop support tool such as AnyDesk, which gives the threat actor remote access to the machine.
What’s Notable and Unique
- Once attackers have initial access to the victim’s environment, they are able to install other malware and tools, including ScreenConnect, NetSupport Manager, and Cobalt Strike, for lateral movement and privilege escalation.
- Threat actors contact victims on Microsoft Teams as external users whose display names and tenant domains look help desk-related, such as “supportadministrator.onmicrosoft[.]com.” Because onmicrosoft.com is the default domain of any Microsoft Entra ID tenant, the sender appears to be a legitimate Microsoft-hosted account, lending the actor credibility in the eyes of the potential victim.
- Initially, threat actors made contact through phone calls; initial contact through Teams, however, likely adds a further layer of credibility in the eyes of the victim.
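The two stages described above (the inbound mail flood, then the external "help desk" Teams chat) can be correlated in audit telemetry. The following is an added example written for this brief, not code from the original page or from any of the cited reports. It runs over constructed sample records whose field names (`recipient`, `Operation`, `ChatCreated`, `ParticipantInfo.HasForeignTenantUsers`, `Members[].UPN`) are assumptions modelled loosely on Microsoft 365 audit data; the victim domain, allowlisted partner domain and thresholds are likewise assumed.

```python
"""Correlate an inbound mail flood with a follow-on Teams chat from an
external 'help desk' account. Sample data and field names are constructed
for illustration, not copied from a real tenant."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

INTERNAL_DOMAIN = "victim.example.com"              # assumed victim tenant
ALLOWED_EXTERNAL_DOMAINS = {"partner.example.com"}  # assumed federation allowlist
HELPDESK_RE = re.compile(r"help\s*desk|support|it\s*admin", re.IGNORECASE)


def _domain(upn):
    return upn.lower().rsplit("@", 1)[-1]


def detect_mail_bursts(mail_events, threshold=50, window=timedelta(minutes=10)):
    """Map recipient -> start of the first window holding >= threshold inbound mails."""
    by_rcpt = defaultdict(list)
    for ev in mail_events:
        by_rcpt[ev["recipient"].lower()].append(datetime.fromisoformat(ev["timestamp"]))
    bursts = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[rcpt] = times[start]
                break
    return bursts


def suspicious_external_chats(teams_events, internal_domain=INTERNAL_DOMAIN,
                              allowed=ALLOWED_EXTERNAL_DOMAINS):
    """Flag ChatCreated records started by a foreign-tenant user who is off the
    allowlist, uses a default *.onmicrosoft.com tenant, or uses a help-desk name."""
    findings = []
    for ev in teams_events:
        if ev.get("Operation") != "ChatCreated":
            continue
        if not ev.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
            continue
        initiator = ev["UserId"].lower()
        init_domain = _domain(initiator)
        if init_domain == internal_domain:
            continue   # started by an employee; not the inbound pattern we want
        member = next((m for m in ev["Members"] if m["UPN"].lower() == initiator), {})
        name = member.get("DisplayName", "")
        reasons = []
        if init_domain.endswith(".onmicrosoft.com"):
            reasons.append("default onmicrosoft.com tenant domain")
        if init_domain not in allowed:
            reasons.append("domain not on federation allowlist")
        if HELPDESK_RE.search(name):
            reasons.append("help-desk-style display name")
        if not reasons:
            continue
        targets = [m["UPN"].lower() for m in ev["Members"]
                   if _domain(m["UPN"]) == internal_domain]
        findings.append({"chat": ev["ChatThreadId"], "initiator": initiator,
                         "time": datetime.fromisoformat(ev["CreationTime"]),
                         "display_name": name, "targets": targets, "reasons": reasons})
    return findings


def correlate(bursts, chats, window=timedelta(hours=24)):
    """Keep chats whose internal target received a mail burst within `window` beforehand."""
    return [f for f in chats if any(
        t in bursts and timedelta(0) <= f["time"] - bursts[t] <= window for t in f["targets"])]


# --- Constructed sample telemetry (not real logs) ---
BASE = datetime(2024, 10, 21, 9, 0, 0)
MAIL_EVENTS = [  # 60 sign-up confirmations to alice in six minutes, three digests to bob
    {"timestamp": (BASE + timedelta(seconds=6 * i)).isoformat(),
     "recipient": "alice@victim.example.com", "subject": f"Confirm your subscription #{i}"}
    for i in range(60)
] + [
    {"timestamp": (BASE + timedelta(minutes=i)).isoformat(),
     "recipient": "bob@victim.example.com", "subject": "Weekly digest"} for i in range(3)
]
TEAMS_EVENTS = [
    {"Operation": "ChatCreated", "CreationTime": (BASE + timedelta(minutes=20)).isoformat(),
     "ChatThreadId": "19:chat-internal", "UserId": "bob@victim.example.com",
     "ParticipantInfo": {"HasForeignTenantUsers": False},
     "Members": [{"UPN": "bob@victim.example.com", "DisplayName": "Bob Lee"},
                 {"UPN": "alice@victim.example.com", "DisplayName": "Alice Chen"}]},
    {"Operation": "ChatCreated", "CreationTime": (BASE + timedelta(minutes=25)).isoformat(),
     "ChatThreadId": "19:chat-partner", "UserId": "dana@partner.example.com",
     "ParticipantInfo": {"HasForeignTenantUsers": True},
     "Members": [{"UPN": "dana@partner.example.com", "DisplayName": "Dana Ruiz"},
                 {"UPN": "bob@victim.example.com", "DisplayName": "Bob Lee"}]},
    {"Operation": "ChatCreated", "CreationTime": (BASE + timedelta(minutes=35)).isoformat(),
     "ChatThreadId": "19:chat-helpdesk", "UserId": "admin@supportadministrator.onmicrosoft.com",
     "ParticipantInfo": {"HasForeignTenantUsers": True},
     "Members": [{"UPN": "admin@supportadministrator.onmicrosoft.com", "DisplayName": "Help Desk"},
                 {"UPN": "alice@victim.example.com", "DisplayName": "Alice Chen"}]},
]


def run():
    return correlate(detect_mail_bursts(MAIL_EVENTS), suspicious_external_chats(TEAMS_EVENTS))


if __name__ == "__main__":
    for alert in run():
        print(f"[ALERT] {alert['display_name']!r} <{alert['initiator']}> -> {alert['targets']} "
              f"after mail flood; reasons: {', '.join(alert['reasons'])}")
```

On the sample data only the "Help Desk" chat from the onmicrosoft.com tenant is raised, and only because Alice had just received the mail burst; the partner chat to Bob is ignored because the domain is allowlisted and no flood preceded it. Note that with an empty allowlist (the Teams default of open federation) every inbound external chat trips the allowlist reason, so tune the allowlist or weight the reasons before paging on-call.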
Analyst Comments
The use of Microsoft Teams for social engineering shows an increased level of sophistication in the group's tactics. Creating high-stress scenarios for targets, combined with contacting them through a communication channel they already trust, is likely to raise the success rate of social engineering attempts. Arete will continue monitoring for any evolutions of this tactic or other groups adopting the tactic.
Sources
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Black Basta ransomware poses as IT support on Microsoft Teams to breach networks