Researchers uncover similar tools between FIN7 and Black Basta ransomware
According to security researchers from SentinelOne, the relatively new ransomware gang called Black Basta shares tooling and possibly personnel with the notorious FIN7 hacking group.
The researchers were able to uncover a tool that was used by Black Basta ransomware operators to bypass endpoint detection and response systems.
The malware used by Black Basta is used exclusively by the group and the same developer also creates a custom tool that can help them manipulate the graphic user interface of Windows Defender to prevent victims from knowing that it has been disabled by hackers.
One of the malware investigated was equipped with a backdoor called BIRDDOG. BIRDDOG has been used in several past FIN7 operations to signal a command-and-control server using the same bulletproof hosting services deployed by FIN7.
Although researchers discovered that the code samples found on public malware repositories use the same packer pre-dated the emergence of BIRDDOG by two months, but concluded that the packer used to compress BIRDDOG is an updated version.
“We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups. At this point, it’s likely that FIN7 or an affiliate began writing tools from scratch in order to disassociate their new operations from the old. Based on our analysis, we believe that the custom impairment tool described above is one such tool,” write SentinelOne researchers Antonio Cocomazzi and Antonio Pirozzi.
FIN7 is a cybercriminal group that allegedly operates from Russian territory and is associated with BlackMatter and Darkside ransomware. FIN7 group is believed to have been founded in 2013, with ransomware being sporadically put into operation in 2020. Attackers use several malware families such as CARBANAK, BIRDDOG, GRIFFON & DICELOADER. Once a backdoor has been gained, the group could continue to gain lateral movements within the system with an average dwell time of six to eight months before a ransomware is finally deployed.
The sources for this piece incident an article in SCMagazine.
Check out this news on our Youtube channher: https://bit.ly/3UCSY3n