
Researchers uncover similar tools between FIN7 and Black Basta ransomware

Obanla Opeyemi

November 14, 2022 - TuxCare expert team

According to security researchers from SentinelOne, the relatively new ransomware gang called Black Basta shares tooling and possibly personnel with the notorious FIN7 hacking group.

The researchers were able to uncover a tool that was used by Black Basta ransomware operators to bypass endpoint detection and response systems.

The malware used by Black Basta is exclusive to the group, and the same developer also created a custom tool that manipulates the graphical user interface of Windows Defender so that victims do not notice the product has been disabled by the attackers.

One of the samples investigated was equipped with a backdoor called BIRDDOG. BIRDDOG has been used in several past FIN7 operations, signaling a command-and-control server hosted on the same bulletproof hosting services that FIN7 deploys.

Researchers also found that code samples on public malware repositories using the same packer pre-dated the emergence of BIRDDOG by two months, but concluded that the packer used to compress BIRDDOG is an updated version of it.

“We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups. At this point, it’s likely that FIN7 or an affiliate began writing tools from scratch in order to disassociate their new operations from the old. Based on our analysis, we believe that the custom impairment tool described above is one such tool,” write SentinelOne researchers Antonio Cocomazzi and Antonio Pirozzi.

FIN7 is a cybercriminal group that allegedly operates from Russian territory and is associated with the BlackMatter and Darkside ransomware. The FIN7 group is believed to have been founded in 2013, with ransomware sporadically put into operation from 2020. The attackers use several malware families, such as CARBANAK, BIRDDOG, GRIFFON and DICELOADER. Once a backdoor has been established, the group moves laterally within the victim's environment, with an average dwell time of six to eight months before ransomware is finally deployed.

The sources for this piece include an article in SCMagazine.

Check out this news on our YouTube channel: https://bit.ly/3UCSY3n
