The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.

Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.

After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into multiple groups, with one of these factions believed to be Black Basta.

Black Basta members breach networks through various methods, including vulnerabilities, partnering wish malware botnets, and social engineering.

In May,  Rapid7 and ReliaQuest released advisories on a new Black Basta social engineering campaign that flooded targeted employees’ inboxes with thousands of emails. These emails were not malicious in nature, mostly consisting of newsletters, sign-up confirmations, and email verifications, but they quickly overwhelmed a user’s inbox.

The threat actors would then call the overwhelmed employee, posing as their company’s IT help desk to help them with their spam problems.

During this voice social engineering attack, the attackers trick the person into installing the AnyDesk remote support tool or providing remote access to their Windows devices by launching the Windows Quick Assist remote control and screen-sharing tool.

From there, the attackers would run a script that installs various payloads, such as ScreenConnect, NetSupport Manager, and Cobalt Strike, which provide continued remote access to the user’s corporate device.

Now that the Black Basta affiliate has gained access to the corporate network, they would spread laterally to other devices while elevating privileges, stealing data, and ultimately deploying the ransomware encryptor.

Moving to Microsoft Teams

In a new report by ReliaQuest, researchers observed Black Basta affiliates evolving their tactics in October by now utilizing Microsoft Teams.

Like the previous attack, the threat actors first overwhelm an employee’s inbox with email.

However, instead of calling them, the attackers now contact employees through Microsoft Teams as external users, where they impersonate corporate IT help desk contacting the employee to assist them with their spam problem.

The accounts are created under Entra ID tenants that are named to appear to be help desk, like:

securityadminhelper.onmicrosoft[.]com
supportserviceadmin.onmicrosoft[.]com
supportadministrator.onmicrosoft[.]com
cybersecurityadmin.onmicrosoft[.]com

“These external users set their profiles to a “DisplayName” designed to make the targeted user think they were communicating with a help-desk account,” explains the new ReliaQuest report.

“In almost all instances we’ve observed, the display name included the string “Help Desk,” often surrounded by whitespace characters, which is likely to center the name within the chat. We also observed that, typically, targeted users were added to a “OneOnOne” chat.”

ReliaQuest says they have also seen the threat actors sending QR codes in the chats, which lead to domains like qr-s1[.]com. However, they could not determine what these QR codes are used for.

The researchers say that the external Microsoft Teams users originate from Russia, with the time zone data regularly being from Moscow.

The goal is to once again trick the target into installing AnyDesk or launching Quick Assist so the threat actors can gain remote access to their devices.

Once connected, the threat actors were seen installing payloads named  “AntispamAccount.exe,” “AntispamUpdate.exe,” and “AntispamConnectUS.exe.”

Other researchers have flagged AntispamConnectUS.exe on VirusTotal as SystemBC, a proxy malware that Black Basta used in the past.

Ultimately, Cobalt Strike is installed, providing full access to the compromised device to act as a springboard to push further into the network.

ReliaQuest suggests organizations restrict communication from external users in Microsoft Teams and, if required, only allow it from trusted domains. Logging should also be enabled, especially for the ChatCreated event, to find suspicious chats.