07 December 2023

Black Basta ransomware hackers infiltrate networks via Qakbot to deploy Brute Ratel C4

Cybercriminals from the Black Basta ransomware group have been observed using the Qakbot Trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks.

According to Trend Micro, this is the first time the Brute Ratel C4 penetration testing tool has been distributed via a Qakbot infection. The intrusion, carried out using a phishing email containing a link to a ZIP archive, also involved the use of Cobalt Strike for lateral movement. These utilities are fundamentally legitimate tools designed for penetration testing, but their ability to provide remote access has also made them ideal for attackers who wish to probe compromised systems for extended periods of time. The impact of this misuse can therefore be significant, as it increases the capabilities of attackers exponentially by allowing them to gather intelligence during and after their actions on their targets.
