Threat actors previously associated with the Black Basta ransomware gang have continued leveraging Microsoft Teams phishing alongside Python script execution in new intrusions, indicating the ongoing regrouping of the ransomware operation following a steep decline stemming from its internal chat log leak earlier this year, The Hacker News reports.
Finance, insurance, and construction organizations have been subjected to Teams phishing attacks by former Black Basta members, with almost half of the incidents between February and May discovered to have been from onmicrosoft[.]com domains, according to an analysis from ReliaQuest. Initial access facilitated by Teams phishing was followed by the utilization of AnyDesk and QuickAssist remote desktop software for the eventual delivery of a malicious Python script for command-and-control communications. Aside from the potential migration of ex-Black Basta members to the CACTUS ransomware-as-a-service group, such findings also suggest the likely increased utilization of Python scripts in subsequent Teams phishing campaigns, said ReliaQuest researchers. Meanwhile, similar attack tactics were reported by Rapid7 to have been leveraged by the BlackSuit ransomware gang, which may have added former Black Basta members as affiliates.
Finance, insurance, and construction organizations have been subjected to Teams phishing attacks by former Black Basta members, with almost half of the incidents between February and May discovered to have been from onmicrosoft[.]com domains, according to an analysis from ReliaQuest. Initial access facilitated by Teams phishing was followed by the utilization of AnyDesk and QuickAssist remote desktop software for the eventual delivery of a malicious Python script for command-and-control communications. Aside from the potential migration of ex-Black Basta members to the CACTUS ransomware-as-a-service group, such findings also suggest the likely increased utilization of Python scripts in subsequent Teams phishing campaigns, said ReliaQuest researchers. Meanwhile, similar attack tactics were reported by Rapid7 to have been leveraged by the BlackSuit ransomware gang, which may have added former Black Basta members as affiliates.
