February 20, 2024
In late September 2022, ReliaQuest discovered a security incident unfolding in a customer's environment. A threat actor gained initial network access, rapidly escalated privileges, and moved laterally: the time from initial execution to lateral movement was just 77 minutes.
We severed the adversary's foothold and worked alongside the impacted customer to remediate the intrusion, but there are valuable lessons to take away. Many of the attacker's actions were assisted by an accepted risk that, if avoided, could have prevented, or at least slowed, their advance.
The threat actor's techniques, notably the use of "QBot" for initial access, suggested they are an affiliate of the "Black Basta" ransomware-as-a-service (RaaS) program. Ransomware remains, arguably, the most pernicious threat that businesses face in 2023. Let's go over some simple changes that can often mean the difference between remediation and catastrophe.
Also known as Qakbot, QuackBot, and Pinkslipbot, QBot is a banking trojan first observed in 2007. Like other long-lived banking trojans such as "Emotet," QBot has acquired many new functions over the years and is continually developed to incorporate new techniques. In addition to stealing financial details and personally identifiable information (PII), QBot can be used for lateral movement, for evading detection and analysis, and for installing additional malware on compromised machines.
On September 29, 2022, we detected malicious activity following the deployment of a Cobalt Strike Beacon and remote management software in a customer's environment. The attacker had achieved initial access via a phishing email delivered to end-user inboxes, having slipped past an overly permissive email security solution.
The phishing email led to the deployment of QBot and gave the attacker an initial foothold in the environment. They then obtained valid credentials for a service account that was a member of a domain administrator group, which smoothed the path to move laterally and deploy further Cobalt Strike beacons.
The time from initial QBot execution to lateral movement, commonly known as the breakout time, was 77 minutes. (See Figure 1 for a timeline.) This is far quicker than most cases of this kind, which usually have a breakout time of around two hours.
The attacker's actions bore the hallmarks of a Black Basta affiliate, with QBot activity widely reported as a cornerstone of Black Basta intrusions. Black Basta is a splinter group that emerged as the "Conti" ransomware syndicate was collapsing; many of Conti's members moved on to alternative ransomware programs. The Black Basta group operates a ransomware-as-a-service (RaaS) program.
The phishing email that granted initial access was delivered on 26 Sep 2022. The attachment, named REF#6547_SEP_28.HTML, was flagged as malicious by Office 365, but the message still reached the inbox. It was an HTML smuggling attachment: the HTML reassembled a ZIP file in the recipient's browser as the first stage of delivering a QBot implant. The email's text urged the recipient to open the attachment and approve its contents.
The ZIP was protected with a password displayed on the same page: abc333. Inside the archive was an ISO image; double-clicking it mounted the image as a new drive. That drive held a LNK file which, when clicked, launched a JS file that in turn invoked the script STICKLERBLOWN.CMD. The whole chain hinged on the user clicking that LNK file.
This concluded the current QBot delivery chain, with QBot acting as both trojan and dropper to establish an initial foothold in the target's environment. Fake Adobe Acrobat updates have long been synonymous with malware delivery, so there is nothing new here, but the lure continues to be effective because the software is free and widely used.
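The delivery chain above (HTML smuggling, then a password-protected ZIP wrapping an ISO) can be triaged without ever mounting the image. The script below is an added example written for this post, not ReliaQuest's tooling or anything from the incident: it looks for the browser-side download pattern in an HTML attachment, decodes any long base64 literal, and, where the blob is a ZIP, lists the member names and encryption flag straight from the central directory, which is readable even when the contents are password-protected. The sample page it builds is constructed (a ZIP holding a zero-filled stand-in ISO named after the real attachment); the indicator list and the 256-character threshold are assumptions to tune locally.

```python
import base64
import io
import re
import zipfile

# Script patterns that typically appear when an HTML attachment rebuilds a file
# client-side and triggers a download (HTML smuggling). Assumed indicator set.
JS_INDICATORS = (
    r"atob\(",
    r"new\s+Blob\(",
    r"URL\.createObjectURL\(",
    r"msSaveOrOpenBlob\(",
    r"\.download\s*=",
    r"\.click\(\)",
)
# A base64 literal long enough to be a file rather than an inline icon (assumed threshold).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{256,}={0,2})['\"]")
# Container and script types seen in the ZIP > ISO > LNK > JS > CMD chain.
CONTAINER_EXT = (".iso", ".img", ".vhd", ".vhdx", ".lnk", ".js", ".cmd", ".bat")


def inspect_zip(data):
    """Return (encrypted, member_names) if data is a ZIP archive, else None.

    The central directory of a password-protected ZIP is not encrypted, so
    member names and the encryption flag are readable without the password.
    """
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    encrypted = any(zi.flag_bits & 0x1 for zi in infos)   # bit 0 = traditional encryption
    return encrypted, [zi.filename for zi in infos]


def detect_html_smuggling(html):
    """Score an HTML attachment: JS download indicators plus embedded payloads."""
    indicators = [p for p in JS_INDICATORS if re.search(p, html)]
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        entry = {"size": len(blob), "zip": None, "suspicious_members": []}
        parsed = inspect_zip(blob)
        if parsed:
            encrypted, names = parsed
            entry["zip"] = {"encrypted": encrypted, "members": names}
            entry["suspicious_members"] = [n for n in names if n.lower().endswith(CONTAINER_EXT)]
        payloads.append(entry)
    verdict = "smuggling" if len(indicators) >= 2 and payloads else "clean"
    return {"verdict": verdict, "js_indicators": indicators, "payloads": payloads}


def build_sample_page():
    """Constructed sample, not the real attachment: a ZIP holding a stand-in ISO,
    embedded the way smuggling attachments carry their payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("REF#6547_SEP_28.iso", b"\x00" * 2048)   # placeholder bytes, not an ISO
    payload = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><p>Loading document...</p><script>
var p = "{payload}";
var bytes = Uint8Array.from(atob(p), c => c.charCodeAt(0));
var b = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(b);
a.download = "REF#6547_SEP_28.zip";
document.body.appendChild(a);
a.click();
</script></body></html>"""


if __name__ == "__main__":
    print(detect_html_smuggling(build_sample_page()))
```

Because the verdict depends on both the script pattern and a decodable payload, a marketing page with one long base64 image does not trip it; a real attachment can still hide the payload behind string concatenation or a custom alphabet, so treat a "clean" result as "nothing obvious", not as safe.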
In this case, the attacker used the initial QBot foothold to deliver a Cobalt Strike beacon to the beachhead host. Cobalt Strike and similar post-exploitation tools are typical follow-on payloads from these infections: commodity malware gets the actor in, and a command-and-control (C2) implant of their choosing then solidifies the foothold on the network.
At this point, the threat actor pivoted from the QBot C2 channel to the new C2 channel provided by the Cobalt Strike beacon. It was an HTTPS beacon that communicated with a team server at 194.165.16[.]95, much like other QBot campaigns run by RaaS affiliates and initial access brokers (IABs). (We've written before about the growing role of IABs in facilitating cybercrime.)
The attacker also used alternative HTTPS channels to maintain their foothold: they deployed and configured the remote-access tools AnyDesk, Atera, and Splashtop, all of which communicate over HTTPS.
The use of commercial remote-access software is common; threat actors associated with Conti's affiliate program often use Atera and AnyDesk. In this case, AnyDesk was installed after we identified and contained the Atera agents, which had been deployed to multiple compromised hosts. The agents were linked to the email address UQUISKISESHLM[at]GMAIL[.]COM, an apparently random string of letters most likely chosen for OPSEC reasons.
Credential access was achieved by using the Data Protection API (DPAPI) to decrypt a stored credential for an account. DPAPI protects secrets on the local system, including saved user credentials, which makes it a common target for credential harvesting; in this case it resulted in the account being compromised. Common tooling, including Mimikatz, which was also used during this incident, provides modules for decrypting DPAPI-protected credentials. Mimikatz is an open-source tool used by both attackers and penetration testers to gather credentials on Windows systems.
During the intrusion, the attacker primarily used a service account with domain administrator privileges. This let them pursue their objectives until the account was disabled, at which point they pivoted to another valid account that was also a member of the domain administrators group. The speed of that pivot was notable.
Another operation highlighted the attacker's preference for keeping several options available. The threat actor attempted to add an account named OLDADMINISTRATOR to the local Administrators group on hosts where a local account named ADMINN had previously been created. We never saw OLDADMINISTRATOR actually being created, which seemed odd. The Conti affiliate manual instructs affiliates to create the account OLDADMINISTRATOR with the password qc69t4B#Z0kE3 and then add it to the local Administrators group. Here the actor appears to have skipped the creation step and gone straight to the group addition; because OLDADMINISTRATOR did not exist, the attempt failed.
Of all the details we uncovered, this was perhaps the most comical: even with a playbook, human error is inevitable. It was also somewhat surprising that Conti's affiliates follow the step-by-step manual to the letter, even using its pre-designated passwords.
Built-in Windows binaries were used for network discovery, including NET, ARP, ROUTE, NETSTAT, IPCONFIG, and WHOAMI; these were observed as child processes of WERMGR.EXE. The QBot infection was responsible for this discovery, as the QBot payload was running inside the memory space of the wermgr.exe process.
Later in the intrusion we also identified the attacker using a network scanning tool, NETSCAN.EXE, which can enumerate hosts on the network and their accessible shares; it is another tool known to be used by Conti affiliates.
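The discovery activity above, and the failed OLDADMINISTRATOR group addition described earlier, both leave traces in process-creation telemetry (Sysmon event 1 or Windows event 4688 with command-line logging enabled). The detection logic below is an added example written for this post, not ReliaQuest's GreyMatter content: it flags the post's discovery utilities when their parent is something other than a shell or Explorer (a Windows Error Reporting process should never launch whoami), a burst of four or more distinct discovery tools from one host and user inside five minutes, any execution of netscan.exe, and a `net localgroup administrators ... /add`. The event lines, the host and user names, the thresholds, and the "expected parent" list are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in utilities the post lists as the actor's discovery toolkit.
DISCOVERY_IMAGES = {"net.exe", "net1.exe", "arp.exe", "route.exe", "netstat.exe",
                    "ipconfig.exe", "whoami.exe", "nltest.exe", "quser.exe"}
SCANNER_IMAGES = {"netscan.exe"}
# Parents from which admins normally launch these tools (assumed); wermgr.exe is not one.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
LOCALGROUP_ADD = re.compile(r"localgroup\s+administrators\s+(\S+)\s+/add", re.I)
BURST_WINDOW = timedelta(minutes=5)       # assumed tuning values
BURST_MIN_DISTINCT = 4


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Parse a constructed 'time|host|user|parent|image|cmdline' process event."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": basename(parent), "image": basename(image), "cmdline": cmdline}


def detect(lines):
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(list)   # (host, user) -> discovery events inside BURST_WINDOW
    burst_fired = set()
    for e in events:
        key = (e["host"], e["user"])
        if e["image"] in DISCOVERY_IMAGES:
            if e["parent"] not in EXPECTED_PARENTS:
                alerts.append(("discovery_unexpected_parent", e["host"],
                               f"{e['parent']} -> {e['image']}"))
            recent[key] = [w for w in recent[key] if e["ts"] - w["ts"] <= BURST_WINDOW] + [e]
            distinct = sorted({w["image"] for w in recent[key]})
            if len(distinct) >= BURST_MIN_DISTINCT and key not in burst_fired:
                burst_fired.add(key)            # one burst alert per host/user
                alerts.append(("discovery_burst", e["host"], ",".join(distinct)))
        elif e["image"] in SCANNER_IMAGES:
            alerts.append(("network_scanner", e["host"], e["cmdline"]))
        if e["image"] in {"net.exe", "net1.exe"}:
            m = LOCALGROUP_ADD.search(e["cmdline"])
            if m:
                alerts.append(("local_admin_add", e["host"], m.group(1)))
    return alerts


# Constructed sample events (not from the real incident).
SAMPLE_EVENTS = [
    r"2022-09-29T09:15:00|HOST02|CORP\it_admin|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all",
    r"2022-09-29T13:00:05|HOST01|CORP\svc_backup|C:\Windows\SysWOW64\wermgr.exe|C:\Windows\SysWOW64\whoami.exe|whoami /all",
    r"2022-09-29T13:00:09|HOST01|CORP\svc_backup|C:\Windows\SysWOW64\wermgr.exe|C:\Windows\SysWOW64\ipconfig.exe|ipconfig /all",
    r"2022-09-29T13:00:14|HOST01|CORP\svc_backup|C:\Windows\SysWOW64\wermgr.exe|C:\Windows\SysWOW64\arp.exe|arp -a",
    r"2022-09-29T13:00:20|HOST01|CORP\svc_backup|C:\Windows\SysWOW64\wermgr.exe|C:\Windows\SysWOW64\net.exe|net view /all",
    r"2022-09-29T13:00:26|HOST01|CORP\svc_backup|C:\Windows\SysWOW64\wermgr.exe|C:\Windows\SysWOW64\netstat.exe|netstat -nao",
    r"2022-09-29T13:00:31|HOST01|CORP\svc_backup|C:\Windows\SysWOW64\wermgr.exe|C:\Windows\SysWOW64\route.exe|route print",
    r"2022-09-29T14:17:40|HOST07|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Users\Public\netscan.exe|netscan.exe",
    r"2022-09-29T14:20:02|HOST07|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net localgroup administrators OLDADMINISTRATOR /add",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The lone `ipconfig /all` from an administrator's cmd.exe on HOST02 produces nothing, which is the point: the individual commands are routine, and it is the parent process and the cadence that give the infection away. Note that the group-addition rule fires on the attempt regardless of whether it succeeded; as the post describes, this one failed because the account did not exist, so no 4732 "member added" event would ever have been written.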
To move laterally, the attacker established remote desktop protocol (RDP) connections, including hijacking active RDP sessions on targeted hosts. They used QUSER.EXE, a built-in binary that enumerates the users logged on to a device and the state of their sessions, to find sessions worth hijacking. Some hijacking attempts failed and some succeeded.
Investigating the events around the failed RDP connections, we saw the threat actor accessing administrative shares, which give system administrators remote access to every disk volume on a network-connected system. These included the IPC$ share, most likely used to establish a remote procedure call (RPC) or server message block (SMB) session, again probably in support of lateral movement.
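Both lateral-movement signals in this section (RDP logons and admin-share access) are visible in standard Windows auditing: event 4624 with logon type 10 on the target, and event 5140 on the target naming the share and the client address. The code below is an added example written for this post rather than any ReliaQuest detection: it fans those events out by source IP and alerts when one source reaches three or more distinct hosts within 30 minutes, and it also computes the breakout time the post quotes (77 minutes) as the gap between first malicious execution on the beachhead and that host's first lateral move. The events, IPs, host names, the assumed 12:43 QBot start time, and the thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Admin shares as they appear in the ShareName field of event 5140.
ADMIN_SHARES = {r"\\*\IPC$", r"\\*\ADMIN$", r"\\*\C$"}
FANOUT_WINDOW = timedelta(minutes=30)     # assumed tuning values
FANOUT_MIN_TARGETS = 3


def lateral_events(events):
    """Yield (time, source_ip, target_host, kind) for RDP logons (4624 type 10)
    and admin-share access (5140), the two signals described in the post."""
    for e in sorted(events, key=lambda x: x["Time"]):
        if e["EventID"] == 4624 and e["LogonType"] == 10:
            yield e["Time"], e["IpAddress"], e["Computer"], "rdp_logon"
        elif e["EventID"] == 5140 and e["ShareName"] in ADMIN_SHARES:
            yield e["Time"], e["IpAddress"], e["Computer"], "admin_share " + e["ShareName"]


def detect_fanout(events):
    """Alert once per source IP that reaches FANOUT_MIN_TARGETS distinct hosts inside FANOUT_WINDOW."""
    alerts, recent, fired = [], defaultdict(list), set()
    for t, src, target, _kind in lateral_events(events):
        recent[src] = [(tt, h) for tt, h in recent[src] if t - tt <= FANOUT_WINDOW] + [(t, target)]
        hosts = sorted({h for _, h in recent[src]})
        if len(hosts) >= FANOUT_MIN_TARGETS and src not in fired:
            fired.add(src)
            alerts.append((src, t, hosts))
    return alerts


def breakout_time(events, beachhead_ip, first_execution):
    """Time from first malicious execution on the beachhead to its first lateral move, or None."""
    for t, src, _target, _kind in lateral_events(events):
        if src == beachhead_ip and t >= first_execution:
            return t - first_execution
    return None


def make_event(time, **fields):
    fields["Time"] = datetime.fromisoformat(time)
    return fields


# Constructed events (not from the real incident); the QBot start time is an assumption.
QBOT_FIRST_EXECUTION = datetime.fromisoformat("2022-09-29T12:43:00")
BEACHHEAD_IP = "10.10.5.21"
SAMPLE_EVENTS = [
    make_event("2022-09-29T09:00:00", EventID=4624, LogonType=10, IpAddress="10.10.7.7", Computer="HOST09"),
    make_event("2022-09-29T14:00:00", EventID=4624, LogonType=10, IpAddress=BEACHHEAD_IP, Computer="HOST03"),
    make_event("2022-09-29T14:06:30", EventID=5140, ShareName=r"\\*\IPC$", IpAddress=BEACHHEAD_IP, Computer="HOST04"),
    make_event("2022-09-29T14:09:12", EventID=5140, ShareName=r"\\*\Public", IpAddress=BEACHHEAD_IP, Computer="FS01"),
    make_event("2022-09-29T14:12:10", EventID=5140, ShareName=r"\\*\ADMIN$", IpAddress=BEACHHEAD_IP, Computer="HOST05"),
    make_event("2022-09-29T14:30:00", EventID=4624, LogonType=3, IpAddress=BEACHHEAD_IP, Computer="DC01"),
]

if __name__ == "__main__":
    print(detect_fanout(SAMPLE_EVENTS))
    print(breakout_time(SAMPLE_EVENTS, BEACHHEAD_IP, QBOT_FIRST_EXECUTION))
```

Event 5140 is only written when "Audit File Share" is enabled and, for IPC$, is noisy from legitimate management tooling, so in practice the fan-out rule works best when jump hosts and management servers are excluded from the source set. A session hijack itself does not produce a new type 10 logon on the target, which is why the post leans on the surrounding share access and failed connections to reconstruct it.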
For collection, the threat actor used QBot to launch ESENTUTL.EXE, a living-off-the-land binary (LOLBin) that can copy files, including ones locked by another process. QBot is known to harvest email data, but whether it did so here is unknown: the host's Windows event logs lacked command-line arguments, so we could not verify what was copied.
Although ransomware operators are known to prioritize data exfiltration during intrusions, we found no evidence that this attacker stole data. We did see outbound connections to Cobalt Strike infrastructure (IP address 194.165.16[.]95), but these were most likely ordinary C2 traffic rather than a conduit for exfiltration, and no other tools commonly used for data exfiltration turned up during our investigation.
Throughout the event, the attacker used several defense evasion techniques, including nesting the email payload inside multiple containers, overpass the hash, and process injection. The threat actor placed the QBot payload inside a disk image (ISO) file and then compressed the ISO into a password-protected ZIP file to evade email security controls and Microsoft's Mark of the Web (MotW). At the time of this intrusion, files inside a mounted ISO did not inherit the MotW flag from the downloaded container, so the usual SmartScreen and Office warnings never fired; Microsoft has since changed Windows to propagate MotW into mounted ISO contents.
This threat actor also performed a sub-technique of pass the hash known as overpass the hash: using a targeted account's New Technology LAN Manager (NTLM) hash to request a Kerberos ticket from the authentication provider, resulting in a fully valid Kerberos authentication without ever knowing the account's password.
Process injection was used by both the initial QBot payload (into WERMGR.EXE) and the subsequently deployed Cobalt Strike beacon (into WERFAULT.EXE).
Process injection inserts arbitrary code into the address space of another process, so that the injected (malicious) code appears to execute as a normal system process. This evades static detection and application control solutions, since the code on disk that was allowed to run is not the code doing the work.
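The injection into wermgr.exe and werfault.exe can be caught with Sysmon even when the injected code itself is never written to disk. The following is an added example for this post, not ReliaQuest's tooling: it applies three checks to Sysmon events, a CreateRemoteThread (event 8) whose target is a Windows Error Reporting binary and whose source is a different image; a ProcessAccess (event 10) that obtains the rights a WriteProcessMemory-plus-CreateRemoteThread injector needs (PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_CREATE_THREAD) on such a process; and a NetworkConnect (event 3) from one of those binaries to a non-private address, the kind of beaconing the post observed to 194.165.16[.]95. The events are constructed, and regsvr32.exe as the loader that hosts the QBot DLL is an assumption, not something the post states.

```python
import ipaddress

WER_IMAGES = {"wermgr.exe", "werfault.exe"}
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the access rights
# a classic WriteProcessMemory/CreateRemoteThread injector needs on its target.
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_injection(events):
    """Flag Sysmon events that show code being pushed into, or beaconing from, a WER process."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == 8:    # CreateRemoteThread
            src, dst = basename(e["SourceImage"]), basename(e["TargetImage"])
            if dst in WER_IMAGES and src != dst:
                alerts.append(("remote_thread_into_wer", e["Computer"], f"{src} -> {dst}"))
        elif eid == 10:  # ProcessAccess; GrantedAccess is logged as a hex string
            src, dst = basename(e["SourceImage"]), basename(e["TargetImage"])
            rights = int(e["GrantedAccess"], 16)
            if dst in WER_IMAGES and src not in WER_IMAGES and rights & INJECT_RIGHTS == INJECT_RIGHTS:
                alerts.append(("write_access_to_wer", e["Computer"], f"{src} -> {dst} {e['GrantedAccess']}"))
        elif eid == 3:   # NetworkConnect
            img = basename(e["Image"])
            if img in WER_IMAGES and not ipaddress.ip_address(e["DestinationIp"]).is_private:
                alerts.append(("wer_outbound_connection", e["Computer"],
                               f"{img} -> {e['DestinationIp']}:{e['DestinationPort']}"))
    return alerts


# Constructed Sysmon-style events (not from the real incident).
SAMPLE_EVENTS = [
    # Assumed QBot loader (regsvr32) opens wermgr.exe with full access and injects a thread.
    {"EventID": 10, "Computer": "HOST01", "SourceImage": r"C:\Windows\SysWOW64\regsvr32.exe",
     "TargetImage": r"C:\Windows\SysWOW64\wermgr.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "Computer": "HOST01", "SourceImage": r"C:\Windows\SysWOW64\regsvr32.exe",
     "TargetImage": r"C:\Windows\SysWOW64\wermgr.exe"},
    # The injected wermgr.exe beacons out, then stages Cobalt Strike into werfault.exe.
    {"EventID": 3, "Computer": "HOST01", "Image": r"C:\Windows\SysWOW64\wermgr.exe",
     "DestinationIp": "194.165.16.95", "DestinationPort": 443},
    {"EventID": 8, "Computer": "HOST01", "SourceImage": r"C:\Windows\SysWOW64\wermgr.exe",
     "TargetImage": r"C:\Windows\System32\werfault.exe"},
    # Benign: Task Manager querying wermgr.exe, and an internal SMB connection by svchost.
    {"EventID": 10, "Computer": "HOST01", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\SysWOW64\wermgr.exe", "GrantedAccess": "0x1000"},
    {"EventID": 3, "Computer": "HOST01", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.10.5.1", "DestinationPort": 445},
]

if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_EVENTS):
        print(alert)
```

Two production caveats: wermgr.exe does legitimately talk to Microsoft's Windows Error Reporting endpoints, so the network rule should allowlist those destinations rather than rely on the private-range check alone, and event 10 will also show csrss.exe, lsass.exe and endpoint security agents opening processes with broad rights, which need an explicit source allowlist so the rule is not drowned out.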
After emerging in 2019, the Conti ransomware group became a top-tier operation before collapsing in May 2022. Its demise likely stemmed from a series of operational errors that led to the compromise of Conti's infrastructure.
Chat logs leaked from Conti were a treasure trove of intelligence for law enforcement and security researchers alike. (You might remember our earlier blog exploring five lessons from the Conti breach.) The leak coincided with several other high-profile faux pas by the group, including publicly siding with the Russian state at the onset of the war in Ukraine and the major attacks against the Costa Rican government.
As Conti splintered, many members unsurprisingly sought new employment in other ransomware groups. LockBit, which now overwhelmingly accounts for the largest share of ransomware activity, was among the groups that probably welcomed an intake of former Conti members. Several other groups have also reportedly splintered from Conti, notably the "Karakurt Hacking Team," the "Royal" ransomware group, and Black Basta, the actors attributed to this security incident.
Black Basta first emerged in April 2022, a month before Conti folded. Like most major ransomware groups, Black Basta uses double extortion to solicit ransom payments, posting stolen data to its Basta News data-leak site if payment is not received within seven days. Black Basta targets a wide variety of regions and sectors, but mainly construction and industrial goods and services in the US and Germany.
What's the future for Black Basta and similar splinter groups? It's likely that they'll encounter increasing scrutiny from governments and law enforcement agencies. On 02 Feb 2023, the UK National Crime Agency and the US Department of the Treasury's Office of Foreign Assets Control sanctioned seven individuals allegedly involved with Conti and "TrickBot" malware activity. Their real names, birthdates, email addresses, and photos were made public, and they are now subject to asset freezes and travel bans. This is the first time the UK has sanctioned individuals involved with ransomware, and it's not likely to be the last.
Those sanctions are part of a wider campaign, portending more arrests, disruptions, and infrastructure takedowns by international law enforcement in the next one to three months. They're unlikely to have any direct impact on ransomware operations, but they are the kind of scrutiny that often leads to the closure of threat groups, and to the ever-predictable "whack-a-mole" effort to tackle ransomware. (Once a group goes down, you just know it will return in some fashion.) If Black Basta members are named and shamed in future sanctions or arrests, we might see another round of ransomware rebranding.
During the course of our investigation, we identified the threat actor using the following TTPs.
Visibility is one of the key ways organizations can minimize the risks posed by the many active cyber threats in 2023. You can't secure what's invisible to your incident responders, so effective logging covering your assets is essential to detecting and responding to threats. In this incident, the lack of logs forwarded to the SIEM meant ReliaQuest needed forensic images and event log exports to reconstruct most of the timeline. We've written before about the importance of maximizing business insights by improving logging activities.
Other steps you can take to avoid being impacted by QBot or ransomware activity are as follows.
ReliaQuest provides a “detection-in-depth” approach to attack coverage, which relies on proper logging being in place. This can be achieved by engaging with our GreyMatter platform, which provides a unified detection-investigation-response process, greatly increasing visibility of the various threats across your attack surface. Having better visibility into threats reduces complexity and helps efficiently manage risk for your business.