{
	"id": "efc1494e-853d-4f2f-bd5f-439bac81dda3",
	"created_at": "2026-04-06T00:10:56.57571Z",
	"updated_at": "2026-04-10T03:25:35.803354Z",
	"deleted_at": null,
	"sha1_hash": "6141f762d07d0e653a21844c62434306b1bedbdd",
	"title": "QBot: Laying the Foundations for Black Basta Ransomware Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1163971,
	"plain_text": "QBot: Laying the Foundations for Black Basta Ransomware\r\nActivity\r\nBy ReliaQuest Threat Research Team 15 March 2023\r\nPublished: 2023-03-15 · Archived: 2026-04-05 19:07:59 UTC\r\nToward the latter half of Q4 2022, ReliaQuest discovered a security incident unfolding in a customer’s\r\nenvironment. A threat actor gained initial network access, rapidly escalated their privileges, and moved laterally,\r\nquickly establishing a foothold in 77 minutes.\r\nWe severed the foothold the adversary established and worked alongside the impacted customer to remediate the\r\nimplications of the intrusion, but some valuable lessons should be taken away: many of the attackers’ actions were\r\nassisted by an accepted risk that, if avoided, could have prevented—or at least slowed—their advances.\r\nThe threat actors’ techniques—notably the use of “QBot” for initial access—suggested they are an affiliate of the\r\n“Black Basta” ransomware-as-a-service (RaaS) program. Ransomware remains, arguably, the most . Let’s go over\r\nsome simple changes that can often mean the difference between remediation and catastrophe.\r\nWhat Is QBot?\r\nAlso known as Qakbot, QuackBot, and Pinkslipbot, QBot is a banking trojan that was first observed in 2007. As\r\nobserved with other prominent banking trojans, like “Emotet,” QBot has come to acquire many new functions and\r\nis consistently being developed to incorporate new techniques and capabilities. In addition to stealing financial\r\ndetails and personally identifiable information (PII), QBot can be used for lateral movement, detection evasion\r\nand debugging, and installing additional malware on compromised machines.\r\nAttack Overview: Stealth and Swiftness\r\nOn September 29, 2022, we detected malicious activity after the deployment of Cobalt Strike Beacon and remote\r\nmanagement software in a customer’s environment. 
The attacker achieved initial access via a phishing email\r\ndelivered to end-user inboxes—having slipped past an overly permissive security solution.\r\nThis phishing email led to the deployment of the QBot malware and gave the attacker an initial foothold in the\r\nenvironment. They obtained valid service account credentials that were part of a domain administrator group,\r\nsmoothing the path to move laterally and deploy other Cobalt Strike beacons.\r\nThe timeline of initial QBot execution to lateral movement, commonly known as the breakout time, was 77\r\nminutes. (See Figure 1 for a timeline.) This is far quicker than most cases of this kind, which usually have a\r\nbreakout time of around 2 hours.\r\nhttps://www.reliaquest.com/blog/qbot-black-basta-ransomware/\r\nPage 1 of 12\n\nThe attacker’s actions had the whiff of a Black Basta affiliate, with QBot activity widely reported as being a\r\ncornerstone of Black Basta intrusions. Black Basta is a splinter group that emerged after the “Conti” ransomware\r\nsyndicate was quelled; its members moved on to alternative ransomware programs. The Black Basta group\r\noperates a ransomware-as-a-service (RaaS) program.\r\nKill Chain Details: Where Did It All Go Wrong?\r\nInitial Access\r\nThe phishing email that granted initial access was delivered on 26 Sep 2022. The attachment to the message was\r\nnamed REF#6547_SEP_28.HTML, which was rightly detected by Office 365 management as malicious: It was\r\nsmuggling a ZIP file onto the targeted network, to deliver a QBot implant. The email’s content prompted the\r\nrecipient to look at the attached file and approve its content.\r\nExecution\r\nExecution was achieved by HTML smuggling. Upon opening the HTML file in an email client, the screen\r\npictured in Figure 2 was shown and the user was asked to download it locally. 
After they did so and opened the\r\nHTML file in a browser, an encoded JavaScript binary large object (BLOB) surfaced. The BLOB then constructed\r\nand automatically downloaded a ZIP file to the user’s disk.\r\nThe ZIP file was protected by the password that then appeared on the screen: abc333. Once opened, an ISO\r\nimage was found within the zipped archive; if double-clicked, the ISO was mounted to disk. Within the new drive\r\n—which is created when the ISO is mounted—was a LNK file, which pointed at a JS file that in turn invoked the\r\nscript STICKLERBLOWN.CMD. Of course, this all starts with the user clicking on that LNK file.\r\nThis concluded the current QBot delivery chain, with QBot acting as both trojan and malware dropper to enable\r\nan initial foothold onto a target’s environment. Fake Adobe Acrobat updates have long been synonymous with the\r\nspread of malware, so nothing new here, but it continues to be effective as the software is free and widely used.\r\nIn this case, the attacker used the initial QBot foothold to deliver a Cobalt Strike beacon to the beachhead. Cobalt\r\nStrike and post-exploitation tools are typical follow-on payloads resulting from these infections. Often,\r\ncommodity malware is used before moving on to a command-and-control (C2) implant of the attacker’s choosing\r\nto solidify their foothold on the network.\r\nCommand-and-Control\r\nAt this point, the threat actor pivoted from the QBot C2 channel to their newly established C2 channel provided\r\nby the Cobalt Strike beacon. It was an HTTPS beacon that communicated with its team server located at\r\n194.165.16[.]95, similar to other QBot campaigns of RaaS affiliates and initial access brokers (IABs). (We’ve\r\nwritten before about the increasing role of IABs in facilitating cybercrime.)\r\nThe attacker also used alternative HTTPS channels to communicate and maintain their foothold. 
They deployed\r\nand configured remote-access software AnyDesk, Atera, and Splashtop, which use the HTTPS protocol.\r\nThe use of commercial remote access software is common. Threat actors associated with Conti ransomware’s\r\naffiliate program often use Atera and AnyDesk. In this case, AnyDesk was installed following the identification\r\nand containment of Atera agents, which had been deployed to multiple compromised hosts. These agents were\r\nlinked to email address UQUISKISESHLM[at]GMAIL[.]COM, which appears to be a random mix of letters;\r\nthis was most likely done for OPSEC purposes.\r\nCredential Access\r\nCredential access was achieved after the threat actor used the Data Protection Application Programming Interface\r\n(DPAPI) to interact with a credential key for an account; DPAPI is used to protect personal data on the local\r\nsystem, including user credentials. This is a common target for credential harvesting, and in this case, it resulted in\r\nthe account being compromised. Some of the most common tools—including Mimikatz, which was also used\r\nduring the incident—provide ways to interact with DPAPI to access credentials; Mimikatz is an open-source\r\nmalware program used by hackers and penetration testers to gather credentials on Windows computers.\r\nPrivilege Escalation and Persistence\r\nDuring the intrusion, the attacker primarily made use of a service account with domain administrator privileges. It\r\nfreed them to carry out objectives until the account was disabled, at which point the attacker pivoted to another\r\nvalid account that was also a member of the domain administrators’ group. This quick pivot upon disabling their\r\nprimary account was notable.\r\nWe were also able to identify another operation which highlights the theme that the attacker liked to have\r\nseveral available options. 
We identified that the threat actor attempted to add an account named\r\nOLDADMINISTRATOR to the Local Administrators group, on hosts where a local account named ADMINN\r\nhad been previously created. We never identified a further account creation for the account\r\nOLDADMINISTRATOR, which appeared odd. In the Conti affiliate manual, the affiliate is told to create the\r\naccount OLDADMINISTRATOR with the password qc69t4B#Z0kE3 and then add that account to the Local\r\nAdministrators group. What the actor did in this case was mistakenly attempt to add the account to the Local\r\nAdministrators group without first creating it. Since OLDADMINISTRATOR had not been created, this\r\nwas ultimately unsuccessful.\r\nOf all the details we uncovered, this was perhaps the most comical. Even with a playbook, human error is still\r\ninevitable. It was also somewhat surprising that Conti’s affiliates clearly follow the step-by-step rulebook to a T,\r\neven using predesignated passwords.\r\nDiscovery\r\nWindows binaries were used for network discovery including NET, ARP, ROUTE, NETSTAT, IPCONFIG, and\r\nWHOAMI; these were also seen as child processes of WERMGR.EXE. In this case, the QBot infection was\r\nresponsible for these discovery operations, as the QBot payload was being run in the memory space of the\r\nwermgr.exe process.\r\nWe also identified the attacker making use of a network scanning tool later during this intrusion. The attacker\r\nwas seen using the tool NETSCAN.EXE, which can scan hosts within the network for accessible network shares\r\n—another tool known to be used by Conti affiliates.\r\nLateral Movement\r\nTo move laterally, the attacker established remote desktop protocol (RDP) connections, including hijacking active\r\nRDP sessions on targeted hosts. 
They did this by using QUSER.EXE: a binary that can enumerate active RDP\r\nsessions on devices and identify new users in an environment. Some hijacking attempts failed, and some were\r\nsuccessful.\r\nBy investigating events surrounding the failed RDP connections, we saw that the threat actor was accessing\r\nadministrative shares; admin shares give system administrators remote access to every disk volume on a network-connected system. These shares included the IPC$ network share, which was likely used to establish a remote\r\nprocedure call (RPC) or server message block (SMB) session. Again, this move was probably made to enable\r\nlateral movement.\r\nCollection and Exfiltration\r\nFor collection, the threat actor used QBot to start the process ESENTUTL.EXE, which is a Living off the Land\r\nbinary (LOLBin) that provides copy functionality. QBot is known to harvest email data, but whether it did in this\r\ncase isn’t known: A lack of command-line arguments in the host’s Windows event logs meant verification wasn’t\r\npossible.\r\nAlthough ransomware operators are known to prioritize data exfiltration during intrusions, we didn’t find any\r\nevidence that this attacker stole data. We did find outbound connections to Cobalt Strike infrastructure (IP address\r\n194.165.16[.]95), but they were likely for typical C2 traffic, rather than being conduits for exfiltrating data. No\r\nother tools commonly used for data exfiltration turned up during our investigation.\r\nDefense Evasion\r\nThroughout the event, this attacker used several defense evasion techniques including compressing an email\r\npayload, overpass the hash, and process injection. 
The threat actor archived the QBot payload into a disk image\r\n(ISO) file, and then compressed the disk image into a password-encrypted ZIP file to evade email security and\r\nMark of the Web (MotW) controls implemented by Microsoft. They managed this by compressing the payload\r\ninto a ZIP file and ISO image combination.\r\nThis threat actor also performed a sub-technique of pass the hash, known as overpass the hash: passing a targeted\r\naccount’s New Technology LAN Manager (NTLM) hash to the Kerberos authentication provider, resulting in a\r\nsuccessful Kerberos authentication.\r\nProcess injection was used by both the initial QBot payload (into WERMGR.EXE) and the subsequent\r\ndeployment of Cobalt Strike (into WERFAULT.EXE).\r\nProcess injection inserts arbitrary code into the address space of another process, giving the appearance that the\r\ninjected (malicious) code was performed by a normal system process. This evades static detection and application\r\ncontrol solutions.\r\nBlack Basta’s Conti-Linked Heritage\r\nAfter emerging in 2019, the Conti ransomware group became a top-tier ransomware group before collapsing in\r\nMay 2022. The demise likely stemmed from a series of operational errors that led to a compromise of Conti’s\r\ninfrastructure.\r\nChat logs taken from Conti were a treasure trove of intelligence for law enforcers and security researchers alike.\r\n(You might remember our previous blog exploring five lessons from the Conti breach.) The release of the chat\r\nlogs also coincided with several other high-profile faux pas by the group. These included supporting the Russian\r\nstate during the onset of the war with Ukraine, and also revealed major attacks against the Costa Rican\r\ngovernment.\r\nConti Splinters, Members Move On\r\nAs part of Conti’s splintering, many members unsurprisingly sought new employment in other ransomware\r\ngroups. 
LockBit—which now accounts, overwhelmingly, for the largest market share of ransomware activity—\r\nwas among the groups that probably welcomed a new intake of members from Conti. Several other groups have\r\nalso reportedly splintered from Conti, notably the “Karakurt Hacking Team,” the “Royal” ransomware group, and\r\nBlack Basta—those infamous actors attributed to this security incident.\r\nBlack Basta first emerged in April 2022, a month before Conti folded. As most major ransomware groups do,\r\nBlack Basta uses double-extortion to solicit ransom payments, posting stolen data to its Basta News data-leak site\r\nif payment is not received within seven days. Black Basta is known to target a wide variety of regions and sectors,\r\nbut mainly construction and industrial goods and services in the US and Germany.\r\nBlack Basta Forecast: Stormy Weather\r\nWhat’s the future for Black Basta and similar splinter groups? Well, it’s likely that they’ll encounter increasing\r\nscrutiny from governments and law enforcement agencies. On 02 Feb 2023, the UK National Crime Agency and\r\nthe US Department of the Treasury’s Office of Foreign Assets Control sanctioned seven individuals allegedly\r\ninvolved with Conti and “TrickBot” malware activity. Their real names, birthdates, email addresses, and photos\r\nwere made public and their lives restricted. This is the first time the UK has sanctioned individuals involved with\r\nransomware, and it’s not likely to be the last.\r\nThose sanctions are part of a wider campaign, portending more arrests, disruptions, and infrastructure take-downs\r\nby international law enforcement in the next one to three months. It’s unlikely to have any direct impact on\r\nransomware operations, but it’s the kind of scrutiny that often leads to the closure of threat groups—and the ever-predictable “whack-a-mole” effort to tackle ransomware. 
(Once a group goes down, you just know they’ll return\r\nin some fashion.) If Black Basta members are named and shamed in future sanctions or arrests, we might see\r\nanother round of ransomware rebranding.\r\nMITRE TTPs\r\nDuring the course of our investigation, we identified the threat actor using the following TTPs.\r\nKill Chain Phase | MITRE TTP\r\nInitial Access | Phishing (T1566)\r\nExecution | User Execution: Malicious Image (T1204.003)\r\nExecution | System Services: Service Execution (T1569.002)\r\nCommand and Control | Ingress Tool Transfer (T1105)\r\nCommand and Control | Application Layer Protocol: Web Protocols (T1071.001)\r\nCommand and Control | Protocol Tunnelling (T1572)\r\nCommand and Control | Remote Access Software (T1219)\r\nCredential Access | Credentials From Password Stores (T1555)\r\nPrivilege Escalation | Valid Accounts (T1078)\r\nPersistence | Create Accounts: Local Account (T1136.001)\r\nDiscovery | System Network Connections Discovery (T1049)\r\nDiscovery | Network Share Discovery (T1018)\r\nLateral Movement | Remote Services: Remote Desktop Protocol (T1021.001)\r\nLateral Movement | Remote Services: SMB/Windows Admin Shares (T1021.002)\r\nLateral Movement | Remote Service Session Hijacking: RDP Hijacking (T1563.002)\r\nCollection | Data From Local System (T1005)\r\nDefense Evasion | Subvert Trust Controls: Mark-of-the-Web Bypass (T1553.005)\r\nDefense Evasion | Use Alternate Authentication Material: Pass the Hash (T1550.002)\r\nDefense Evasion | Process Injection (T1055)\r\nRetaining Ransomware Resilience\r\nOrganizations can minimize the risks posed by the abundant active cyber threats in 2023. You can’t secure what’s\r\ninvisible to your incident responders, so ensuring effective logging covering your assets is essential to detecting\r\nand responding to threats. 
The lack of logs forwarded to the SIEM meant ReliaQuest needed forensic images and\r\nevent log exports to fill in most of the events in this incident. We’ve written before about the importance of\r\nmaximizing business insights by improving logging activities.\r\nOther steps you can take to avoid being impacted by QBot or ransomware activity are as follows.\r\nReliaQuest provides a “detection-in-depth” approach to attack coverage, which relies on proper logging being in\r\nplace. This can be achieved by engaging with our GreyMatter platform, which provides a unified detection-investigation-response process, greatly increasing visibility of the various threats across your attack surface.\r\nHaving better visibility into threats reduces complexity and helps efficiently manage risk for your business.\r\nSource: https://www.reliaquest.com/blog/qbot-black-basta-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.reliaquest.com/blog/qbot-black-basta-ransomware/"
	],
	"report_names": [
		"qbot-black-basta-ransomware"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775791535,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6141f762d07d0e653a21844c62434306b1bedbdd.pdf",
		"text": "https://archive.orkl.eu/6141f762d07d0e653a21844c62434306b1bedbdd.txt",
		"img": "https://archive.orkl.eu/6141f762d07d0e653a21844c62434306b1bedbdd.jpg"
	}
}