{
	"id": "ea1048a9-f212-43ff-831e-063a41bc3871",
	"created_at": "2026-04-06T00:06:16.860008Z",
	"updated_at": "2026-04-10T13:12:44.791972Z",
	"deleted_at": null,
	"sha1_hash": "b5ec59b0f99e09f63ec92a4c9ffaa86aa0eef6e3",
	"title": "Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40866,
	"plain_text": "Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day\r\nArchived: 2026-04-02 12:26:35 UTC\r\nThe Cardinal cybercrime group (aka Storm-1811, UNC4393), which operates the Black Basta ransomware, may have been exploiting a recently patched Windows privilege escalation vulnerability as a zero-day. \r\nThe vulnerability (CVE-2024-26169) occurs in the Windows Error Reporting Service. If exploited on affected systems, it can permit an attacker to elevate their privileges. The vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild. However, analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day. \r\nBlack Basta link\r\nThe exploit tool was deployed in a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team. Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity. These included the use of batch scripts masquerading as software updates. Although no payload was deployed, the similarities in TTPs make it highly likely that this was a failed Black Basta attack. \r\nExploit tool\r\nAnalysis of the exploit tool revealed that it takes advantage of the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys. Because the parent key has a “Creator Owner” access control entry (ACE) for subkeys, every subkey it creates is owned by the user of the current process. 
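Added example, not code from the Symantec report or the exploit tool: a PowerShell audit, run as an administrator on a host under investigation, that walks every subkey under Image File Execution Options and reports the Debugger value and the owner of each. A subkey owned by an ordinary user (the Creator Owner inheritance described above) or a Debugger value hijacking a Windows binary such as WerFault.exe, the technique the report goes on to describe, then stands out. The list of principals treated as trusted owners and the function name are assumptions for illustration and should be tuned for the environment.

```powershell
# Added example, not code from the report: audit IFEO subkeys for Debugger
# hijacks and for subkeys owned by ordinary users. Run as an administrator.
$ifeo = 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'

# Assumption: owners other than these deserve a look; tune for the environment.
$trustedOwners = @('NT AUTHORITY\\SYSTEM', 'BUILTIN\\Administrators', 'NT SERVICE\\TrustedInstaller')

function Get-SuspiciousIfeoEntry {
    Get-ChildItem -Path $ifeo -ErrorAction Stop | ForEach-Object {
        $key      = $_
        $debugger = $key.GetValue('Debugger')   # $null when no Debugger value exists
        $acl      = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        $owner    = if ($acl) { $acl.Owner } else { '<access denied>' }
        $reasons  = @()

        if ($debugger) {
            $reasons += 'Debugger value set'
            # Strip a leading quote so a quoted path still compares against SystemRoot
            $path = ([string]$debugger).TrimStart([char]34)
            if (-not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += 'Debugger points outside SystemRoot'
            }
            if ($key.PSChildName -ieq 'WerFault.exe') {
                $reasons += 'WerFault.exe hijack, the pattern described for CVE-2024-26169'
            }
        }
        if ($trustedOwners -notcontains $owner) {
            # Creator Owner inheritance leaves a key created by an unprivileged process owned by that user
            $reasons += 'Subkey owner not in trusted list'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Subkey   = $key.PSChildName
                Debugger = $debugger
                Owner    = $owner
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousIfeoEntry | Format-Table -AutoSize
```

Each flagged subkey is emitted as an object, so the final line can be swapped for Export-Csv when collecting from many hosts. A flag means the entry deserves review, not that it is malicious: legitimate debuggers and application-compatibility entries also live under this key, and on hosts patched before any exploitation the WerFault.exe subkey should simply be absent.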
The exploit takes advantage of this to create a \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\WerFault.exe\" registry key where it sets the \"Debugger\" value as its own executable pathname. This allows the exploit to start a shell with administrative privileges. \r\nThe variant of the tool used in this attack (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63) had a compilation time stamp of February 27, 2024, several weeks before the vulnerability was patched. \r\nA second variant of the tool discovered on VirusTotal (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0) had an earlier compilation time stamp of December 18, 2023. \r\nhttps://www.security.com/threat-intelligence/black-basta-ransomware-zero-day\r\nPage 1 of 2\n\nTime stamp values in portable executables are modifiable, which means that a time stamp is not conclusive evidence that the attackers were using the exploit as a zero-day. However, in this case there appears to be little motivation for the attackers to change the time stamp to an earlier date.\r\nRevived threat\r\nCardinal introduced Black Basta in April 2022 and, from its inception, the ransomware was closely associated with the Qakbot botnet, which appeared to be its primary infection vector. \r\nQakbot was one of the world’s most prolific malware distribution botnets until it was taken down following law enforcement action in August 2023. 
However, while the takedown led to a dip in Black Basta activity, Cardinal has since resumed attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\n4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63 – Exploit tool\r\nb73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0 – Exploit tool\r\na31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d – Batch script\r\n3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d – Batch script\r\n2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625 – Batch script\r\nb0903921e666ca3ffd45100a38c11d7e5c53ab38646715eafc6d1851ad41b92e – ScreenConnect\r\nSource: https://www.security.com/threat-intelligence/black-basta-ransomware-zero-day",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.security.com/threat-intelligence/black-basta-ransomware-zero-day"
	],
	"report_names": [
		"black-basta-ransomware-zero-day"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bc98fce-5e1c-46d8-9d1a-64b5cb5febc3",
			"created_at": "2025-04-23T02:00:55.20526Z",
			"updated_at": "2026-04-10T02:00:05.307504Z",
			"deleted_at": null,
			"main_name": "Storm-1811",
			"aliases": [
				"Storm-1811"
			],
			"source_name": "MITRE:Storm-1811",
			"tools": [
				"Black Basta",
				"Cobalt Strike",
				"Quick Assist",
				"BITSAdmin",
				"PsExec",
				"Impacket",
				"QakBot"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5ec59b0f99e09f63ec92a4c9ffaa86aa0eef6e3.pdf",
		"text": "https://archive.orkl.eu/b5ec59b0f99e09f63ec92a4c9ffaa86aa0eef6e3.txt",
		"img": "https://archive.orkl.eu/b5ec59b0f99e09f63ec92a4c9ffaa86aa0eef6e3.jpg"
	}
}