Hunting Black Basta’s Cobalt Strike

Intel-Ops
May 13, 2024


Last week, the FBI and CISA released a #StopRansomware alert for the Black Basta ransomware group: https://www.cisa.gov/sites/default/files/2024-05/aa24-131a-joint-csa-stopransomware-black-basta_0.pdf

During 2024, the group is third only to LockBit and Play in total ransomware victims. Notably, the advisory highlights the group’s utilization of Cobalt Strike (table 10 — “known Black Basta Cobalt Strike server domains”).

Intel-Ops is actively tracking Cobalt Strike servers in the wild, including those deployed by Black Basta. In this post, we highlight key findings from our analysis of the C2 servers included in the FBI/CISA advisory, along with related C2 servers that were not released in the advisory or that are not publicly tracked as malicious or associated with Black Basta.

If you are spending this week hunting and monitoring for Black Basta Cobalt Strike servers, reach out about our C2 feed and additional indicators that Intel-Ops is tracking.

Black Basta’s Cobalt Strike Graph:

Using Validin’s “Bulk Analyzer” tool, we can quickly resolve the domains in the advisory to active IP addresses, understand patterns in hosting over time, and produce the correlations for our Maltego graph:

Findings

  • Black Basta infrastructure can be grouped into distinct clusters, some of which will be highlighted below.
  • The dominant watermarks observed within Black Basta infrastructure were 1357776117 & 1158277545.
  • The majority of Cobalt Strike servers are hosted on Vultr Hosting LLC (AS-CHOOPA), JW Lucasweg 35, Digital Ocean and Servinga.

Cluster 1

The majority of Cobalt Strike servers identified as operated by Black Basta utilize DNS beacons: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/listener-infrastructue_beacon-dns.htm. Based on our analytics, the IOCs from the advisory are almost exclusively hosted on the top 3 providers: Vultr, Lucasweg and Digital Ocean.

Based on our investigations, at least 6 additional DNS Cobalt Strike beacons are hosted on these providers, and Intel-Ops has identified similar C2s on other providers. Newly identified domains such as “thenewbees[.]org” also match the naming convention of the DNS beacons listed in the advisory.

Example DNS Beacon in Intel-Ops Cluster 1:

Cluster 2

The domain “usaglobalnews[.]org” appears to form part of a larger cluster of Cobalt Strike beacons. Within Intel-Ops Cluster 2, two domains have previously been publicly reported as involved in Black Basta incidents involving Pikabot. For example, the domains “ruggioil[.]com” and “bluenetworking[.]net” were both attributed to an incident in December 2023 by Trend Micro:

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/a/a-look-into-pikabot-spam-wave-campaign/ioc-pikabot-spam-campaign.txt

Example Cobalt Strike servers in Intel-Ops Cluster 2:

Cluster 3

Within Intel-Ops Cluster 3, we have observed 3 advisory domains, which are clustered with Cobalt Strike servers that have a larger share of Chinese hosting providers and Chinese DNS records. Additionally, one of the advisory domains and at least 3 additional C2 servers have been publicly attributed to Black Basta activity in a report by “dfir-delight” in April 2024: https://dfir-delight.de/p/black-basta-iocs/

Example of Intel-Ops Cluster 3 Cobalt Strike C2 server:

Cluster 4

Intel-Ops has identified a number of Cobalt Strike beacons with the watermark 1357776117. There is a relatively small cluster of IP addresses with this watermark: using Hunt.io, we can identify the number of IPs carrying this watermark over the past 30 days. Notably, a number of the resolving domains match the naming conventions of domains in the advisory:

Within this cluster is another IP address publicly attributed to a recent Black Basta incident. Additionally, hosting was far more varied when analyzing Cobalt Strike beacons by watermark alone, showing almost no overlap in hosting patterns with the other Black Basta clusters, such as the DNS beacons.
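To show how the pivots used throughout this post (a shared IP address or a shared watermark as the link, with hosting provider and beacon type summarised per cluster, as in the Findings and Cluster 4 above) combine into clusters, here is an added Python example that is not part of Intel-Ops’ post or tooling. The two watermark values are the ones reported in this post; every domain, IP address and pairing is constructed placeholder data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class C2Observation:
    domain: str              # defanged, in the style of the advisory
    ip: str
    provider: str            # hosting provider from passive DNS / ASN lookup
    beacon: str              # listener type: "dns" or "https"
    watermark: "int | None"  # Cobalt Strike watermark, if the beacon config was recovered

# Constructed sample data: the two watermark values are the ones reported in the
# post; every domain, IP address and pairing is a placeholder, not a real indicator.
OBSERVATIONS = [
    C2Observation("sample-c2-a[.]org", "203.0.113.10", "Vultr", "dns", 1158277545),
    C2Observation("sample-c2-b[.]org", "203.0.113.11", "Digital Ocean", "dns", 1158277545),
    C2Observation("sample-c2-c[.]org", "203.0.113.10", "Vultr", "dns", None),
    C2Observation("sample-c2-d[.]com", "198.51.100.20", "Servinga", "https", 1357776117),
    C2Observation("sample-c2-e[.]net", "198.51.100.21", "Other-ASN", "https", 1357776117),
    C2Observation("sample-c2-f[.]com", "192.0.2.5", "Digital Ocean", "https", None),
]

def pivot_keys(obs):
    # Only a shared IP or a shared watermark links two observations; provider and
    # beacon type are summarised per cluster but never used as links.
    keys = [("ip", obs.ip)]
    if obs.watermark is not None:
        keys.append(("watermark", obs.watermark))
    return keys

def cluster(observations):
    # Union-find over observations that share a pivot; one profile per cluster,
    # sorted by each cluster's alphabetically first domain.
    parent = list(range(len(observations)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    first_seen = {}  # pivot key -> index of the first observation carrying it
    for idx, obs in enumerate(observations):
        for key in pivot_keys(obs):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx
    groups = defaultdict(list)
    for idx, obs in enumerate(observations):
        groups[find(idx)].append(obs)
    profiles = [{"domains": sorted(o.domain for o in m),
                 "providers": sorted({o.provider for o in m}),
                 "beacons": sorted({o.beacon for o in m}),
                 "watermarks": sorted({o.watermark for o in m if o.watermark is not None})}
                for m in groups.values()]
    return sorted(profiles, key=lambda p: p["domains"][0])
```

Sample-c2-c has no recovered watermark but shares an IP with sample-c2-a, so it joins that cluster; sample-c2-d and sample-c2-e sit on different providers and are linked only by the watermark, mirroring the varied hosting noted for Cluster 4.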

Example Cobalt Strike C2 server in Intel-Ops Cluster 4:

Conclusion

There are additional clusters/correlations to be inferred from the Black Basta advisory. This analysis covers only the known indicators in the report. For more information and to enhance your protection against groups utilising Cobalt Strike:

Hunting Adversary Infrastructure Course

Using the techniques taught in our course — “Hunting Adversary Infrastructure”, security analysts of all levels can learn to further enrich reports such as these to cluster and attribute activity. All of these indicators are being actively tracked by Intel-Ops and will soon be available via our C2 Threat Feed.

To learn how to track frameworks such as Cobalt Strike and groups such as Black Basta, please consider enrolling in our course here: academy.intel-ops.io — students gain special Intel-Ops accounts for the Validin platform, which come with additional query and API credits to help with learning.

C2 Feed

For information regarding our C2 feeds, please get in touch via LinkedIn, Twitter or Email (contact@intel-ops.io).
