42 hours to disaster: how UNC4393 is paralyzing the corporate sector

SILENTNIGHT, BASTA, and KNOTROCK — what else will cyberbandits surprise researchers with?

In mid-2022, Mandiant specialists discovered several intrusions related to QAKBOT, which led to the deployment of BEACON and other C2 beacons. This was the first identification of the UNC4393 group, the main user of the BASTA ransomware.

During the observation period, Mandiant recorded more than 40 UNC4393 intrusions in 20 different industries. While medical organizations have not previously been the main target of the group's attacks, several incidents this year indicate a possible expansion of their interests.

UNC4393 is a financially motivated threat cluster that has been actively using BASTA ransomware since mid-2022. The group usually gains initial access through the QAKBOT botnet, which is distributed through phishing emails with malicious links or attachments.

BASTA operators prefer a closed affiliate model, granting access only to vetted third parties, which distinguishes them from traditional ransomware-as-a-service (RaaS) models.

Thanks to its high operational tempo, UNC4393 can conduct reconnaissance, exfiltrate data, and complete its objectives in an average of 42 hours. Mandiant distinguishes two main BASTA-related clusters: UNC4393 and UNC3973. UNC4393 accounts for most BASTA-related activity, while UNC3973 demonstrates distinct tactics and techniques that warrant separate tracking.

UNC4393's arsenal includes many malware families, among them:
  • BASTA: ransomware that encrypts local files, using a random key for each file.
  • SYSTEMBC: a tunneler that hides network traffic associated with other malware.
  • KNOTWRAP: a dropper that executes additional payloads in memory.
  • KNOTROCK: a .NET-based utility that creates symbolic links and launches BASTA.
  • DAWNCRY: a dropper that decrypts and executes embedded resources.
  • PORTYARD: a tunneler that establishes a connection to the C2 server.
  • COGSCAN: a system and network data collector.

Previously, UNC4393 almost always used the QAKBOT botnet for initial access. After the botnet's takedown in 2023, however, the group switched to other methods, including phishing and malvertising. SILENTNIGHT, the main malware in these attacks, supports a range of functions such as system monitoring and screenshot capture.

After gaining access, UNC4393 uses a combination of legitimate tools and custom malware. DNS BEACON is often used to maintain access and carry out operations. Since 2024, the group has used a multi-stage infection chain that includes DAWNCRY and PORTYARD.

For reconnaissance, UNC4393 uses tools such as BLOODHOUND, ADFIND, and PSNMAP, as well as its own COGSCAN tool for collecting network and system information. For lateral movement and persistent access it relies on SMB BEACON and the Remote Desktop Protocol (RDP). Remote execution via WMI is used frequently, which enables rapid deployment of the ransomware.

UNC4393's goal is to collect and exfiltrate data quickly so that it can be used for multi-faceted extortion. RCLONE is the primary tool used for data theft. The group previously deployed the encryptor manually, but since the end of 2023 it has used the KNOTROCK utility, which significantly speeds up the process.
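As an added example (not part of the original post or Mandiant's report), the following script triages constructed process-creation events for three of the behaviours described above: reconnaissance tooling (ADFind, BloodHound/SharpHound, nmap), WMI-spawned remote execution (child processes of WmiPrvSE.exe), and RCLONE exfiltration. The event layout, host names and command lines are all constructed; it also measures the elapsed time from first reconnaissance hit to last hit, the end-to-end tempo the report quantifies.

```python
"""Triage constructed process-creation events for UNC4393-style behaviours.

Assumptions (not from the report): each event is a tuple of
(ISO timestamp, host, parent image, image, command line)."""
import re
from datetime import datetime

# Constructed sample events for this example
EVENTS = [
    ("2024-03-01T09:02:00", "WS01", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("2024-03-01T09:40:00", "WS01", "cmd.exe", "adfind.exe", 'adfind.exe -f "objectcategory=person"'),
    ("2024-03-01T10:05:00", "WS01", "cmd.exe", "SharpHound.exe", "SharpHound.exe -c All"),
    ("2024-03-02T22:10:00", "FS02", "WmiPrvSE.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("2024-03-02T23:30:00", "FS02", "cmd.exe", "rclone.exe", "rclone.exe copy D:\\Finance remote:dump -q"),
    ("2024-03-03T03:40:00", "DC01", "WmiPrvSE.exe", "cmd.exe", "cmd.exe /c net view"),
]

# Each rule: (name, predicate over (parent image, image, command line))
RULES = [
    # Reconnaissance tools named in the report (plus SharpHound, BloodHound's collector)
    ("recon_tool", lambda p, img, cmd: re.search(r"adfind|sharphound|bloodhound|nmap", img, re.I)),
    # Processes created via WMI (Win32_Process.Create) are children of WmiPrvSE.exe
    ("wmi_remote_exec", lambda p, img, cmd: p.lower() == "wmiprvse.exe"),
    # RCLONE invoked by name anywhere in the command line
    ("rclone_exfil", lambda p, img, cmd: re.search(r"\brclone(\.exe)?\b", cmd, re.I)),
]


def classify(events):
    """Return (timestamp, host, rule_name) for every event matching a rule."""
    hits = []
    for ts, host, parent, image, cmd in events:
        for name, pred in RULES:
            if pred(parent, image, cmd):
                hits.append((ts, host, name))
    return hits


def intrusion_window_hours(hits):
    """Hours from the first reconnaissance hit to the last hit of any kind,
    or None when no reconnaissance activity was seen."""
    recon = [datetime.fromisoformat(ts) for ts, _, n in hits if n == "recon_tool"]
    if not recon:
        return None
    last = max(datetime.fromisoformat(ts) for ts, _, _ in hits)
    return (last - min(recon)).total_seconds() / 3600


if __name__ == "__main__":
    found = classify(EVENTS)
    for hit in found:
        print(hit)
    print("window (h):", intrusion_window_hours(found))
```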

UNC4393 continues to evolve and poses a significant threat. Switching from using ready-made tools to developing its own malware and collaborating with other groups allows it to optimize its operations.

Effective protection against such threats requires proactive and comprehensive security measures, including regular software updates, cybersecurity awareness training for employees, and the use of advanced technologies to detect and prevent attacks.
