Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as “Carbanak.” When analyzing tools used by the ransomware gang in attacks, the researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022. Further evidence linking the two includes IP addresses and specific TTPs (tactics, techniques, and procedures) used by FIN7 in early 2022 and seen months later in actual Black Basta attacks.

FIN7 is a Russian-speaking, financially motivated hacking group that has been active since at least 2015, deploying POS malware and launching targeted spear-phishing attacks against hundreds of firms.
In 2020, the group started exploring the ransomware space, and by October 2021, it was revealed that it had set up its own network intrusion operation.

From June 2022 onwards, Black Basta was observed deploying a custom EDR evasion tool used exclusively by its members. By digging deeper into this tool, Sentinel Labs found an executable, “WindefCheck.exe,” that displays a fake Windows Security GUI and tray icon, giving users the illusion that Windows Defender is working normally. In the background, however, the malware disables Windows Defender, EDR, and antivirus tools, ensuring that nothing will jeopardize the data exfiltration and encryption process.

The analysts retrieved more samples linked to that tool and found one packed with an unknown packer, which was identified as ‘SocksBot,’ a backdoor that FIN7 has been developing since at least 2018. Furthermore, this backdoor connects to a C2 IP address belonging to “pq.hosting,” a bulletproof hosting provider FIN7 trusts and uses regularly.

Additional evidence of a connection between FIN7 and Black Basta concerns FIN7’s early 2022 experimentation with Cobalt Strike and Meterpreter C2 frameworks in simulated malware-dropping attacks.

While these technical similarities point to FIN7 members being part of the Black Basta operation, it is still unclear whether they are just developers for the group, operators, or affiliates using their own tools during attacks.
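The tool described above works by spoofing what the user sees, so the practical defender's lesson is not to trust the tray icon or the Windows Security window as evidence that protection is running. The following PowerShell check is an added example, not code from Sentinel Labs or from the article; it queries Defender's state through several independent channels (the Defender PowerShell module, the service control manager, the policy registry keys, and the Security Center WMI provider) and reports any disagreement with a healthy baseline. The cmdlets, property names, service names and registry paths are standard Windows components; the seven-day signature-age threshold and the report layout are this example's own assumptions.

```powershell
# Added example (not the article's or Sentinel Labs' code): cross-check Windows Defender's
# real state from sources that a spoofed GUI does not control. Run in an elevated
# PowerShell session on Windows 10/11 or Windows Server.

function Get-DefenderHealthReport {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # Source 1: the Defender management interface (WMI-backed, independent of the GUI).
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service reports disabled') }
        if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine reports disabled') }
        if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
        if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is off') }
        if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is not enabled') }
        # Assumed threshold: signatures older than 7 days suggest updates are being blocked.
        if ($status.AntivirusSignatureAge -gt 7)    { $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old") }
    } catch {
        $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
    }

    # Source 2: local preferences that an administrator-level process can flip.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        if ($pref.DisableRealtimeMonitoring) { $findings.Add('DisableRealtimeMonitoring preference is set') }
        if ($pref.DisableBehaviorMonitoring) { $findings.Add('DisableBehaviorMonitoring preference is set') }
        if ($pref.ExclusionPath)             { $findings.Add("Path exclusions present: $($pref.ExclusionPath -join ', ')") }
        if ($pref.ExclusionProcess)          { $findings.Add("Process exclusions present: $($pref.ExclusionProcess -join ', ')") }
    } catch {
        $findings.Add("Get-MpPreference failed: $($_.Exception.Message)")
    }

    # Source 3: the service control manager. WinDefend = Defender AV, WdNisSvc = network
    # inspection, Sense = Defender for Endpoint sensor (present only on onboarded hosts).
    foreach ($svc in 'WinDefend', 'WdNisSvc', 'Sense') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) {
            if ($svc -ne 'Sense') { $findings.Add("Service $svc is missing") }
        } elseif ($s.Status -ne 'Running') {
            $findings.Add("Service $svc is $($s.Status)")
        }
    }

    # Source 4: policy registry values commonly used to switch Defender off.
    $policyChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) { $findings.Add("Policy $($c.Name) = 1 under $($c.Path)") }
    }

    # Source 5: Security Center's own registry of AV products (workstation SKUs only; the
    # namespace does not exist on Windows Server, so the query is allowed to return nothing).
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # productState is a bitfield; bit 0x1000 set means the product is enabled.
        $enabled = (($p.productState -band 0x1000) -ne 0)
        if (-not $enabled) {
            $findings.Add("Security Center lists '$($p.displayName)' as not enabled (state 0x$('{0:X}' -f $p.productState))")
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CheckedAt    = (Get-Date).ToString('o')
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage: run from an elevated prompt and forward the object to a SIEM, or collect it from
# many hosts with Invoke-Command and compare. Any finding on a machine whose tray icon
# says "all clear" is worth triage.
Get-DefenderHealthReport | Format-List
```

A tool that already runs with administrator rights can tamper with some of these sources too, so the check is most useful when it is executed through a remote management channel and its output is compared against EDR or Defender for Endpoint telemetry collected centrally, rather than when it is run once on the suspect host and believed.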