Novel Attacks Launched by ex-Black Basta Members

Findings also suggest the likely increased utilisation of Python scripts in subsequent Teams phishing campaigns.

Threat actors previously associated with the Black Basta ransomware gang have continued leveraging Microsoft Teams phishing alongside Python script execution in new intrusions.

The Hacker News reports that finance, insurance, and construction organisations have been subjected to Teams phishing attacks by former Black Basta members, with almost half of the incidents between February and May found to have originated from onmicrosoft[.]com domains, according to an analysis from ReliaQuest.

Initial access facilitated by Teams phishing was followed by the utilisation of AnyDesk and QuickAssist remote desktop software for the eventual delivery of a malicious Python script for command-and-control communications. Aside from the potential migration of ex-Black Basta members to the CACTUS ransomware-as-a-service group, such findings also suggest the likely increased utilisation of Python scripts in subsequent Teams phishing campaigns, said ReliaQuest researchers. 

This also indicates the ongoing regrouping of the ransomware operation following a steep decline stemming from its internal chat log leak earlier this year.
Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.