Cluster of Infrastructure likely used by affiliate of Dark Scorpius (Black Basta)

    Date: 01/21/2025

    Severity: High

    Summary

    The infrastructure described is likely used by an affiliate of Dark Scorpius (associated with Black Basta ransomware). The attack began with email bombing to disrupt email systems, followed by social engineering via Microsoft Teams to install remote access tools. Attackers deploy malicious files, including a DLL that communicates with C2 servers, and in some cases, the attack leads to the deployment of Black Basta ransomware.

    Indicators of Compromise (IOC) List

    IP Addresses

    5.78.41.255

    5.181.159.48

    38.180.135.232

    38.180.138.15

    38.180.192.243

    45.8.157.146

    45.8.157.158

    45.8.157.162

    45.128.149.32

    89.185.80.86

    89.185.80.170

    89.185.80.251

    91.90.195.91

    178.236.247.173

    195.123.233.19

    195.123.233.148

    195.123.241.24

    195.211.96.135

    207.90.238.46

    207.90.238.67

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("5.78.41.255","5.181.159.48","38.180.135.232","38.180.138.15","38.180.192.243","45.8.157.146","45.8.157.158","45.8.157.162","45.128.149.32","89.185.80.86","89.185.80.170","89.185.80.251","91.90.195.91","178.236.247.173","195.123.233.19","195.123.233.148","195.123.241.24","195.211.96.135","207.90.238.46","207.90.238.67") or ipaddress IN ("5.78.41.255","5.181.159.48","38.180.135.232","38.180.138.15","38.180.192.243","45.8.157.146","45.8.157.158","45.8.157.162","45.128.149.32","89.185.80.86","89.185.80.170","89.185.80.251","91.90.195.91","178.236.247.173","195.123.233.19","195.123.233.148","195.123.241.24","195.211.96.135","207.90.238.46","207.90.238.67") or publicipaddress IN ("5.78.41.255","5.181.159.48","38.180.135.232","38.180.138.15","38.180.192.243","45.8.157.146","45.8.157.158","45.8.157.162","45.128.149.32","89.185.80.86","89.185.80.170","89.185.80.251","91.90.195.91","178.236.247.173","195.123.233.19","195.123.233.148","195.123.241.24","195.211.96.135","207.90.238.46","207.90.238.67") or srcipaddress IN ("5.78.41.255","5.181.159.48","38.180.135.232","38.180.138.15","38.180.192.243","45.8.157.146","45.8.157.158","45.8.157.162","45.128.149.32","89.185.80.86","89.185.80.170","89.185.80.251","91.90.195.91","178.236.247.173","195.123.233.19","195.123.233.148","195.123.241.24","195.211.96.135","207.90.238.46","207.90.238.67")
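    The TDIR query above is a flat membership test of four event fields against the advisory's IP list. Below is an added worked example, not part of the advisory and not Gurucul's code, that applies the same logic offline to JSON-lines telemetry so the matching behaviour can be checked before the query is deployed: it normalizes field values (whitespace, an appended `:port`), requires an exact address match so a neighbouring address such as `45.8.157.1` is not flagged, and skips malformed records instead of aborting the scan. The field names are taken from the query; the sample events, the `event_id` key and the `ip:port` handling are constructed assumptions for the example.

```python
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Indicator list copied from the advisory above (Dark Scorpius / Black Basta affiliate infrastructure).
IOC_IPS = frozenset({
    "5.78.41.255", "5.181.159.48", "38.180.135.232", "38.180.138.15",
    "38.180.192.243", "45.8.157.146", "45.8.157.158", "45.8.157.162",
    "45.128.149.32", "89.185.80.86", "89.185.80.170", "89.185.80.251",
    "91.90.195.91", "178.236.247.173", "195.123.233.19", "195.123.233.148",
    "195.123.241.24", "195.211.96.135", "207.90.238.46", "207.90.238.67",
})

# The four event attributes the TDIR query inspects (field names as in the query).
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def normalize_ip(value: object) -> Optional[str]:
    """Canonicalize a field value to a dotted-quad string.

    Handles forms that show up in real telemetry: surrounding whitespace and an
    appended ':port' (an assumption about the log source, not something the
    advisory states). Returns None for anything that is not a valid IPv4
    address, so partial strings such as '45.8.157.1' can never match by prefix.
    """
    if not isinstance(value, str):
        return None
    text = value.strip()
    if text.count(":") == 1:          # 'ip:port' form; IPv6 literals have more colons
        text = text.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return str(addr) if addr.version == 4 else None


def match_event(event: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (field, ioc_ip) pairs for every inspected field that hits the list."""
    hits = []
    for field in IP_FIELDS:
        ip = normalize_ip(event.get(field))
        if ip is not None and ip in IOC_IPS:
            hits.append((field, ip))
    return hits


def run_detection(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan JSON-lines events and return one alert per event that matched."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                   # skip malformed records; do not abort the scan
        hits = match_event(event)
        if hits:
            alerts.append({
                "event_id": event.get("event_id"),   # hypothetical correlation key
                "matches": hits,
                "severity": "High",                  # severity stated by the advisory
            })
    return alerts


# Constructed sample events (not real logs) exercising each field, the
# 'ip:port' form, an exact-match negative, and a malformed line.
SAMPLE_LOGS = [
    '{"event_id": 1, "srcipaddress": "10.0.0.5", "dstipaddress": "45.8.157.146"}',
    '{"event_id": 2, "srcipaddress": "207.90.238.67:3389", "dstipaddress": "10.0.0.9"}',
    '{"event_id": 3, "srcipaddress": "10.0.0.7", "dstipaddress": "45.8.157.1"}',
    '{"event_id": 4, "publicipaddress": " 195.123.233.19 ", "ipaddress": "192.168.1.20"}',
    'not json at all',
    '{"event_id": 5, "ipaddress": "5.78.41.255", "dstipaddress": "5.78.41.255"}',
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOGS):
        print(alert)
```

    Running the script reports events 1, 2, 4 and 5; event 3 is correctly ignored because `45.8.157.1` is not on the list, and the non-JSON line is dropped. Because the IOC set and the field tuple are the only advisory-specific values, the same scanner can be re-pointed at a later indicator release without touching the matching logic.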

    Reference: 

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt 


    Tags

    Malware, Ransomware, Social Engineering
