
CTI Roundup: QR Code Phishing, Babuk Locker 2.0, and Qilin

QR code phishing accelerates as tactics evolve, LockBit 3.0 rebrands as Babuk Locker 2.0 ransomware, and Qilin affiliates target the downstream customers of an MSP

Emerging Issue

In this week’s roundup, CTI points out the latest phishing tactics involving QR codes. Next up, CTI looks at the new Babuk Locker 2.0 ransomware. Finally, CTI wraps up with an overview of a recent supply chain attack targeting the downstream customers of an MSP.

1. QR code phishing accelerates as tactics evolve

Palo Alto is tracking new tactics that are being used in phishing documents containing QR codes.

Some of the new tactics include exploiting open redirects to hide the final phishing destination and including human verification within redirects to evade detection and convince victims to enter credentials.

Palo Alto has also observed cases where phishing sites target specific victims, indicating some level of reconnaissance prior to the attack.

What is QR code phishing?

QR code phishing, or quishing, involves creating malicious QR codes and luring victims to scan them with their mobile devices.

With QR code phishing, threat actors will attempt to exploit user-controlled devices with weak security controls. QR code phishing has proven to be highly effective, which is why it’s becoming increasingly common.

Phishing URL redirection

Palo Alto analyzed QR code URLs from recent campaigns and determined that they often use URL redirection, which involves exploiting the open redirects of legitimate websites. This differs from embedding links that point directly to the phishing site.

URL redirection is not a new tactic, and it is part of the reason users are trained to inspect a link's URL before clicking it. Combined with QR codes, however, redirection gets trickier: you cannot hover over a QR code with your mouse to preview the URL.

As Palo Alto explains, open redirects let a legitimate website send users on to an external page while the link itself still appears to originate from that trusted site. Actors can also pad the redirect URL (Palo Alto cites Google redirect URLs) with additional text so that the true phishing destination is pushed out of view when the QR code is scanned with a phone.

Phishing operations

Palo Alto discovered that these phishing operations have three steps including redirection, human verification, and credential harvesting.

  • Redirections guide victims to the true site. Some actors will use several redirects to make it harder to be identified.
  • Human verification involves exploiting legitimate verification steps that many users will be familiar with, such as CAPTCHA and Cloudflare Turnstile. To use Cloudflare Turnstile in their attacks, all a threat actor must do is sign up for the free subscription of the service.
  • Credential harvesting occurs via phishing pages that mimic login pages like Microsoft 365. Some of the pages display the company logo and will even pre-populate the email address of the victim, leaving them to enter only the password.
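The redirection step above is something a defender can inspect statically once the QR payload has been decoded. The following is an added example, not code from the Palo Alto report or from Tanium: it pulls nested http(s) URLs out of a redirect link's query string or fragment, follows them without making any network request, and reports whether the real destination sits on a different host and whether a phone's short URL preview would even show it. All hostnames are constructed placeholders, and the preview length is an assumption.

```python
"""Added example (not from the Palo Alto report or the Tanium post): statically
unwrap a QR-code URL that abuses an open redirect, so a defender can see the
real destination without scanning the code or making any network request.
All hostnames below are constructed placeholders (.example / .test)."""
from urllib.parse import parse_qs, unquote, urlparse


def find_embedded_url(url):
    """Return the first http(s) URL carried in a query parameter or the fragment, else None."""
    parsed = urlparse(url)
    # parse_qs already percent-decodes once; decode again only for double-encoded payloads
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            decoded = value if value.lower().startswith(("http://", "https://")) else unquote(value)
            if decoded.lower().startswith(("http://", "https://")):
                return decoded
    fragment = unquote(parsed.fragment)
    if fragment.lower().startswith(("http://", "https://")):
        return fragment
    return None


def unwrap_redirects(url, max_depth=5):
    """Follow embedded-URL parameters statically; returns the chain [outer, ..., final]."""
    chain = [url]
    while len(chain) <= max_depth:
        nxt = find_embedded_url(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def assess_qr_url(url, preview_chars=40):
    """Summarise what a phone's short URL preview shows versus where the link really goes."""
    chain = unwrap_redirects(url)
    first_host = (urlparse(chain[0]).hostname or "").lower()
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    hops = len(chain) - 1
    host_changed = hops > 0 and first_host != final_host
    # Where the real host first appears in the raw string; -1 means it was percent-encoded
    pos = url.lower().find(final_host) if host_changed else 0
    hidden = host_changed and (pos == -1 or pos >= preview_chars)
    if hops == 0:
        verdict = "no embedded redirect"
    elif hidden:
        verdict = "suspicious: cross-host redirect hidden beyond the URL preview"
    elif host_changed:
        verdict = "suspicious: cross-host redirect"
    else:
        verdict = "redirect stays on the same host"
    return {"chain": chain, "hops": hops, "host_changed": host_changed,
            "hidden_from_preview": hidden, "verdict": verdict}


# Constructed samples: a padded open-redirect link, a double-encoded two-hop chain, a benign link
PADDED = ("https://trusted-site.example/redirect?ref=home&campaign=spring-newsletter"
          "&session=" + "a" * 64 +
          "&url=https%3A%2F%2Flogin-verify.phish.test%2Fm365%2F%3Fuser%3Dalice")
TWO_HOP = ("https://a.example/r?next=https%3A%2F%2Fb.example%2Fgo%3Furl%3D"
           "https%253A%252F%252Fc.phish.test%252Flogin")
BENIGN = "https://trusted-site.example/docs/getting-started"

if __name__ == "__main__":
    for sample in (PADDED, TWO_HOP, BENIGN):
        result = assess_qr_url(sample)
        print(result["verdict"], "->", result["chain"][-1])
```

The check deliberately never fetches anything: following a victim-specific redirect live can tip off the operator or, as the human-verification step shows, simply land on a CAPTCHA. Pairing this static unwrap with a list of your organisation's trusted redirector hosts is the natural next step.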

Analyst comments from Tanium’s Cyber Threat Intelligence team

Phishing attacks and social engineering are constantly evolving, with Palo Alto’s report highlighting some of the most recent trends.

While the three main activities highlighted in the report have been observed individually over the past several months, Palo Alto is now seeing them used in combination, only increasing the potential success rate.

As is always the case with new phishing tactics, awareness and security solutions are needed in tandem.

2. LockBit 3.0 rebrands as Babuk Locker 2.0 ransomware

Rapid7 recently found a ransomware group channel claiming to be Babuk Locker, a group that shut down back in 2021.

Rapid7 discovered underground forums and channels that mentioned “Babuk Locker 2.0,” along with some actors taking credit for recent ransomware attacks. They ultimately determined that this was not a resurgence of the group, but rather LockBit 3.0 under a new name.

Operators

During their investigation, Rapid7 saw several discussions about a potential return of Babuk, most of which were linked to two different groups called “Skywave” and “Bjorka.”

These groups claimed responsibility for some ransomware attacks and even promoted Babuk leaks. Rapid7 believes these are either affiliates or key operators of Babuk 2.0.

Babuk Locker 2.0

Rapid7 identified dozens of Telegram channels that had names related to Babuk Locker 2.0. One of the previously mentioned groups, Skywave, claimed ownership of multiple channels, while the other, Bjorka, has had its Babuk-related content amplified.

Researchers noticed an overlap in the victims of Babuk and Bjorka and identified a possible collaboration between the actors after observing the Skywave and Bjorka logos next to each other in a contact page for Babuk 2.0.

Technical details

Rapid7 came across a supposed Babuk 2.0 sample on a Telegram channel. After analyzing the sample, they determined that this is not related to Babuk and instead is LockBit 3.0 or LockBit Black. This indicates that Babuk 2.0 is just a new name or a rebrand for LockBit 3.0.

Babuk or LockBit 3.0?

Rapid7 analyzed a “babuk.exe” file, which is advertised as Babuk 2.0. They confirmed that this sample is entirely based on LockBit 3.0 and is not related to previously leaked Babuk code.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Rapid7’s analysis indicates that Babuk Locker 2.0 is not actually from the Babuk group but instead is just LockBit 3.0 with a new name.

As Rapid7 notes, “ransomware groups don’t disappear—they just change names, recycle code, and keep cashing in.” This can make attribution more challenging, causing defenders to spin cycles on “new” ransomware that are just a rebranding effort or a way for an actor to garner some attention.

3. Qilin affiliates target the downstream customers of an MSP

According to a Sophos report, in January, an MSP administrator received a phishing email pretending to be an authentication alert for the ScreenConnect RMM tool. The email ultimately gave the Qilin ransomware threat group access to the administrator’s credentials and enabled the group to execute ransomware attacks against the MSP’s customers. The Qilin RaaS group has been around since 2022 and previously went by the name “Agenda.” This group is known to recruit its affiliates in Russian forums and uses a data leak site for double extortion.

About STAC4365

Sophos is attributing this latest incident to a ransomware affiliate tracked as STAC4365 due to overlapping infrastructure, naming patterns, and various TTPs used by the group in other attacks.

STAC4365 is a threat group that Sophos has associated with “a pattern of activities and indicators held in common by a group of phishing sites dating back to November 2022.” The sites used by this actor typically spoof legitimate ScreenConnect URLs. This actor is using an open-source AitM framework called “evilginx” to gather phishing credentials and session cookies.

STAC4365’s Qilin attack chain

The phishing email used in the attack was tailored to the MSP’s admin account to spoof a ScreenConnect login alert. When the administrator clicked on the link in the email to log in and review said alert, they were directed to a phishing page via redirects.

Sophos notes that the phishing URL was set up so that only the intended victim was sent to the phishing site, while all other visitors were forwarded to the legitimate ScreenConnect site. At this point the actor could intercept the credentials and log in to the administrator's account.

After gaining access to the administrator’s ScreenConnect account, the actor pushed an attacker-managed instance of ScreenConnect to several of the MSP’s customers. According to Sophos, this instance was used for enumeration, user discovery, the resetting of account credentials, and to gain access to other tools. After having sufficient access, the actor gathered and exfiltrated files from the customer environments, uploading the files to an “easyupload[.]io” site in an incognito tab.

Sophos also reveals several of the actor’s techniques, including identifying and targeting backups to prevent restoration, deploying Qilin ransomware to several of the MSP’s customers, disabling Volume Shadow Copy Service (VSS), deleting shadow copies and Windows event logs, deleting itself after execution, and others.
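Several of the techniques listed above leave command-line traces that a process-creation feed will capture. The block below is an added example, not code from the Sophos report or from Tanium: it runs a handful of string-match rules over constructed process records, tags each hit with its MITRE ATT&CK technique id, and escalates any host showing two or more distinct techniques. The command lines, host names and the incognito-from-RMM parent check are constructed assumptions about what such activity could look like, not indicators from the report.

```python
"""Added example (not from the Sophos report or the Tanium post): a small
detection pass over process-creation records, looking for the post-exploitation
steps the roundup lists (shadow-copy deletion, VSS disabled, event logs cleared,
self-deletion, exfiltration through an incognito browser launched from the RMM
session). Event records are constructed samples; MITRE ATT&CK ids are real."""
import re

# Each rule: name, ATT&CK technique, command-line pattern, optional parent-process pattern
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I), None),
    ("vss_service_disabled", "T1490",
     re.compile(r"sc(\.exe)?\s+config\s+vss\s+start=\s*disabled|net(\.exe)?\s+stop\s+vss\b", re.I), None),
    ("event_log_cleared", "T1070.001",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I), None),
    ("self_deletion_via_cmd", "T1070.004",
     re.compile(r"cmd(\.exe)?\s+/c\s+.*\bdel\b.*\.exe", re.I), None),
    ("incognito_browser_from_rmm", "T1567",
     re.compile(r"chrome(\.exe)?\b.*--incognito", re.I), re.compile(r"screenconnect", re.I)),
]


def detect(events):
    """Return one alert per (event, rule) match."""
    alerts = []
    for event in events:
        for name, technique, cmd_re, parent_re in RULES:
            if not cmd_re.search(event["cmd"]):
                continue
            if parent_re is not None and not parent_re.search(event.get("parent", "")):
                continue
            alerts.append({"ts": event["ts"], "host": event["host"], "user": event["user"],
                           "rule": name, "technique": technique, "cmd": event["cmd"]})
    return alerts


def techniques_by_host(alerts):
    """Map host -> sorted list of distinct ATT&CK techniques seen on it."""
    seen = {}
    for alert in alerts:
        seen.setdefault(alert["host"], set()).add(alert["technique"])
    return {host: sorted(techs) for host, techs in seen.items()}


def flag_hosts(alerts, min_techniques=2):
    """Hosts showing two or more distinct techniques are escalated as likely ransomware staging."""
    return sorted(h for h, t in techniques_by_host(alerts).items() if len(t) >= min_techniques)


# Constructed sample records, shaped like a minimal process-creation feed (time-of-day only)
SAMPLE_EVENTS = [
    {"ts": "02:11:03", "host": "WS01", "user": "CORP\\msp-admin",
     "parent": "ScreenConnect.ClientService.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "02:11:09", "host": "WS01", "user": "CORP\\msp-admin",
     "parent": "ScreenConnect.ClientService.exe", "cmd": "sc.exe config VSS start= disabled"},
    {"ts": "02:11:15", "host": "WS01", "user": "CORP\\msp-admin",
     "parent": "ScreenConnect.ClientService.exe", "cmd": "wevtutil.exe cl Security"},
    {"ts": "02:14:40", "host": "WS01", "user": "CORP\\msp-admin",
     "parent": "ScreenConnect.WindowsClient.exe",
     "cmd": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --incognito"},
    {"ts": "02:31:02", "host": "WS01", "user": "CORP\\msp-admin",
     "parent": "ScreenConnect.ClientService.exe",
     "cmd": "cmd.exe /c ping 127.0.0.1 -n 3 > nul & del \"C:\\Users\\Public\\locker.exe\""},
    {"ts": "03:00:00", "host": "WS02", "user": "CORP\\backup-svc",
     "parent": "services.exe", "cmd": "vssadmin.exe list shadows"},
    {"ts": "03:05:12", "host": "WS02", "user": "CORP\\jdoe",
     "parent": "explorer.exe", "cmd": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert["ts"], alert["host"], alert["technique"], alert["rule"], "|", alert["cmd"])
    print("escalate:", flag_hosts(found))
```

The benign `vssadmin list shadows` on WS02 is there on purpose: a rule that fires on any `vssadmin` invocation will bury the real signal under backup-software noise, so the patterns key on the destructive verbs. Requiring two distinct techniques on one host before escalating is a starting threshold to tune, not a fixed rule.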

Analyst comments from Tanium’s Cyber Threat Intelligence team

This particular attack targeted an MSP’s customers, making it a supply chain style attack—something that is becoming more and more common.

What’s interesting is how the actor was able to exfiltrate data via an incognito tab in Chrome. This is uncommon and gives defenders yet another avenue of exfiltration to monitor.



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
