An emerging ransomware-as-a-service group that has wrought havoc across industry and critical infrastructure sectors over the past year likely shares tooling and perhaps personnel with the notorious FIN7 hacking group.

In new research released Thursday, SentinelOne details a number of previously unknown tactics, techniques and procedures tied to the Black Basta ransomware-as-a-service operation. The group has seemingly been operating for less than a year but they’ve been tied to dozens of high-profile ransomware incidents, with firms like Palo Alto Networks saying their modus operandi involves targeting large enterprise organizations in the energy, agriculture, manufacturing, utilities and government sectors.

Strangely, while they bill themselves as a ransomware-as-a-service operation, there’s little evidence that Black Basta puts much effort into recruiting affiliates or advertising on dark net forums. While this is not unheard of, technical insights into some of the unique toolsets they bring to bear indicates that they could be part of or associated with a much larger hacking operation.

Among the findings by SentinelOne was a tool that Black Basta operators use to evade endpoint detection and response systems. First identified June 3, the malware appears to be exclusively used by the group, and the same developer also created a custom tool for manipulating the graphic user interface of Windows Defender to prevent victims from knowing it had been disabled by attackers.

The fake Windows Security GUI ‘WindefCheck.exe’ (source: SentinelOne)

One sample was packed with a backdoor — called BIRDDOG — that has been used in multiple past FIN7 operations and that beacons to a command-and-control server using the same bulletproof hosting services that FIN7 deploys. Code samples found on public malware repositories using the same packer pre-dated the creation of BIRDDOG by two months and revealed a Cobalt Strike DNS beacon. After further analysis, the researchers concluded that the packer used to compress BIRDDOG is an updated version.

“We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups,” write SentinelOne researchers Antonio Cocomazzi and Antonio Pirozzi.

The hacking collective known as FIN7 is one of the most prolific and innovative financially motivated cybercrime groups in the world, with one cybersecurity firm estimating their credit card fraud schemes alone have netted more than $1 billion. Since 2020, the group has been steadily shifting from leveraging point-of-sale malware against the financial sector to broader ransomware operations to fill its coffers. The group has previously been connected by threat intelligence firms like Mandiant to the operations of DarkSide (the group U.S. officials blamed for the Colonial Pipeline attack in 2021) and the rebranded DarkMatter.

“At this point, it’s likely that FIN7 or an affiliate began writing tools from scratch in order to disassociate their new operations from the old. Based on our analysis, we believe that the custom impairment tool described above is one such tool,” write Cocomazzi and Pirozzi.