June 27, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Google Issues March 2025 Android Security Patch for Actively Exploited Flaws
March 4, 2025
Broadcom Fixes Three Actively Exploited VMware Zero-Day Vulnerabilities
March 4, 2025
Google Issues March 2025 Android Security Patch for Actively Exploited Flaws
March 4, 2025
Broadcom Fixes Three Actively Exploited VMware Zero-Day Vulnerabilities
March 4, 2025
Severity
High
Analysis Summary
Recent ransomware campaigns by Black Basta and Cactus groups have exploited Microsoft Teams and Quick Assist to hijack corporate networks, amassing over $107 million in Bitcoin ransoms since October 2024. Attackers use email flooding and social engineering tactics, impersonating IT support via Microsoft Teams with spoofed accounts to trick victims into granting remote access through Quick Assist. Once inside, they download malicious .bpx files from compromised cloud storage, assembling them into an archive that extracts harmful DLLs and executables into OneDrive. This technique abuses OneDriveStandaloneUpdater.exe for DLL sideloading, ultimately deploying BackConnect malware for persistent access.
BackConnect establishes command-and-control (C2) through registry-logged IPs linked to Black Basta. It enables remote code execution, credential theft, and lateral movement using SMB and WinRM. The Cactus ransomware group, composed of ex-Black Basta members, follows similar TTPs, but expands its attacks to VMware ESXi hypervisors. By deploying SystemBC malware (socks.out), they disable ESXi security, facilitating unrestricted ransomware execution. Firewall logs also reveal WinSCP file transfers to newly registered domains, indicating ongoing infrastructure development for future attacks.
Researcher, advises organizations to restrict Quick Assist access, enforce multi-factor authentication for IT support,
and apply strict monitoring of Teams activities to detect social engineering attempts. Blocking malicious C2 IPs and hunting for DLL sideloading using security queries can help mitigate these threats. Detecting eventSubId: 603 alongside suspicious S3 storage activity may indicate malicious file downloads. These defensive measures can help organizations counteract ransomware deployment through living-off-the-land tactics.
As Black Basta potentially dissolves following data leaks, Cactus is growing in sophistication, requiring organizations to prioritize Zero Trust security models and behavior-driven employee training. The reliance on legitimate cloud tools and remote support services highlights the need for continuous threat intelligence monitoring, proactive defenses, and rapid incident response to counter the evolving ransomware landscape.
Impact
- Gain Remote Access
Remediation
- Disable unauthorized remote access tools.
- Enforce multi-factor authentication (MFA) for IT support requests.
- Apply Microsoft’s security best practices.
- Treat Team messages with the same scrutiny as phishing emails.
- Blacklist known C2 IPs such as 45.8.157[.]199 and 5.181.3[.]164.
- Monitor for connections to suspicious domains like pumpkinrab[.]com.
- Use security queries like eventSubId: 603 AND (request:filters*.s3.us-east-*) to identify malicious file downloads.
- Audit OneDriveStandaloneUpdater.exe activity to detect unauthorized sideloading attempts.
- Train staff to recognize social engineering tactics.
- Promote a Zero Trust security model to prevent unauthorized access.