Analysis Summary

Cybersecurity researchers have unveiled a new BackConnect (BC) malware developed by threat actors associated with the infamous QakBot loader. BackConnect is a modular tool used by cybercriminals for maintaining persistence and performing various malicious tasks, including remote access and proxying.

According to the researcher, two BC modules in use, DarkVNC and IcedID BackConnect (KeyHole), were linked to the same infrastructure responsible for distributing ZLoader malware. ZLoader has also been updated to use DNS tunneling for command-and-control (C2) communications, emphasizing the evolving sophistication of these threats.

The QakBot loader, initially designed as a banking trojan, has evolved into a versatile tool for deploying ransomware and other malware. Despite a major operational disruption in 2023 during the "Duck Hunt" law enforcement operation, sporadic QakBot campaigns persist. A standout feature of QakBot, alongside IcedID, is its BC module, which facilitates host proxying and provides remote access via an embedded VNC component. The researcher's analysis highlights that the BC malware not only includes references to older QakBot samples but also boasts enhanced functionalities, such as autonomous system information collection, further enabling threat actors to exploit compromised systems.

Sophos independently analyzed the BC malware and attributed it to threat cluster STAC5777, which overlaps with Storm-1811, a group known for deploying Black Basta ransomware using Quick Assist and tech support scams. Another related group, STAC5143, potentially tied to FIN7, has been observed employing email bombing and vishing through Microsoft Teams to trick targets into granting remote access. These attacks exploit the default configuration of Microsoft Teams, which allows external users to initiate chats and meetings. Both groups have used Python backdoors and ransomware like Black Basta, showcasing their reliance on advanced social engineering tactics.

The interconnected nature of these operations indicates a robust cybercrime ecosystem. Researchers suggest that QakBot developers are supporting Black Basta operators with new tools, including the BC module. This collaboration aligns with Black Basta’s history of using QakBot for ransomware deployment and their recent distribution of ZLoader. The BC module’s emergence underscores the increasing sophistication and adaptability of cybercriminal groups, with modular malware like BackConnect playing a central role in advancing their malicious campaigns.

Impact

• Information Theft
• Privilege Escalation
• Unauthorized Access
• Financial Loss

Indicators of Compromise

SHA1

• f09804b59a3aac7c1dd47c7e027182fb54f9a277

• 7eb964f0f14c915d0112a2211c4c1ac8eeccba99

• f4311944e910008c9b6f5adc8aee20dadd48634c

• b78f573f5ae8684cc5a5b12f2827c0cee2a309d7

• 24aa8782c7ffee3b2acc50ed8d3fcf0f4677cf2e

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software in a timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Restrict the use of remote desktop services like Quick Assist and VNC to authorized users only. Disable unused services and enforce multi-factor authentication (MFA) for all remote access tools to prevent unauthorized entry.
• Develop and regularly test a comprehensive incident response plan to minimize downtime and damage in the event of a malware attack. Include specific steps for isolating infected systems, analyzing malware, and restoring operations securely.