Cyber security researchers have disclosed details of a new BackConnect (BC) malware developed by threat actors associated with the infamous QakBot loader.
“BackConnect is a common feature or module used by threat actors to maintain persistence and accomplish tasks,” Walmart’s Cyber Intelligence team told The Hacker News. “The BackConnect used were ‘DarkVNC’ alongside the IcedID BackConnect (Keyhole).”
The company noted that the BC module was found on the same infrastructure that distributes another malware loader called ZLoader, which was recently updated to enable a Domain Name System (DNS) tunnel for command-and-control (C2) communication.
QakBot, also called QBot and Pinkslipbot, suffered a major operational setback in 2023 after its infrastructure was seized in a coordinated law enforcement operation codenamed Duck Hunt. Since then, sporadic campaigns spreading the malware have been uncovered.
Originally conceived as a banking Trojan, it was later adapted into a loader capable of delivering next-stage payloads, such as ransomware, to a target system. A notable feature of QakBot, shared with IcedID, is its BC module, which offers threat actors the ability to use the infected host as a proxy and also provides a remote access channel through a built-in VNC component.
Walmart’s analysis revealed that the BC module, in addition to containing references to older QakBot samples, was further enhanced and designed to collect system information, effectively acting as a standalone program to facilitate follow-on exploitation.
“In this case, the malware we’re talking about is a standalone backdoor that uses BackConnect as a medium to allow the threat actor to gain access to the keyboard,” Walmart said. “This distinction is further emphasized by the fact that this backdoor collects system information.”
The BC malware was also the subject of independent analysis by Sophos, which attributed the artifacts to a threat cluster it tracks as STAC5777, which in turn overlaps with Storm-1811, a cybercriminal group known for abusing Quick Assist to deploy Black Basta ransomware by impersonating tech support staff.
The British cyber security company noted that both STAC5777 and STAC5143 are threat groups that may be linked to FIN7. They ran email bombing campaigns and used Microsoft Teams to contact potential targets, tricking victims into granting remote access to their computers via Quick Assist or Teams’ built-in screen sharing in order to install Python backdoors and Black Basta ransomware.
“Both threat actors managed their own Microsoft Office 365 service tenants as part of their attacks and took advantage of the default Microsoft Teams configuration that allows users from external domains to initiate chats or meetings with internal users,” Sophos said.
Given that Black Basta operators used to rely on QakBot to deploy ransomware, the emergence of a new BC module, coupled with the fact that Black Basta has also distributed ZLoader in recent months, paints a picture of a tightly interconnected cybercrime ecosystem in which the developers of QakBot are likely supporting the Black Basta team with new tools, according to Walmart.