On January 23, 2025, cybersecurity researchers revealed details about a new BackConnect (BC) malware associated with threat actors linked to the QakBot loader. Walmart’s Cyber Intelligence team explained that BackConnect modules are commonly used by threat actors to maintain persistence on a compromised host and to task it with follow-on actions, citing earlier modules such as DarkVNC and the IcedID BackConnect module (KeyHole) as examples.
The BC module was discovered on the same infrastructure distributing the ZLoader malware, which recently incorporated a Domain Name System (DNS) tunnel for command-and-control (C2) communications. QakBot, also known as QBot and Pinkslipbot, faced operational setbacks in 2023 after a law enforcement operation named Duck Hunt seized its infrastructure. Since then, sporadic campaigns spreading the malware have been identified.
Originally designed as a banking trojan, QakBot evolved into a loader capable of delivering ransomware onto target systems. The BC module, along with IcedID, provides threat actors with proxy capabilities and a remote-access channel through an embedded VNC component. Walmart’s analysis revealed that the BC module collects system information and acts as a standalone backdoor for follow-on exploitation.
Sophos conducted an independent analysis attributing the BC malware to a threat cluster it tracks as STAC5777, which overlaps with the cybercriminal group Storm-1811. These threat groups have been using tactics such as email bombing and Microsoft Teams vishing to gain remote access to target computers and deploy ransomware. This overlap suggests that the developers behind QakBot are likely supplying the Black Basta team with new tools.
Taken together, the emergence of the new BC module and Black Basta’s distribution of ZLoader point to a highly interconnected cybercrime ecosystem, one in which threat actors share infrastructure and tooling, and malware evolves to support each other’s intrusions.
