Cybercriminals associated with the Black Basta and Cactus ransomware operations have been observed combining social engineering, legitimate remote access tools, and cloud-based infrastructure to gain initial access and establish persistent control over enterprise networks. Both groups rely on BackConnect malware, which gives the operators remote, interactive control of compromised systems.
Attack Methodology
Initial Access: Social Engineering & Remote Access Abuse
· Email Flooding & Reconnaissance: Attackers first flood targets with phishing emails, some carrying malicious links or attachments, others serving only as noise. The flood gives the attacker a pretext for the next step: an "IT support" contact about the mailbox problem.
· Impersonation via Microsoft Teams: Attackers pose as IT support personnel and contact employees over Teams under the guise of troubleshooting an urgent issue.
· Gaining Remote Access: Targets are talked into launching Quick Assist or another remote access tool such as AnyDesk or TeamViewer, handing the attacker an interactive session on the endpoint.
Execution & Persistence: Weaponizing OneDrive Updater
· Payload Deployment: Attackers drop malicious DLLs and executables into the victim's Microsoft OneDrive directory, a user-writable location that needs no elevated rights.
· DLL Side-Loading: The legitimate, signed OneDriveStandaloneUpdater.exe is used to load these malicious DLLs, so the payload runs under a trusted Microsoft binary.
· WinSCP for File Transfers: Attackers use WinSCP to exfiltrate data and to move additional payloads around the compromised environment.
· Registry Modifications & Scheduled Tasks: Persistence is achieved by modifying the Windows Registry and creating scheduled tasks that execute the malicious payloads at system startup.
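The following PowerShell script is an added example (not code from the original report) that hunts a single host for the artifacts described in the four steps above: non-Microsoft binaries under a user's OneDrive install directory, scheduled tasks and Run/RunOnce values that launch something from that directory, and non-Microsoft modules currently loaded into OneDriveStandaloneUpdater.exe. The directory layout, the "signed by Microsoft Corporation" test, and the Review/Suspect labels are this example's assumptions, not published indicators.

```powershell
# Added example, not from the original report or from Trend Micro. Run in an
# elevated PowerShell on the host being examined. Assumptions: OneDrive is
# installed per-user under %LOCALAPPDATA%\Microsoft\OneDrive, and anything in
# that tree not Authenticode-signed by "O=Microsoft Corporation" is suspect.

function Get-SignerInfo {
    # Authenticode status and signer subject of a file.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Status = 'Missing'; Signer = ''; Microsoft = $false }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Status    = $sig.Status
        Signer    = $subject
        Microsoft = ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation')
    }
}

function Get-CommandImage {
    # Executable path out of a command line such as
    #   "C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"([^"]+)"') { return $Matches[1] }
    return ($cl -split '\s+')[0]
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Path, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Detail = $Detail })
}

# 1. Binaries under every user's OneDrive install tree. The tree is
#    user-writable, which is what makes OneDriveStandaloneUpdater.exe a usable
#    side-loading host; any DLL/EXE there not signed by Microsoft is a finding.
Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Microsoft\OneDrive' } |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        Get-ChildItem $_ -Recurse -File -Include *.dll,*.exe -ErrorAction SilentlyContinue |
            ForEach-Object {
                $s = Get-SignerInfo $_.FullName
                if (-not $s.Microsoft) {
                    Add-Finding 'Suspect:BinaryInOneDrive' $_.FullName "$($s.Status) signer=$($s.Signer) written=$($_.LastWriteTime)"
                }
            }
    }

# 2. Scheduled tasks and Run/RunOnce values launching from a OneDrive path.
#    The stock "OneDrive Standalone Update Task" and the per-user "OneDrive"
#    Run value are expected and appear as Review entries; diff those against
#    a known-good host. A non-Microsoft image launched from the tree is Suspect.
function Test-Launcher($Kind, $Where, $CommandLine) {
    if ($CommandLine -notmatch '\\OneDrive\\') { return }
    $s = Get-SignerInfo (Get-CommandImage $CommandLine)
    $label = if ($s.Microsoft) { "Review:$Kind" } else { "Suspect:$Kind" }
    Add-Finding $label $Where "$CommandLine  [signer=$($s.Signer)]"
}

Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ($a.Execute) { Test-Launcher 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" "$($a.Execute) $($a.Arguments)" }
    }
}

$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
$runKeys += Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | ForEach-Object {
    "$($_.PSPath)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "$($_.PSPath)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |           # skip provider metadata
        ForEach-Object { Test-Launcher 'RunKey' "$key\$($_.Name)" "$($_.Value)" }
}

# 3. Live check: non-Microsoft modules inside a running OneDriveStandaloneUpdater.exe.
#    A side-loaded DLL shows up here while the updater (or the attacker's copy) runs.
Get-Process -Name OneDriveStandaloneUpdater -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try { $mods = $p.Modules } catch { return }           # access denied / bitness mismatch
    foreach ($m in $mods) {
        $s = Get-SignerInfo $m.FileName
        if (-not $s.Microsoft) {
            Add-Finding 'Suspect:LoadedModule' "PID $($p.Id) $($m.FileName)" "signer=$($s.Signer)"
        }
    }
}

$findings | Sort-Object Type | Format-Table -AutoSize -Wrap
```

Run it through your EDR's script execution or a remoting tool you already trust, not over a WinRM session opened for the purpose. Triage order is Suspect entries first; Review entries are there so that a renamed or relocated copy of the legitimate updater stands out when compared with a clean host.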
Command & Control (C2) and Lateral Movement
· Establishing Remote Access via BackConnect Malware: BackConnect gives the attackers persistent access and an interactive session on the compromised host whenever they need one.
· Spreading Across the Network: Attackers use Windows Remote Management (WinRM) and Server Message Block (SMB) to move laterally between hosts.
· C2 Infrastructure: Compromised machines communicate with C2 IP addresses already linked to Black Basta.
Privilege Escalation & Credential Dumping
· Credential Dumping: Tools such as Mimikatz are used to dump credentials from memory; the stolen credentials are then used to escalate privileges and gain domain-wide access.
Data Exfiltration & Ransomware Deployment
· Exfiltration via Cloud Services & Encrypted Tunnels: Stolen data is exfiltrated to attacker-controlled cloud storage or to Tor-based destinations.
· Ransomware Deployment: Once the valuable data is out, ransomware is deployed to encrypt files and lock victims out of their systems.
· Ransom Note: A ransom note is dropped, demanding payment in cryptocurrency.
Affected Industries
· Manufacturing, Real Estate, Construction, and Financial Services are key targets.
Mitigation & Recommendations
- Enhance Employee Awareness:
  - Conduct security awareness training so staff recognize phishing and social engineering attempts, including an email flood followed by an unsolicited "support" contact.
  - Warn employees about impersonation of IT support over Microsoft Teams and requests to launch Quick Assist.
- Restrict Remote Access Tools:
  - Limit the use of remote support software such as Quick Assist, AnyDesk, and TeamViewer to approved, managed installations.
  - Give employees an out-of-band way to verify that someone claiming to be IT support is genuine (for example, a callback through the published helpdesk number) before any remote session is accepted.
- Monitor OneDrive and Cloud Storage Usage:
  - Restrict unauthorized file downloads and execution from cloud storage directories.
  - Use endpoint detection solutions to identify and block DLL side-loading, in particular non-Microsoft DLLs loaded by OneDriveStandaloneUpdater.exe.
- Network Segmentation & Access Control:
  - Implement strict access controls and segmentation to limit lateral movement.
  - Disable WinRM and inbound SMB on hosts that do not need them.
- Monitor & Block Malicious C2 Communications:
  - Implement network monitoring to detect outbound traffic to known C2 IPs.
  - Block identified malicious domains and IPs in firewall and proxy configurations.
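The following PowerShell script is an added example (not code from the original report) that applies the host-side parts of the recommendations above on a single Windows endpoint: it records any live connection to the listed C2 addresses, adds an outbound firewall block for them, removes Quick Assist, disables WinRM, and turns off SMBv1 and inbound file sharing. The two addresses in $c2Ips are RFC 5737 documentation addresses used as placeholders, not real indicators; the real list comes from your IOC feed.

```powershell
# Added example, not from the original report. Run elevated and stage it
# through change control: disabling WinRM and inbound SMB breaks legitimate
# remote administration and file sharing on hosts that rely on them.
$c2Ips = @('192.0.2.10', '198.51.100.23')   # placeholders, replace with real IOCs

# 0. Before blocking, record anything already connected to the listed
#    addresses so the responder knows which hosts and processes were live.
$live = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -in $c2Ips }
foreach ($c in $live) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    Write-Warning ("Active connection to {0}:{1} from PID {2} ({3}), state {4}" -f
        $c.RemoteAddress, $c.RemotePort, $c.OwningProcess, $proc.ProcessName, $c.State)
}

# 1. Outbound block for the known C2 addresses on every firewall profile.
#    The rule is re-created on each run so an updated IOC list replaces the old one.
$ruleName = 'Block known Black Basta C2'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
    -RemoteAddress $c2Ips -Profile Any -Enabled True | Out-Null

# 2. Remove Quick Assist where it is not used. Older builds ship it as a
#    Windows capability; newer builds deliver it as a Store (MSIX) package,
#    so both removal paths are tried.
Get-WindowsCapability -Online | Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name | Out-Null }
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
    Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue

# 3. WinRM: disable the PowerShell remoting endpoints, stop the service, and
#    disable the inbound firewall rules that would otherwise re-expose 5985/5986.
Disable-PSRemoting -Force
Stop-Service WinRM -Force
Set-Service WinRM -StartupType Disabled
Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled False

# 4. SMB: turn off SMBv1 and, on workstations that serve no shares, the inbound
#    File and Printer Sharing rules. Lateral movement over SMB needs an inbound
#    listener; the client side is left alone so mapped drives keep working.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False

# 5. Report the end state so the change can be verified from the ticket.
[pscustomobject]@{
    QuickAssistCapability = (Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*').State
    WinRMStartup          = (Get-Service WinRM).StartType
    WinRMRulesEnabled     = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Where-Object Enabled -eq 'True').Count
    SMB1Enabled           = (Get-SmbServerConfiguration).EnableSMB1Protocol
    C2RuleAddresses       = ((Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
}
```

The firewall block is a stopgap for hosts that cannot reach the perimeter proxy or egress filter; the authoritative block belongs in the proxy and edge firewall, where the IOC list can be updated once rather than per endpoint. Step 0 matters more than it looks: an endpoint with an established connection to a C2 address at the time the rule is applied is already compromised and should go to incident response rather than be quietly hardened.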
You can access our GitHub repo for Indicators of Compromise.