Cybersecurity researchers have disclosed details of a new BackConnect (BC) malware that has been developed by threat actors linked to the infamous QakBot loader.
“BackConnect is a common feature or module utilized by threat actors to maintain persistence and perform tasks,” Walmart’s Cyber Intelligence team told The Hacker News. “The BackConnect(s) in use were ‘DarkVNC’ alongside the IcedID BackConnect (KeyHole).”
The company noted that the BC module was found on the same infrastructure that was observed distributing another malware loader called ZLoader, which was recently updated to incorporate a Domain Name System (DNS) tunnel for command-and-control (C2) communications.
QakBot, also called QBot and Pinkslipbot, suffered a major operational setback in 2023 after its infrastructure was seized as part of a coordinated law enforcement effort named Duck Hunt. Since then, sporadic campaigns have been uncovered propagating the malware.
Originally conceived as a banking trojan, it was later adapted into a loader capable of delivering next-stage payloads onto a target system such as ransomware. A notable feature of the QakBot, alongside IcedID, is its BC module that offers the threat actors the ability to use the host as a proxy, as well as offer a remote-access channel by means of an embedded VNC component.
Walmart’s analysis has revealed that the BC module, besides containing references to old QakBot samples, has been further enhanced and developed to gather system information, more or less acting as an autonomous program to facilitate follow-on exploitation.
“In this case the malware we talk about is a standalone backdoor utilizing BackConnect as a medium to allow a threat actor to have hands on keyboard access,” Walmart said. “This distinction is further pronounced by the fact that this backdoor collects system information.”
The BC malware has also been the subject of an independent analysis by Sophos, which attributed the artifacts to a threat cluster it tracks as STAC5777, which, in turn, overlaps with Storm-1811, a cybercriminal group known for abusing Quick Assist for Black Basta ransomware deployment by posing as tech support personnel.
The British cybersecurity company noted that both STAC5777 and STAC5143 – a threat group with possible ties to FIN7 – have resorted to email bombing and Microsoft Teams vishing to prospective targets and trick them into granting the attackers remote access to their computers via Quick Assist or Teams’s built-in screen sharing to install Python backdoors and Black Basta ransomware.
“Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users,” Sophos said.
With Black Basta operators having previously relied on QakBot for deploying the ransomware, the emergence of a new BC module, coupled with the fact that Black Basta has also distributed ZLoader in recent months, paints a picture of a highly interconnected cybercrime ecosystem where the developers behind QakBot are likely supporting the Black Basta team with new tools, Walmart said.
