Black Basta and Cactus attackers gang up on Teams users with new techniques

Hacker organizations are working together for a common goal

News

Reading time icon 2 min. read

Calendar icon Published on

by Claudiu Andone 

published on

Share this article

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Black Basta and Cactus ransomware are attacking Teams users

You certainly remember the Black Basta hacker group exploits. Well, according to a new Zscaler security experts report recorded by Bleeping Computer, they discovered links between the Black Basta and Cactus ransomware gangs, with both groups employing similar social engineering tactics and utilizing the BackConnect proxy malware for post-exploitation access to corporate networks.

In January, Zscaler discovered a Zloader malware sample containing a new DNS tunneling feature. Further investigation by Walmart indicated that Zloader was deploying a new proxy malware called BackConnect, which contained code references to the Qbot (QakBot) malware. BackConnect acts as a proxy tool for remote access to compromised servers, allowing cybercriminals to tunnel traffic, obfuscate their activities, and escalate attacks within a victim’s environment without detection1.

Both Zloader, Qbot, and BackConnect are believed to be linked to the Black Basta ransomware operation, with members utilizing the malware to breach and spread through corporate networks. These ties were further strengthened by a recent Black Basta data leak that exposed internal conversations, including those between the ransomware gang’s manager and an individual believed to be the developer of Qbot1.

In a new report by Trend Micro, researchers found that the Cactus ransomware group is also utilizing BackConnect in attacks, indicating a potential overlap in members between both groups. In the Black Basta and Cactus attacks observed by Trend Micro, threat actors employed the same social engineering tactic of bombarding targets with an overwhelming number of emails. The attackers then contacted the targets through Microsoft Teams, posing as IT help desk employees, and tricked victims into providing remote access via Windows Quick Assist.

Right now, no one knows whether Cactur ransomware is a distinct group or just a branch of Black Basta. Coincidently or not, we also recently reported about a massive botnet attack on Microsoft 365 attacks. We’re going through hard times when cybersecurity is of high-level importance for any organization.

More about the topics: Cybersecurity, Microsoft Teams

Claudiu Andone

Claudiu Andone Shield

Windows Toubleshooting Expert

Oldtimer in the tech and science press, Claudiu is focused on whatever comes new from Microsoft. His abrupt interest in computers started when he saw the first Home Computer as a kid. However, his passion for Windows and everything related became obvious when he became a sys admin in a computer science high school. With 14 years of experience in writing about everything there is to know about science and technology, Claudiu also likes rock music, chilling in the garden, and Star Wars. May the force be with you, always!

User forum

0 messages