Threat actors deploying the Black Busta and Cactus ransomware families have been found to rely on the same Back Connect (BC) module for sustained control of infected hosts.
“Once you sneak in, you’ll be able to grant attackers a wide range of remote control capabilities and run commands on infected machines,” Trend Micro said in an analysis Monday. “This allows you to steal sensitive data, such as login credentials, financial information, and personal files.”
It is worth noting that details of the BC modules that cybersecurity companies are tracking as QBACKConnect in duplicate with the Qakbot loader were first documented in late January 2025 by both the Walmart Cyber Intelligence Team and Sophos.
For the past year, Black Basta Attack Chains have increasingly utilized email bombing tactics to trick future targets and set up rapid assists after being contacted by threat actors under the guise of IT support or help desk personnel.
This access then acts as a conduit for sideloading a reedbed named the malicious dll loader (“winhttp.dll”) using Onedrivestandaloneupdater.exe, a legitimate executable responsible for updating Microsoft OneDrive. The loader will ultimately decrypt and execute the BC module.
Trend Micro observed a cactus ransomware attack that deployed BackConnect using the same mode of surgery, but also noted that it would perform various post-extraction actions, such as lateral movement and data exfoliation. However, efforts to encrypt the victim’s network have failed.
The convergence of tactics envisions special importance in light of recent Black Busta Chat Log Leaks, which bare the inner workings and organizational structure of electronic crime gangs.
Specifically, it has been revealed that financially motivated crew members share valid credentials. Some of the other prominent initial access points are Remote Desktop Protocol (RDP) portals and VPN endpoints.
“Threat actors use these tactics, techniques, and procedures (TTP) — viscing, rapid assist as a remote tool, backconnect — deploying black bustarransomware,” Trend Micro said.
“Specifically, there is evidence to suggest that members have moved from the Black Bastor Ransomware Group to the Cactus Ransomware Group. This conclusion is drawn from an analysis of similar tactics, techniques, and procedures (TTP) exploited by the Cactus Group.”
Source link
