QakBot Returns: New BackConnect Malware Unleashes Advanced Stealth and Surveillance Powers

New QakBot-Linked BackConnect Malware Discovered

Security researchers have uncovered a new BackConnect (BC) malware variant connected to the QakBot loader operation. The discovery, made by Walmart’s Cyber Intelligence team, reveals that the malware incorporates DarkVNC and IcedID BackConnect (KeyHole) modules.

The malware was detected on infrastructure previously associated with ZLoader, another malware loader recently updated with DNS tunneling capabilities for C2 communications. This development follows QakBot’s disruption in 2023 during Operation Duck Hunt, though the threat actors have maintained sporadic activity since then.

Key Features and Capabilities:
– Functions as a standalone backdoor
– Enables proxy usage of infected hosts
– Includes remote access through VNC
– Collects detailed system information
– Facilitates follow-on exploitation

The BC malware has been linked to threat group STAC5777, which overlaps with Storm-1811, known for Black Basta ransomware deployment. These groups employ sophisticated social engineering tactics, including:
– Email bombing
– Microsoft Teams vishing
– Abuse of Quick Assist
– Exploitation of Microsoft Office 365 tenants

Analysis suggests strong connections between QakBot developers and Black Basta operators, indicating a complex cybercrime ecosystem. The discovery of this new BC module, combined with Black Basta’s recent use of ZLoader, demonstrates the ongoing evolution and collaboration within cybercriminal networks.