Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. They exploit Microsoft Teams and Quick Assist for unauthorized access and privilege escalation. The malware is deployed through abuse of OneDriveStandaloneUpdater.exe, which side-loads malicious DLLs. The attackers utilize commercial cloud storage services to host and distribute malicious files. Since October 2024, most incidents occurred in North America and Europe, with the US being the most affected. The manufacturing sector was the primary target, followed by financial and real estate industries.
OPENCTI LABELS:
social engineering, ransomware, lateral movement, darkgate, systembc, black basta, privilege escalation, cactus, backconnect, cloud storage abuse, onedrive exploitation