
Recent investigations have revealed links between the Black Basta and Cactus ransomware groups. Both have been observed using similar social engineering techniques and the BackConnect proxy malware to maintain access to compromised corporate networks.
Uncovering the Malware Links
In January, cybersecurity firm Zscaler identified a Zloader malware variant featuring a novel DNS tunneling capability. Subsequent analysis by Walmart revealed that Zloader was deploying a new proxy malware named BackConnect, which included code references to the notorious Qbot (QakBot) malware.
BackConnect's Role in Cyberattacks
BackConnect functions as a proxy tool that gives attackers persistent remote access to compromised hosts. By tunneling traffic through the infected machine it obscures the attacker's origin and activity and supports escalation of the attack within the victim's network while evading detection.
- Key Point 1: BackConnect is linked to the Black Basta ransomware operation, with its members using the malware to infiltrate and propagate within corporate environments.
- Key Point 2: A recent Black Basta data leak exposed internal communications, suggesting collaboration with Qbot developers.
Black Basta's Evolution and Cactus Connections
Black Basta, a ransomware group that emerged in April 2022, is believed to include former members of the Conti ransomware gang. After the law enforcement takedown of the Qbot botnet in 2023, Black Basta had to find alternative ways to gain initial access to networks, which led to its adoption of BackConnect.
Trend Micro's latest report indicates that the Cactus ransomware group is also using BackConnect, hinting at possible overlap in membership between the two gangs. Both groups have been observed using the same social engineering playbook: flooding a target's inbox with email, then contacting the victim over Microsoft Teams while posing as IT staff to talk them into granting remote access.
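The email-flooding step of that playbook is detectable from mail-gateway logs alone: a single mailbox suddenly receiving far more messages, from far more distinct senders, than its normal baseline. The detector below is an added example written for this article, not code from Trend Micro or from either ransomware operation. The log line format (`<ISO timestamp> to=<recipient> from=<sender>`), the thresholds, and the sample log lines are all assumptions constructed for illustration; adapt the parser to your own gateway's format.

```python
"""Email-bombing detector over mail-gateway logs.

Added example, not code from the original article or from Trend Micro.
Log format, field names, thresholds and sample data are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC timestamp> to=<recipient> from=<sender>"
LINE_RE = re.compile(r"^(?P<ts>\S+) to=(?P<to>\S+) from=(?P<frm>\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, recipient, sender); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["to"].lower(), m["frm"].lower()


def find_email_bombs(lines, window=timedelta(minutes=10), threshold=50, min_senders=20):
    """Sliding-window volume check per recipient.

    Returns {recipient: (count, distinct_senders, first_ts, last_ts)} for every
    recipient that received at least `threshold` messages from at least
    `min_senders` distinct senders inside one `window`. The distinct-sender
    condition separates a bombing run (hundreds of newsletter/signup senders)
    from a legitimate burst such as a mailing-list thread from one source.
    Lines are expected in chronological order, as a gateway log normally is.
    """
    recent = defaultdict(deque)   # recipient -> deque of (ts, sender) in window
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                   # skip unparseable lines rather than crash
        ts, to, frm = parsed
        q = recent[to]
        q.append((ts, frm))
        while q and ts - q[0][0] > window:
            q.popleft()                # drop messages older than the window
        senders = {sender for _, sender in q}
        if len(q) >= threshold and len(senders) >= min_senders:
            prev = hits.get(to)
            if prev is None or len(q) > prev[0]:
                hits[to] = (len(q), len(senders), q[0][0], ts)
    return hits


def constructed_sample():
    """Constructed sample log (not real traffic): 80 signup-style messages to one
    mailbox in 8 minutes, interleaved with normal low-volume mail to another."""
    base = datetime(2025, 3, 1, 9, 0, 0)
    lines = []
    for i in range(80):
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} to=alice@example.com from=noreply@site{i}.example")
    for i in range(5):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} to=bob@example.com from=colleague@example.com")
    return sorted(lines)               # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for rcpt, (count, senders, first, last) in find_email_bombs(constructed_sample()).items():
        print(f"ALERT {rcpt}: {count} messages from {senders} senders between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

An alert here is only the first half of the signal; the second half is an external Microsoft Teams call or chat to the same user shortly afterwards. Correlating the two (mail burst, then external Teams contact within the hour) is what turns this from a noisy volume rule into a high-confidence indicator of the tactic described above.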
Shared Tactics and Tools
Although the attack chains of Black Basta and Cactus are not identical, they share several features. Trend Micro found Cactus attackers using command and control servers that had previously been associated with Black Basta.
- Cactus ransomware, which surfaced in early 2023, mirrors Black Basta's methods, including the use of a PowerShell script known as TotalExec.
- An encryption routine that had previously been observed only in Cactus attacks was also found in Black Basta attacks, further underscoring the connection between the two groups.