
A surge in ransomware attacks leveraging Microsoft Teams and Quick Assist to hijack corporate networks has concerned cybersecurity experts, with threat actors netting over $107 million in Bitcoin ransoms since October 2024. 

Trend Micro’s Managed XDR and Incident Response teams recently uncovered coordinated campaigns by Black Basta and Cactus ransomware groups using a shared BackConnect malware variant (detected as QBACKCONNECT) to establish persistent access. 

These attacks combine social engineering, abuse of legitimate tools, and exploitation of cloud infrastructure to dangerous effect.


The attack chain begins with email flooding to overwhelm victims’ inboxes, followed by impersonation attempts via Microsoft Teams. 

Threat actors pose as IT support using spoofed accounts like admin_52351@brautomacao565[.]onmicrosoft[.]com. 

Email address used by the attacker

Victims are pressured into granting remote access through Microsoft’s built-in Quick Assist tool, which gives the attacker full control of the device.

Microsoft has previously warned of such tactics, attributing them to Black Basta affiliates since late 2023.

Once access is granted, attackers download malicious .bpx files from compromised cloud storage buckets. In one case, files kb052117-01.bpx and kb052123-02.bpx were concatenated into pack.zip.

This archive, when extracted via tar.exe, deploys malicious DLLs and executables into the OneDrive directory.

OneDrive Sideloading and BackConnect Malware

The attackers abuse OneDriveStandaloneUpdater.exe, a legitimate Microsoft binary, to sideload a malicious DLL (winhttp.dll).

This DLL decrypts payloads from settingsbackup.dat, deploying the BackConnect malware. 

Persistent command-and-control (C2) is established through IPs such as 38.180.25[.]3, recorded in a registry key.

Trend Micro attributes these IPs to Black Basta’s C2 infrastructure.

BackConnect enables remote code execution, credential theft, and lateral movement via Server Message Block (SMB) and Windows Remote Management (WinRM).

SMB access via ‘OneDriveStandaloneUpdater.exe’ (top) 
WinRM utilized for remote command execution and schedule task creation (bottom)

Cactus Ransomware Evolution and ESXi Targeting

The Cactus group, now staffed by former Black Basta operators, employs nearly identical TTPs.

After deploying BackConnect, they escalate attacks by targeting VMware ESXi hypervisors. The malware socks.out (a SystemBC variant) disables ESXi security.

This allows the ransomware binaries to run without restriction.

Firewall logs also reveal WinSCP transfers to the domain pumpkinrab[.]com (IP: 208.115.200[.]146), registered days before the attack.

Mitigation Strategies

Trend Micro recommends:

  • Restrict Quick Assist: Disable unauthorized remote tools and mandate multi-factor authentication for IT requests.
  • Monitor Teams Activity: Apply Microsoft’s security best practices and treat Teams with the same scrutiny as email.
  • Block Malicious IPs: Blacklist C2 IPs like 45.8.157[.]199 and 5.181.3[.]164.
  • Hunt for DLL Sideloading: Use a Trend Vision One query such as eventSubId: 603 AND (request:filters*.s3.us-east-*) to detect malicious file activity.
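As an added illustration of the hunting step above (example code, not Trend Micro's query or tooling), the following Python walks constructed JSON-lines endpoint telemetry and flags the three behaviours the article describes: winhttp.dll loaded by OneDriveStandaloneUpdater.exe from outside System32, tar.exe unpacking a zip under a user profile, and connections to the C2 addresses quoted here. The event field names (type, process, image, command_line, dest_ip) and the sample file paths are assumptions made for this example.

```python
import json

# Indicators quoted in the article, with the defanging brackets removed
C2_IPS = {"38.180.25.3", "45.8.157.199", "5.181.3.164", "208.115.200.146"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def classify(event: dict):
    """Return a finding string for one telemetry event, or None if benign.
    Field names are assumed for this example, not a real sensor schema."""
    proc = event.get("process", "").lower()
    if event["type"] == "image_load":
        dll = event["image"].lower()
        # The genuine winhttp.dll lives under System32; a copy loaded from the
        # OneDrive directory next to the updater is the sideloading pattern
        if (proc.endswith("\\onedrivestandaloneupdater.exe")
                and dll.endswith("\\winhttp.dll")
                and not dll.startswith(SYSTEM_DIRS)):
            return f"winhttp.dll sideloaded from {dll}"
    elif event["type"] == "process_create":
        cmd = event.get("command_line", "").lower()
        # tar.exe unpacking a zip under a user profile, as with pack.zip
        if proc.endswith("\\tar.exe") and ".zip" in cmd and "\\users\\" in cmd:
            return f"tar.exe extracting archive: {cmd}"
    elif event["type"] == "network_connect":
        if event["dest_ip"] in C2_IPS:
            return f"connection to published C2 address {event['dest_ip']}"
    return None

def hunt(log_lines):
    """Run classify() over JSON-lines telemetry and keep the findings."""
    results = (classify(json.loads(line)) for line in log_lines)
    return [r for r in results if r]

# Constructed sample telemetry (JSON lines), not data from a real incident
ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive"
SAMPLE_LOG = [json.dumps(e) for e in [
    {"type": "image_load", "process": ONEDRIVE + r"\OneDriveStandaloneUpdater.exe",
     "image": r"C:\Windows\System32\winhttp.dll"},                 # benign
    {"type": "image_load", "process": ONEDRIVE + r"\OneDriveStandaloneUpdater.exe",
     "image": ONEDRIVE + r"\winhttp.dll"},                         # sideload
    {"type": "process_create", "process": r"C:\Windows\System32\tar.exe",
     "command_line": "tar.exe -xf " + ONEDRIVE + r"\pack.zip"},
    {"type": "network_connect", "process": ONEDRIVE + r"\OneDriveStandaloneUpdater.exe",
     "dest_ip": "38.180.25.3"},
    {"type": "network_connect", "process": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "192.0.2.10"},                                     # benign
]]
```

Running hunt(SAMPLE_LOG) yields three findings (the sideload, the tar.exe extraction and the C2 connection) while the two benign events produce none.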

These campaigns underscore the critical need for layered defenses against social engineering and living-off-the-land tactics. 

With Black Basta potentially dissolving post-leak and Cactus rising, organizations must prioritize Zero Trust policies and behavior-driven employee training. 


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.