Full Report
Cybersecurity researchers have disclosed details of a new BackConnect (BC) malware that has been developed by threat actors linked to the infamous QakBot loader. "BackConnect is a common feature or module utilized by threat actors to maintain persistence and perform tasks," Walmart's Cyber Intelligence team told The Hacker News. "The BackConnect(s) in use were 'DarkVNC' alongside the IcedID
Analysis Summary
# Tool/Technique: BackConnect (BC) Malware Module
## Overview
BackConnect (BC) is described as a common feature or module utilized by threat actors, notably those linked to the QakBot loader, to maintain persistence and perform various tasks. In the context described, it functions as a standalone backdoor using the BackConnect mechanism to provide threat actors with hands-on-keyboard access and system information gathering capabilities.
## Technical Details
- Type: Malware Module/Backdoor
- Platform: Not explicitly stated, but context implies Windows environments targeted by QakBot/ZLoader/IcedID.
- Capabilities: Remote access (hands-on-keyboard control), system information gathering, and use of the infected host as a proxy. Specific BC implementations mentioned are 'DarkVNC' and 'KeyHole' (associated with IcedID).
- First Seen: Context implies recent development or enhancement of a pre-existing QakBot feature.
## MITRE ATT&CK Mapping
The core functionality revolves around establishing remote interactive access, gathering host information, and proxying traffic. The mapping below is inferred from the capabilities described in the summary; the source does not publish its own ATT&CK mapping.
- [TA0011 - Command and Control]
- [T1071 - Application Layer Protocol] (implied, as C2 is carried over the BC channel)
- [T1090 - Proxy] (the module lets the infected host be used as a proxy)
- [TA0008 - Lateral Movement]
- [T1021.005 - Remote Services: VNC] (the embedded VNC component used for hands-on-keyboard access)
- [TA0007 - Discovery]
- [T1082 - System Information Discovery] (the system information gathering capability)
- [TA0003 - Persistence]
- [T1543 - Create or Modify System Process] (a common persistence mechanism for this loader ecosystem; not confirmed for the BC module itself)
- [TA0010 - Exfiltration]
- [T1041 - Exfiltration Over C2 Channel] (collected system information is returned to the operator over the BC channel)
## Functionality
### Core Capabilities
- **Remote Access:** Provides threat actors with "hands on keyboard access" to the compromised system.
- **System Information Gathering:** The module is enhanced to collect system details, acting as an autonomous program to facilitate follow-on exploitation.
- **Proxy Functionality:** An inherent capability of the BC module is allowing the host to be used as a proxy.
### Advanced Features
- **VNC Component:** The module embeds a Virtual Network Computing (VNC) component to facilitate remote desktop access. Specific BC implementations mentioned are 'DarkVNC' and 'KeyHole'.
- **Standalone Backdoor:** Described as a backdoor utilizing BC as the medium for access.
## Indicators of Compromise
(The article does not provide specific IOCs like hashes or C2 addresses for the *BackConnect module itself*, but it references related malware families.)
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not provided]
- Network Indicators: [Not provided. Note that a BackConnect module dials out from the infected host to operator infrastructure, so the observable is an outbound connection, not an inbound VNC listener.]
- Behavioral Indicators: An unexpected process holding a long-lived outbound connection over which an external party obtains interactive (VNC) control; system information enumeration by that process; the host relaying connections to third-party destinations (proxy use).
## Associated Threat Actors
- Threat actors linked to **QakBot loader**.
- Threat cluster tracked as **STAC5777** (Sophos).
- **Storm-1811** (Linked to STAC5777, utilizing Quick Assist for Black Basta deployment).
- Threat group **STAC5143** (Possible ties to FIN7, also using social engineering for remote access).
- Operators deploying **Black Basta ransomware** (as QakBot was previously used as a delivery mechanism for this ransomware).
## Detection Methods
(General methods based on the malware type; specific signatures for this BC variant were not published in the summary.)
- Signature-based detection: Signatures for known string patterns or file markers associated with QakBot/IcedID plugins, where available.
- Behavioral detection: Monitoring for unexpected processes (script hosts, rundll32/regsvr32, binaries in user-writable paths) establishing long-lived outbound connections, for outbound traffic on VNC ports, for a single endpoint process fanning out to many distinct external destinations (proxy use), and for system enumeration executed by such processes. Because BackConnect is outbound by design, watch egress telemetry rather than inbound VNC listeners.
- YARA rules: [Not provided]
## Mitigation Strategies
- **Harden Remote Access Tools:** Review configurations for legitimate tools like Quick Assist and Teams so that unsolicited external parties cannot initiate sessions with users (the initial-access path used by the associated actors).
- **Limit Lateral Movement/Proxy Use:** Monitor internal and egress network traffic for endpoints relaying connections on behalf of an external party, and restrict workstation egress to what their role requires so a BC proxy has little to relay.
- **Defend Against Covert C2 Channels:** ZLoader, which shares infrastructure with the BC component, has been updated with DNS tunneling for C2. Where that infrastructure overlap is observed, make sure DNS monitoring and egress filtering cover tunneled C2 as well as the BC channel itself.
## Related Tools/Techniques
- **QakBot (QBot/Pinkslipbot):** Parent loader family.
- **IcedID:** Associated with the 'KeyHole' BackConnect variant.
- **ZLoader:** Malware sharing infrastructure with the BC component, recently updated with DNS tunneling C2.
- **Quick Assist / Microsoft Teams:** Used by associated threat actors (STAC5777/Storm-1811) for initial access delivery, sometimes leading to Python backdoors or Black Basta ransomware.