Full Report
Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS. "Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute
Analysis Summary
# Threat Actor: Affiliates linked to Black Basta transitioning to CACTUS
## Attribution & Identity
Researchers infer that affiliates previously associated with the **Black Basta** ransomware group may have transitioned to deploying the **CACTUS** ransomware strain. The evidence is the shared use of the same **BackConnect (BC) module** in both operations. One component of the BC module is tracked as **QBACKCONNECT** because of overlaps with the QakBot loader. Sophos tracks the associated activity cluster as **STAC5777**.
## Activity Summary
The primary finding indicates a convergence of tactics, suggesting a personnel shift:
* **Black Basta Activities:** Historically used email bombing to set up a pretext, then contacted targets while impersonating IT support or helpdesk staff and talked them into launching Quick Assist (a built-in Windows remote assistance tool) and granting remote access. With that access, the attackers sideloaded a malicious DLL loader (**REEDBED**, dropped as `winhttp.dll`) via the legitimate, signed `OneDriveStandaloneUpdater.exe`. Leaked chat logs also show the gang sharing valid credentials, potentially sourced from information stealer logs.
* **CACTUS Activities:** Observed using the same modus operandi, including deployment of the BackConnect module, as seen in Black Basta intrusions, and then using it for post-exploitation actions such as lateral movement and data exfiltration (one observed encryption attempt failed).
## Tactics, Techniques & Procedures
- Initial Access via **Remote Desktop Protocol (RDP) portals** and **VPN endpoints**.
- Social engineering involving **vishing** (voice phishing) combined with impersonation as IT support/helpdesk personnel.
- Use of **Quick Assist** as a tool following initial contact.
- **DLL Sideloading:** Using the legitimate `OneDriveStandaloneUpdater.exe` to load the malicious DLL loader named **REEDBED** (`winhttp.dll`).
- **Persistence/Remote Control:** Deployment of the **BackConnect (BC) module** (tracked as QBACKCONNECT) granting wide-ranging remote control capabilities.
- **Post-Exploitation:** Lateral movement and data exfiltration.
- **Objective:** Stealing sensitive data, including login credentials, financial information, and personal files.
## Targeting
- Sectors: Not explicitly detailed. The techniques (exposed RDP/VPN access, Quick Assist, sideloading through a OneDrive binary) imply Windows-based corporate environments rather than any one industry.
- Geography: Not specified in the provided text.
- Victims: Specific organizations are not mentioned, only the general observation of campaigns.
## Tools & Infrastructure
- **Ransomware:** Black Basta, CACTUS.
- **Remote Access/Module:** BackConnect (BC) module / QBACKCONNECT.
- **Loaders/DLLs:** REEDBED (a malicious DLL loader dropped under the name `winhttp.dll` so that it is picked up by the host executable).
- **Initial Access Tools:** Quick Assist, compromised credentials (sourced from information stealer logs).
- **Living-off-the-land binary:** Abuse of the legitimate, signed **OneDriveStandaloneUpdater.exe** as the DLL sideloading host.
- **Infrastructure:** Access obtained through exposed RDP portals and VPN endpoints.
## Implications
The shared use of the BackConnect module strongly suggests a migration or operational overlap between Black Basta affiliates and the CACTUS operation. Threat actors previously linked to Black Basta appear to be continuing their financially motivated activity under a new banner, possibly to preserve operational security or to distance themselves from the Black Basta name after the recent chat log leaks.
## Mitigations
- Harden RDP and VPN endpoints against brute-forcing and credential stuffing, and require multi-factor authentication on them, since the reported access relied on valid stolen credentials as well as social engineering.
- Enhance monitoring for post-initial-access TTPs, specifically:
  - Quick Assist sessions that were not initiated through the organization's own helpdesk workflow, and suspicious activity on the host immediately after such a session.
  - Sideloading of DLLs (e.g., `winhttp.dll`) from a directory other than the Windows system directories by legitimate signed executables such as `OneDriveStandaloneUpdater.exe`.
  - Threat hunting for the deployment and execution of the BackConnect (BC) module.
- Increased vigilance against vishing/social engineering campaigns in which callers impersonate IT support or helpdesk staff; train users to verify such calls through a known-good channel before granting remote access.
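The sideloading detection above can be expressed as a simple rule over image-load telemetry. The following is an added example written for this page, not code from the original report or from Trend Micro or Sophos: it scans constructed Sysmon Event ID 7 (ImageLoad) records and flags `winhttp.dll` being loaded by `OneDriveStandaloneUpdater.exe` from anywhere other than the Windows system directories. The JSON field names (`Image`, `ImageLoaded`, `Signed`, `Signature`) follow Sysmon's event schema; that your pipeline exports them under those names is an assumption, as is the small host/DLL pair table, which you would extend with other known sideload pairs in your environment.

```python
"""Hunt for the OneDriveStandaloneUpdater.exe / winhttp.dll sideload in
Sysmon-style ImageLoad (Event ID 7) telemetry.

Added example for this page; not the report's or any vendor's code.
The events below are constructed for illustration and are not real telemetry.
"""
from pathlib import PureWindowsPath

# Where a genuine winhttp.dll lives on 64-bit Windows. Windows resolves a DLL
# from the executable's own directory before these, which is exactly the
# primitive the REEDBED sideload relies on, so the decisive signal is the DLL's
# directory, not the host executable's.
TRUSTED_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Host executable -> DLL names it is known to sideload (assumption: only the
# pair named in the report is listed here; add others from your own hunting).
SIDELOAD_PAIRS = {
    "onedrivestandaloneupdater.exe": {"winhttp.dll"},
}

# Constructed Sysmon Event ID 7 records (field names per Sysmon's schema).
EVENTS = [
    # Benign: the real updater loading the real winhttp.dll from System32.
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Suspicious: a copy of the updater dropped in Temp loading an unsigned
    # winhttp.dll that sits beside it (the sideload pattern).
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\winhttp.dll",
     "Signed": "false", "Signature": ""},
    # Unrelated load by another program; not in the pair table.
    {"EventID": 7,
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll",
     "Signed": "true", "Signature": "Igor Pavlov"},
]


def is_sideload(event):
    """Return a short reason if the event matches a known sideload pair loaded
    from an untrusted directory, otherwise None."""
    if event.get("EventID") != 7:
        return None
    host = PureWindowsPath(event["Image"]).name.lower()
    dll_path = PureWindowsPath(event["ImageLoaded"])
    dll_name = dll_path.name.lower()
    dll_dir = str(dll_path.parent).lower()

    if dll_name not in SIDELOAD_PAIRS.get(host, set()):
        return None
    if dll_dir in TRUSTED_DLL_DIRS:
        return None  # loaded from the system directory: expected behaviour

    signed = event.get("Signed", "").lower() == "true"
    return (f"{host} loaded {dll_name} from {dll_dir} "
            f"({'signed by ' + event.get('Signature', '?') if signed else 'unsigned'})")


def hunt(events):
    """Return (host image, dll path, reason) for every matching event."""
    hits = []
    for ev in events:
        reason = is_sideload(ev)
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for image, dll, reason in hunt(EVENTS):
        print(f"[SIDELOAD] {reason}")
```

Because the rule keys on the DLL's directory rather than the executable's, it still fires when the attacker drops the malicious `winhttp.dll` next to the user's real OneDrive updater in `%LOCALAPPDATA%`. The practical caveat is telemetry coverage: many Sysmon configurations filter Event ID 7 heavily to control volume, so confirm that image loads for `OneDriveStandaloneUpdater.exe` (and any other hosts in the pair table) are actually being recorded before relying on this hunt.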