Security researchers at Trend Micro have uncovered a campaign that combines social engineering with legitimate remote access tools. The attack delivers the BackConnect malware, a backdoor that gives the operators persistent remote control over compromised machines and lets them steal credentials and other sensitive data.
Since October 2024, Trend Micro Threat Intelligence has tracked a series of related incidents, most of them in North America, where 21 breaches were reported. The United States accounted for the largest share with 17 incidents, followed by Canada and the UK with five each; Europe as a whole recorded 18 incidents linked to the campaign.
The attackers gain initial access through social engineering: they contact victims over Microsoft Teams while impersonating IT support staff, trick them into handing over credentials, and talk them into granting hands-on remote access through Windows remote assistance tools such as Quick Assist. Once on the machine, they abuse a legitimate, signed OneDrive update binary, OneDriveStandaloneUpdater.exe, to side-load malicious DLLs, which gives them code execution under a trusted process name and a foothold inside the network.
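The side-loading step described above can be caught at the endpoint by looking at which DLLs a trusted binary actually loads and from where. The following script is an added example written for this article, not code from Trend Micro or from the campaign; it scans records shaped like Sysmon Event ID 7 (ImageLoaded) and flags a side-load-prone executable such as OneDriveStandaloneUpdater.exe when it runs outside its install directory, loads a DLL from an untrusted path, or loads a DLL that is unsigned or not signed by Microsoft. The install directories, the trusted system directories and the three sample events (including the DLL name winhttp.dll) are constructed assumptions for illustration.

```python
"""Flag DLL side-loading through trusted signed binaries.

Added example; not Trend Micro's code. The records below are constructed to
look like Sysmon Event ID 7 (ImageLoaded) fields after log parsing.
"""
import ntpath

# Binaries known to be abused for side-loading, mapped to the directories a
# legitimately installed copy lives in. Assumption for illustration.
SIDELOAD_PRONE = {
    "onedrivestandaloneupdater.exe": (
        r"c:\program files\microsoft onedrive",
        r"c:\program files (x86)\microsoft onedrive",
    ),
}

# System directories from which loading a Microsoft-signed DLL is expected.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)


def _norm(path):
    """Normalise a Windows path for comparison; ntpath works on any host OS."""
    return ntpath.normpath(path).lower()


def _under(path, roots):
    """True if `path` equals or is inside any of `roots`."""
    roots = [_norm(r) for r in roots]
    return any(path == r or path.startswith(r + "\\") for r in roots)


def analyze_image_load(event):
    """Return a list of reasons this image-load event looks like side-loading.

    Expected keys: Image (loading process), ImageLoaded (DLL path),
    Signed ('true'/'false'), Signature (signer name), SignatureStatus.
    """
    reasons = []
    image = _norm(event["Image"])
    exe = ntpath.basename(image)
    if exe not in SIDELOAD_PRONE:
        return reasons  # not a binary we watch for side-loading
    dll = _norm(event["ImageLoaded"])
    dll_dir = ntpath.dirname(dll)
    expected_dirs = SIDELOAD_PRONE[exe]

    # 1. The host executable was copied out of its install directory.
    if not _under(ntpath.dirname(image), expected_dirs):
        reasons.append(f"{exe} running from unexpected directory {ntpath.dirname(image)}")
    # 2. The DLL comes from neither the install directory nor a system directory.
    if not _under(dll_dir, expected_dirs) and not _under(dll_dir, TRUSTED_DLL_DIRS):
        reasons.append(f"DLL {dll} loaded from untrusted directory")
    # 3. The DLL is unsigned, has an invalid signature, or a non-Microsoft signer.
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        reasons.append(f"DLL {dll} is unsigned or has an invalid signature")
    elif "microsoft" not in event.get("Signature", "").lower():
        reasons.append(f"DLL {dll} signed by non-Microsoft publisher {event.get('Signature')}")
    return reasons


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the real updater loading a Microsoft-signed system DLL.
    {"Image": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Suspicious: a copy of the updater dropped in a user-writable directory
    # loading an unsigned DLL placed next to it.
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\winhttp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Unrelated process; ignored by the detector.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def scan(events):
    """Return {event_index: reasons} for every event that looks like side-loading."""
    return {i: r for i, e in enumerate(events) if (r := analyze_image_load(e))}


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {i}:")
        for r in reasons:
            print("  -", r)
```

Only the second constructed event is reported, with all three reasons. In practice the same three checks translate directly into a SIEM rule: a watched binary outside its install path, a DLL outside the install or system directories, and a missing or non-Microsoft signature, each of which is a strong signal on its own and together are close to conclusive.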
The attackers then deploy the BackConnect malware to keep control of the infected systems. They host the malicious files on commercial cloud storage services, taking advantage of misconfigured or publicly accessible storage buckets, so that downloads blend in with ordinary traffic to trusted domains. Researchers have linked BackConnect to QakBot, the loader whose infrastructure was dismantled in the 2023 law-enforcement action "Operation Duckhunt".
Recent analysis by Trend Micro documented cases in which Black Basta and Cactus ransomware affiliates deployed the BackConnect malware. It gives them remote command execution, credential theft and exfiltration of financial data. Black Basta alone extorted an estimated $107 million from victims in 2023, with manufacturing the most targeted sector, followed by financial services and real estate.
The attackers also used tools such as WinSCP to move data within compromised environments. They downloaded malicious files from cloud storage providers, repackaged them, and exploited system vulnerabilities to deploy them. Leaked internal chats from Black Basta suggest that its members are migrating to Cactus ransomware, so the threat is expected to continue through 2025.
To counter these threats, organizations are advised to enforce multi-factor authentication, permit remote access tools such as Quick Assist only where they are genuinely needed, regularly audit cloud storage configurations for unintended public access, monitor network traffic for unexpected outbound connections, and train employees to recognize social engineering such as IT-support impersonation over Teams.
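The advice to audit cloud storage configurations follows directly from the earlier observation that the attackers staged their payloads in misconfigured or publicly accessible buckets. The following script is an added example for this article, not code from Trend Micro; it evaluates an S3-style bucket policy, bucket ACL and Public Access Block settings offline and reports whether the bucket is reachable by anyone, then contrasts a weak configuration with a corrected one. The two bucket configurations, the bucket name example-staging and the role ARN with the placeholder account 123456789012 are constructed assumptions.

```python
"""Offline audit of cloud storage bucket configuration for public access.

Added example, not from the Trend Micro report. Takes AWS S3-shaped documents
(bucket policy, ACL, Public Access Block) already fetched from the API and
reports whether anyone on the internet can reach the bucket.
"""
import json

# ACL group URIs that mean "everyone" or "any AWS account".
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principals(principal):
    """Flatten a policy Principal element ("*", {"AWS": [...]}, ...) to strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for v in principal.values():
            out.extend(_as_list(v))
        return out
    return [principal]


def public_policy_statements(policy):
    """Return Allow statements whose Principal is everyone, noting any Condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        # A Condition (aws:SourceVpce, aws:SourceArn, ...) may still scope the
        # grant, so it is flagged for review rather than counted as open.
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def public_acl_grants(acl):
    """Return ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    return [
        {"uri": g["Grantee"]["URI"], "permission": g["Permission"]}
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_URIS
    ]


def audit_bucket(policy, acl, public_access_block):
    """Combine policy, ACL and Public Access Block findings into one report."""
    pab_complete = all(public_access_block.get(k) for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))
    return {
        "public_policy": public_policy_statements(policy),
        "public_acl": public_acl_grants(acl),
        "public_access_block_complete": pab_complete,
    }


def is_exposed(report):
    """True when an unconditioned public grant exists and nothing overrides it.

    With all four Public Access Block flags on, public ACLs are ignored and
    public policies are blocked, so the bucket is not reachable anonymously.
    """
    if report["public_access_block_complete"]:
        return False
    unconditioned = any(not f["conditioned"] for f in report["public_policy"])
    return unconditioned or bool(report["public_acl"])


# Constructed weak configuration: a staging bucket anyone can list and read.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "StagingReadAll",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-staging", "arn:aws:s3:::example-staging/*"]
  }]
}""")
WEAK_ACL = {"Grants": [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Corrected configuration: one named role may read, and all block flags are on.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CiReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deploy"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-staging/*"}]}
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                            "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {k: True for k in WEAK_PAB}

if __name__ == "__main__":
    weak = audit_bucket(WEAK_POLICY, WEAK_ACL, WEAK_PAB)
    print(json.dumps(weak, indent=2))
    print("weak exposed:", is_exposed(weak))
    print("hardened exposed:", is_exposed(audit_bucket(HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB)))
```

The weak configuration is reported as exposed on two independent counts, the wildcard Principal in the policy and the AllUsers ACL grant; the corrected one is not. Turning on the Public Access Block alone already closes the hole even if the old policy is left in place, which is why the audit treats that setting as an override.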
As ransomware tactics become more sophisticated, cybersecurity teams must remain vigilant and proactive in their defense strategies. Continuous monitoring and prevention measures are crucial in thwarting cyber-attacks that exploit social engineering tactics and legitimate tools for malicious purposes.