Attackers associated with the disrupted QakBot, or QBot, malware operation have crafted a novel BackConnect payload integrated with system data exfiltration capabilities to facilitate further compromise, according to The Hacker News.
The BC backdoor, which runs as a standalone program, shares features not only with older QBot samples but also with IcedID's KeyHole BC and DarkVNC, and was discovered within ZLoader-distributing infrastructure, according to a report from Walmart's Cyber Intelligence team. "In this case, the malware we talk about is a standalone backdoor utilizing BackConnect as a medium to allow a threat actor to have hands-on keyboard access. This distinction is further pronounced by the fact that this backdoor collects system information," said Walmart. Walmart's findings come after Sophos linked the backdoor to the newly emergent ransomware operation STAC5777, which, along with another nascent group, STAC5143, exploited Microsoft 365 and default Microsoft Teams configurations to enable deployment of a Python backdoor and Black Basta ransomware.