Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

Black Basta and Cactus ransomware groups are now using BackConnect malware to maintain control of compromised systems and exfiltrate sensitive data. Attackers utilize social engineering, particularly via Microsoft Teams and remote access tools, to gain initial access. They abuse legitimate software like OneDrive to sideload malicious DLLs, allowing for persistent control. The BackConnect malware shows links to QakBot and has been associated with numerous breaches, mainly in North America. Organizations should restrict remote access tools, train employees on social engineering, and implement security best practices to mitigate risks associated with such attacks.

https://www.trendmicro.com/de_de/research/25/b/black-basta-cactus-ransomware-backconnect.html
