#backconnect — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #backconnect, aggregated by home.social.
-
Happy Monday everyone!
Today's #readoftheday is brought to you by Trend Micro and they share their findings related to #BlackBasta and #CactusRansomware adding a piece of malware known as #BackConnect to their toolbox.
The report states "The BackConnect malware is a tool that cybercriminals use to establish and maintain persistent control over compromised systems. Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine. This enables them to steal sensitive data, such as login credentials, financial information, and personal files."
Behaviors (MITRE ATT&CK):
Initial Access - TA0001:
Phishing: Spearphishing Voice - T1566.004 - The attackers conducted an email bombing campaign, then contacted the victim posing as "IT Support" or "HelpDesk".
Command and Control - TA0011:
Remote Access Software - T1219 -
The attackers used QuickAssist to access the victim's environment once they were successfully socially engineered.
Lateral Movement - TA0008:
Remote Services: SMB/ Windows Admin Shares - T1021.002 -
Remote Services: Windows Remote Management - T1021.006
The attackers leveraged both SMB shared folders and WinRM for lateral movement.
Go check out the rest of the technical details! Enjoy and Happy Hunting!
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html?&web_view=true
Intel 471 Cyborg Security, Now Part of Intel 471
#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting
-
CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.
#Lumma #GootLoader #AgentTesla #RURAT #Remcos #RedLine #BackConnect
-
Here’s what CapLoader’s Alerts tab looks like after loading 2023-10-16-IcedID-infection.pcap from @malware_traffic. The malicious protocol alerts for GzipLoader, #BackConnect and #IcedID over TLS are obvious indicators of IcedID. But what about the periodic connections made every 5 minutes?
https://netresec.com/?b=23B6bcd
-
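A worked check for the "periodic connections every 5 minutes" question in the post above, added here as an example; it is not code from the post, from CapLoader or from Netresec. It takes a constructed list of flow records (timestamp, source, destination, port, with documentation-range placeholder addresses) in place of flows exported from the PCAP, and flags destination tuples whose inter-arrival gaps stay regular within a jitter tolerance, which is the usual first pass for spotting beaconing before looking at payloads.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flows standing in for a PCAP/CapLoader flow export:
# (timestamp, src_ip, dst_ip, dst_port). The addresses are documentation-range
# placeholders, not indicators from any real infection.
T0 = 1697472000
SAMPLE_FLOWS = [
    # host beaconing to a made-up C2 roughly every 5 minutes, with jitter
    (T0,        "10.0.0.5", "203.0.113.5", 443),
    (T0 + 300,  "10.0.0.5", "203.0.113.5", 443),
    (T0 + 595,  "10.0.0.5", "203.0.113.5", 443),
    (T0 + 903,  "10.0.0.5", "203.0.113.5", 443),
    (T0 + 1204, "10.0.0.5", "203.0.113.5", 443),
    (T0 + 1494, "10.0.0.5", "203.0.113.5", 443),
    (T0 + 1804, "10.0.0.5", "203.0.113.5", 443),
    (T0 + 2103, "10.0.0.5", "203.0.113.5", 443),
    # same host fetching a web server at irregular intervals (benign noise)
    (T0 + 12,   "10.0.0.5", "198.51.100.7", 80),
    (T0 + 22,   "10.0.0.5", "198.51.100.7", 80),
    (T0 + 422,  "10.0.0.5", "198.51.100.7", 80),
    (T0 + 457,  "10.0.0.5", "198.51.100.7", 80),
    (T0 + 1657, "10.0.0.5", "198.51.100.7", 80),
    # too few flows to say anything about periodicity
    (T0 + 5,    "10.0.0.9", "203.0.113.5", 443),
    (T0 + 305,  "10.0.0.9", "203.0.113.5", 443),
]


def group_flows(flows):
    """Bucket flow timestamps by (src_ip, dst_ip, dst_port)."""
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        groups[(src, dst, port)].append(ts)
    return groups


def periodicity(timestamps, min_flows=4):
    """Return (median_gap_seconds, max_relative_jitter) for a list of
    timestamps, or None when there are too few flows or the gaps collapse
    to zero (e.g. duplicate timestamps)."""
    ts = sorted(timestamps)
    if len(ts) < min_flows:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = float(median(gaps))
    if med <= 0:
        return None
    # largest deviation of any gap from the median, relative to the median
    jitter = max(abs(g - med) for g in gaps) / med
    return med, jitter


def find_beacons(flows, min_flows=4, max_jitter=0.2):
    """Flag tuples whose inter-arrival gaps all lie within max_jitter of the
    median gap. Returns [((src, dst, port), median_gap_seconds, flow_count)]
    sorted for stable output."""
    hits = []
    for key, ts in group_flows(flows).items():
        p = periodicity(ts, min_flows)
        if p is not None and p[1] <= max_jitter:
            hits.append((key, round(p[0], 1), len(ts)))
    return sorted(hits)


if __name__ == "__main__":
    for (src, dst, port), gap, n in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} every ~{gap}s ({n} flows)")
```

On the constructed input only the 5-minute tuple is reported. The jitter threshold is the knob to tune: a bot that is told to sleep a fixed number of seconds shows up with a tight spread, while real browsing fails the check on the first long gap. Known periodic services (NTP, update checks, mail polling) will also match and need to be excluded by destination before the output is worth chasing.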
Quick #malware analysis: #ICEDID variant with #BACKCONNECT, #ANUBIS #VNC, #COBALTSTRIKE & #SCREENCONNECT pcap from 2023-10-18
Thanks to
@malware_traffic
for sharing this #pcap!
More details:
https://blog.securityonion.net/2023/11/quick-malware-analysis-icedid-variant.html
-
Here's the decrypted #IcedID #BackConnect traffic from @malware_traffic latest #PCAP. It was just a bunch of "SLEEP 60 seconds" commands this time 😞
-
Attacker launches #BackConnect C2 on #IcedID infected machine and starts a reverse VNC session. The VNC session is used to download #CobaltStrike binary http64.exe from 85.209.11.48 and save it as “http.exe”. Cobalt Strike beacon is then executed from the command line.
For more details and the original #pcap file, see @malware_traffic’s toot here:
https://infosec.exchange/@malware_traffic/111267554603030001
-
This #IcedID #BackConnect C2 server keeps telling the bot to sleep for 60 seconds. This goes on for 3 hours. No reverse shell, no VNC, no file manager 😿
HELLO #TA577, IT’S TIME TO WAKE UP!!
-
NetworkMiner 2.8.1 released today! It now extracts:
🖥️ #VNC desktop graphics
🐀 #njRAT transfers and screenshots
🧊 #IcedID reverse VNC graphics
⌨️ #IcedID reverse VNC keylog
📂 #BackConnect file uploads
https://netresec.com/?b=23A41e6
-
@malware_traffic So they're (XOR?) encrypting the #BackConnect C2 traffic now?
-
#BazarLoader / #BazarBackdoor also uses the BackConnect protocol to deploy reverse VNC. This screenshot is from @malware_traffic's 2021-11-05 Bazar PCAP. The #BackConnect server was running on 87.120.8.190:9090
-
Bonjour #IcedID #BackConnect!
We've spotted a new C2 server being set up on:
5.196.196.252 (🇫🇷)
Expect to see this IP in infection chains in the coming days / hours.
#Recon 👀
cc @netresec