QakBot, a notorious malware originally designed as a banking trojan, has evolved into a sophisticated threat. Researchers have revealed a new BackConnect (BC) malware linked to QakBot, equipped with enhanced capabilities for remote access and data gathering. This development highlights the persistence of QakBot-associated threat actors, despite previous law enforcement takedowns.
The BC malware, which includes components like “DarkVNC” and “KeyHole,” was identified on infrastructure associated with distributing other malware, such as ZLoader. Reports indicate that ZLoader has been updated with a Domain Name System (DNS) tunnel to improve command-and-control (C2) communications. These interconnected tools underscore a growing cybercrime ecosystem where malware developers collaborate on new methods to exploit targets.
The enhanced BC module provides attackers with advanced tools for persistence and system exploitation. Notably, it enables remote access through an embedded VNC component and acts as a proxy, allowing direct interaction with compromised systems. In addition to these features, the malware collects system data to facilitate further exploitation.
Researchers have linked this BC malware to a threat cluster known as STAC5777, which overlaps with Storm-1811. This group is infamous for using social engineering tactics, such as email bombing and phishing via Microsoft Teams, to gain remote access to victims’ devices. These attacks often lead to deploying backdoors, ransomware, or other malicious tools.
The collaboration between QakBot developers and other cybercriminal groups, such as those behind Black Basta ransomware, reveals a coordinated effort to refine malware and expand attack capabilities. Reports suggest that these groups exploit features in Microsoft Teams and Office 365 to deceive users and infiltrate systems.
Preventing the Threat
To mitigate these risks, organizations must strengthen endpoint protection and monitor for unusual network activity, including anomalous DNS traffic. Regularly updating software, using strong passwords, and training employees to recognize phishing attempts are essential. Additionally, securing remote collaboration tools, like Microsoft Teams, by restricting external access can reduce the attack surface.
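One concrete form the "monitor for unusual network activity" advice can take, aimed at the DNS-tunnel C2 channel mentioned above: an added example, not code from the original article or from any of the reports it summarises. It scores resolver log entries by subdomain label length, character entropy and per-client query volume; the log lines, the `c2-placeholder.test` domain and the thresholds are all constructed for the illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log as (client_ip, queried_name) pairs; not real traffic.
# The *.c2-placeholder.test names stand in for a tunnelling domain: each carries a
# 33-character encoded label of the kind a DNS C2 channel uses to move data.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "static-content-delivery-node-01.example.com"),  # long but readable
    ("10.0.0.7", "3q7zk9x2mv8pq1w4r6ty0lan5sd2fg8hj.c2-placeholder.test"),
    ("10.0.0.7", "9f2hd7kq3pl1mx6vc8zt4rb0ns5wy2ej1.c2-placeholder.test"),
    ("10.0.0.7", "k1m4p8xz3qv7rt2ys6nd0fb5hc9lj2gw4.c2-placeholder.test"),
    ("10.0.0.7", "p7r2t9yw4lk1nz6mx3qv8bd0sc5fh2gj9.c2-placeholder.test"),
    ("10.0.0.7", "z2x6c9vb3nm7ql1kp4wr8ty0sd5fg2hj7.c2-placeholder.test"),
    ("10.0.0.7", "t5y8u2io6pq1ws4ed7rf0gt3hy9jk2lz6.c2-placeholder.test"),
]

def shannon_entropy(text):
    """Bits per character; encoded payload labels score high, dictionary words low."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    """Naive registrable domain (last two labels); use a public-suffix list in production."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def is_suspicious_name(name, min_label_len=25, min_entropy=4.0):
    """True when any label below the registered domain is both long and high-entropy."""
    labels = name.rstrip(".").lower().split(".")[:-2]
    return any(len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy for lab in labels)

def find_tunnel_candidates(queries, min_suspicious=5):
    """Flag (client, registered domain) pairs that repeatedly send long high-entropy labels."""
    stats = defaultdict(lambda: {"total": 0, "suspicious": 0})
    for client, name in queries:
        key = (client, registered_domain(name))
        stats[key]["total"] += 1
        stats[key]["suspicious"] += is_suspicious_name(name)  # bool counts as 0/1
    hits = [{"client": c, "domain": d, **v} for (c, d), v in stats.items()
            if v["suspicious"] >= min_suspicious]
    return sorted(hits, key=lambda h: -h["suspicious"])

if __name__ == "__main__":
    for hit in find_tunnel_candidates(SAMPLE_QUERIES):
        print(f"{hit['client']} -> {hit['domain']}: {hit['suspicious']}/{hit['total']} suspicious")
```

The volume threshold is what keeps a single long hostname from raising an alert; a tunnel has to send many queries to move any data, so the repeated pattern per client and domain is the signal.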