Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

    Date: 03/04/2025

    Severity: Critical

    Summary

Trend Micro researchers observed the Black Basta and Cactus ransomware groups deploying BackConnect (BC) malware, a remote-access component linked to QakBot that gives the operators persistent control over compromised machines. Initial access relied on social engineering over Microsoft Teams, where the attackers posed as IT support and talked victims into granting remote control through Microsoft Quick Assist. From there they abused the legitimate OneDriveStandaloneUpdater.exe binary to side-load a malicious DLL, escalated privileges, used WinSCP during the intrusion, and staged malicious files in misconfigured cloud storage (the Amazon S3 buckets listed under the IOCs below). Victims were primarily observed in North America and Europe, with the United States the hardest hit.

    Indicators of Compromise (IOC) List

    URL/Domain

    pumpkinrab.com

    https://sfu11.s3.us-east-2.amazonaws.com/js/kb052117-01.bpx  

    https://sfu11.s3.us-east-2.amazonaws.com/js/kb052123-02.bpx  

    https://filters14.s3.us-east-2.amazonaws.com/

    IP Address

    38.180.25.3

    45.8.157.199

    5.181.3.164

    185.190.251.16

    207.90.238.52

    89.185.80.86

    5.181.159.48

    45.128.149.32

    207.90.238.46

    45.8.157.158

    195.123.233.19

    178.236.247.173

    195.123.241.24

    20.187.1.254

    5.78.41.255

    38.180.192.243

    89.185.80.251

    91.90.195.91

    45.8.157.162

    20.82.136.218

    45.8.157.146

    195.123.233.148

    195.211.96.135

    38.180.135.232

    Hash

    b79c8b7fabb650bcae274b71ee741f4d2d14a626345283a268c902f43edb64fd
    
    60bca9f0134b9499751f6a5b754a9a9eff0b44d545387fffc151b5070bd3a26a
    
    623a43b826f95dc109f7b46303c6566298522b824e86a928834f12ac7887e952

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "pumpkinrab.com" or url like "pumpkinrab.com" or userdomainname like "https://sfu11.s3.us-east-2.amazonaws.com/js/kb052117-01.bpx" or url like "https://sfu11.s3.us-east-2.amazonaws.com/js/kb052117-01.bpx" or userdomainname like "https://sfu11.s3.us-east-2.amazonaws.com/js/kb052123-02.bpx" or url like "https://sfu11.s3.us-east-2.amazonaws.com/js/kb052123-02.bpx" or userdomainname like "https://filters14.s3.us-east-2.amazonaws.com/" or url like "https://filters14.s3.us-east-2.amazonaws.com/" 

    Detection Query 2

dstipaddress IN ("5.78.41.255","178.236.247.173","45.8.157.146","38.180.135.232","185.190.251.16","20.82.136.218","45.8.157.158","38.180.25.3","89.185.80.86","89.185.80.251","195.123.233.148","207.90.238.52","195.211.96.135","5.181.3.164","207.90.238.46","38.180.192.243","195.123.233.19","45.8.157.199","5.181.159.48","45.128.149.32","195.123.241.24","20.187.1.254","91.90.195.91","45.8.157.162") or ipaddress IN ("5.78.41.255","178.236.247.173","45.8.157.146","38.180.135.232","185.190.251.16","20.82.136.218","45.8.157.158","38.180.25.3","89.185.80.86","89.185.80.251","195.123.233.148","207.90.238.52","195.211.96.135","5.181.3.164","207.90.238.46","38.180.192.243","195.123.233.19","45.8.157.199","5.181.159.48","45.128.149.32","195.123.241.24","20.187.1.254","91.90.195.91","45.8.157.162") or publicipaddress IN ("5.78.41.255","178.236.247.173","45.8.157.146","38.180.135.232","185.190.251.16","20.82.136.218","45.8.157.158","38.180.25.3","89.185.80.86","89.185.80.251","195.123.233.148","207.90.238.52","195.211.96.135","5.181.3.164","207.90.238.46","38.180.192.243","195.123.233.19","45.8.157.199","5.181.159.48","45.128.149.32","195.123.241.24","20.187.1.254","91.90.195.91","45.8.157.162") or srcipaddress IN ("5.78.41.255","178.236.247.173","45.8.157.146","38.180.135.232","185.190.251.16","20.82.136.218","45.8.157.158","38.180.25.3","89.185.80.86","89.185.80.251","195.123.233.148","207.90.238.52","195.211.96.135","5.181.3.164","207.90.238.46","38.180.192.243","195.123.233.19","45.8.157.199","5.181.159.48","45.128.149.32","195.123.241.24","20.187.1.254","91.90.195.91","45.8.157.162")

    Detection Query 3

    sha256hash IN ("b79c8b7fabb650bcae274b71ee741f4d2d14a626345283a268c902f43edb64fd","60bca9f0134b9499751f6a5b754a9a9eff0b44d545387fffc151b5070bd3a26a","623a43b826f95dc109f7b46303c6566298522b824e86a928834f12ac7887e952")
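For teams that do not run the Gurucul platform, the same three queries can be reproduced in a few lines of Python. The script below is an added example, not Gurucul's or Trend Micro's code: it loads the IOCs from this advisory, de-duplicates the IP list (the page repeats several addresses), and checks a handful of constructed sample events against them. The event field names (url, src_ip, dst_ip, sha256) are assumptions chosen for illustration, and the decision to also match on the URL's hostname is the example's own: because the bucket name is part of the S3 hostname, a fetch from sfu11.s3.us-east-2.amazonaws.com with a different object path is still worth flagging, which an exact-URL match would miss.

```python
"""IOC matcher for the Black Basta / Cactus BackConnect advisory.

Added example, not Gurucul's or Trend Micro's code. Event field names
(url, src_ip, dst_ip, sha256) are assumptions for illustration.
"""
from urllib.parse import urlparse

# IOCs copied from the advisory above.
IOC_URLS = [
    "https://sfu11.s3.us-east-2.amazonaws.com/js/kb052117-01.bpx",
    "https://sfu11.s3.us-east-2.amazonaws.com/js/kb052123-02.bpx",
    "https://filters14.s3.us-east-2.amazonaws.com/",
]
IOC_DOMAINS = ["pumpkinrab.com"]
# IP addresses exactly as listed in the advisory, repeats included.
IOC_IPS_RAW = [
    "38.180.25.3", "45.8.157.199", "5.181.3.164", "185.190.251.16",
    "207.90.238.52", "89.185.80.86", "5.181.159.48", "45.128.149.32",
    "207.90.238.46", "45.8.157.158", "195.123.233.19", "178.236.247.173",
    "195.123.241.24", "20.187.1.254", "5.78.41.255", "38.180.192.243",
    "207.90.238.52", "89.185.80.251", "91.90.195.91", "45.8.157.162",
    "20.82.136.218", "45.8.157.146", "5.181.3.164", "195.123.233.148",
    "45.8.157.199", "89.185.80.86", "195.211.96.135", "38.180.25.3",
    "38.180.135.232", "185.190.251.16",
]
IOC_SHA256 = [
    "b79c8b7fabb650bcae274b71ee741f4d2d14a626345283a268c902f43edb64fd",
    "60bca9f0134b9499751f6a5b754a9a9eff0b44d545387fffc151b5070bd3a26a",
    "623a43b826f95dc109f7b46303c6566298522b824e86a928834f12ac7887e952",
]


def dedupe(items):
    """Return items with duplicates dropped, first-occurrence order kept."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


IOC_IPS = frozenset(dedupe(IOC_IPS_RAW))
IOC_URL_SET = frozenset(IOC_URLS)
# Hostname matching is this example's choice: the bucket name lives in the
# S3 hostname, so any object fetched from these buckets is suspect.
IOC_HOSTS = frozenset(IOC_DOMAINS + [urlparse(u).hostname for u in IOC_URLS])
IOC_HASH_SET = frozenset(h.lower() for h in IOC_SHA256)


def match_event(event):
    """Return a list of (field, ioc) pairs that fire for one event dict."""
    hits = []
    url = event.get("url")
    if url:
        if url in IOC_URL_SET:
            hits.append(("url", url))
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append(("host", host))
    for field in ("src_ip", "dst_ip"):
        ip = event.get(field)
        if ip in IOC_IPS:
            hits.append((field, ip))
    # Hashes are compared case-insensitively: EDR tools differ on casing.
    digest = (event.get("sha256") or "").lower()
    if digest in IOC_HASH_SET:
        hits.append(("sha256", digest))
    return hits


def scan(events):
    """Return {event index: hits} for every event with at least one hit."""
    results = {}
    for idx, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results[idx] = hits
    return results


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"url": IOC_URLS[0], "src_ip": "10.1.2.3"},                       # exact URL
    {"url": "https://sfu11.s3.us-east-2.amazonaws.com/js/other.bpx",
     "src_ip": "10.1.2.3"},                                            # same bucket, new path
    {"url": "http://pumpkinrab.com/update", "src_ip": "10.1.2.4"},     # C2 domain
    {"src_ip": "10.1.2.5", "dst_ip": "45.8.157.199"},                  # C2 IP
    {"sha256": IOC_SHA256[0].upper(), "path": "C:\\Users\\Public\\kb052117-01.bpx"},
    {"url": "https://example.com/", "src_ip": "10.1.2.6",
     "dst_ip": "10.0.0.5", "sha256": "0" * 64},                        # benign
]

if __name__ == "__main__":
    print(f"{len(IOC_IPS_RAW)} listed IPs, {len(IOC_IPS)} unique")
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Run against real proxy, firewall and EDR exports by replacing SAMPLE_EVENTS with parsed records that carry the same field names. Keep in mind that IP-based IOCs from commodity hosting ranges age quickly, so a hit on dst_ip alone is a lead to triage rather than a confirmed compromise, whereas a hash or bucket-URL hit is much stronger.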

    Reference: 

    https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html


    Tags

Black Basta, Cactus, Malware, Ransomware, QakBot, Social Engineering, North America, Europe
