
Attackers use Microsoft Teams and Quick Assist to gain access

A sophisticated cyber attack combining social engineering tactics with widely available remote access tools has been uncovered by Trend Micro security researchers.

The attack, which involves BackConnect malware, gives attackers persistent remote control over compromised machines and allows them to steal sensitive data.

According to Trend Micro Threat Intelligence, most of the incidents in October 2024 were concentrated in North America, with 21 recorded breaches. The US was the most affected, with 17 incidents, followed by Canada and the United Kingdom, each with five. Europe recorded 18 incidents in total.

How the attack works

Attackers first use social engineering techniques to gain initial access, tricking victims into handing over credentials. Microsoft Teams is abused for impersonation, while Quick Assist and similar remote access software help the attackers escalate privileges.

OneDriveStandaloneUpdater.exe, a legitimate OneDrive update tool, is used to load malicious DLLs, giving attackers access to the network.

The attackers then deploy BackConnect malware, which allows them to maintain control over infected systems. The malicious files are hosted and distributed using commercial cloud storage services, taking advantage of misconfigured or publicly accessible storage buckets.

Researchers linked the BackConnect malware to Qakbot, a loader that was the subject of a 2023 takedown known as “Operation Duck Hunt”.

Qakbot played a critical role in granting Black Basta ransomware actors access to target systems. Since its takedown, these threat actors have moved to alternative methods to keep their operations running.


Black Basta and Cactus ransomware connection

Trend Micro analysts recently examined cases in which Black Basta and Cactus ransomware actors deployed the same BackConnect malware.

This malware allows attackers to execute remote commands, steal credentials and exfiltrate financial data.

Black Basta alone extorted $107 million from victims in 2023, with manufacturing the hardest-hit sector, followed by financial services and real estate.

The attackers also used WinSCP, an open-source file transfer tool, to move data within compromised environments. The malicious files were originally downloaded from a cloud storage provider before being repackaged and deployed through system vulnerabilities.

Subsequent research into Black Basta’s leaked internal chats suggests that the group’s members are now transitioning to Cactus ransomware. The researchers believe this shift will allow Cactus to remain a significant threat in 2025.

Defense and mitigation strategies

To counteract these evolving threats, organizations should:

  • Strengthen authentication measures, including multi-factor authentication (MFA) and user verification procedures
  • Restrict the use of remote access tools such as Quick Assist unless they are explicitly required
  • Regularly audit cloud storage configurations to prevent unauthorized access
  • Monitor network traffic for suspicious outbound connections to known command-and-control servers
  • Educate employees on social engineering tactics to reduce susceptibility to phishing and impersonation attempts
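As an added illustration of the monitoring point above (example code written for this page, not from Trend Micro or the original article), the script below scans constructed endpoint events for two behaviours the campaign relies on: OneDriveStandaloneUpdater.exe loading a DLL from outside its expected directories, and Quick Assist being launched on a host where it is not explicitly permitted. The event schema, the trusted DLL paths, the Quick Assist image name and the host allowlist are all assumptions.

```python
UPDATER = "onedrivestandaloneupdater.exe"
QUICK_ASSIST = "quickassist.exe"  # assumed image name of the Quick Assist client

# Assumption: directories from which the legitimate updater should load DLLs.
TRUSTED_DLL_PREFIXES = (
    "c:\\program files\\microsoft onedrive\\",
    "c:\\program files (x86)\\microsoft onedrive\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


def check_event(event, quick_assist_hosts):
    """Return a finding for one event, or None when it looks benign."""
    image = event.get("image", "").lower()
    if event.get("type") == "image_load" and image.endswith(UPDATER):
        loaded = event.get("loaded", "")
        # A DLL resolved from a user-writable directory instead of the
        # install location is the sideloading pattern described in the article.
        if not loaded.lower().startswith(TRUSTED_DLL_PREFIXES):
            return f"possible DLL sideload: {event['image']} loaded {loaded}"
    if event.get("type") == "process_create" and image.endswith(QUICK_ASSIST):
        # Quick Assist is only expected on hosts explicitly allowed to use it.
        if event.get("host") not in quick_assist_hosts:
            return f"Quick Assist launched on non-permitted host {event.get('host')}"
    return None


def scan(events, quick_assist_hosts):
    """Run check_event over a sequence of events and collect the findings."""
    return [f for f in (check_event(e, quick_assist_hosts) for e in events) if f]


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "ws01",
     "image": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe",
     "loaded": r"C:\Program Files\Microsoft OneDrive\FileSyncConfig.dll"},
    {"type": "image_load", "host": "ws02",
     "image": r"C:\Users\alice\AppData\Local\Temp\OneDriveStandaloneUpdater.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"type": "process_create", "host": "helpdesk01",
     "image": r"C:\Windows\System32\QuickAssist.exe"},
    {"type": "process_create", "host": "ws02",
     "image": r"C:\Windows\System32\QuickAssist.exe"},
    {"type": "process_create", "host": "ws03",
     "image": r"C:\Windows\System32\notepad.exe"},
]
```

Running `scan(SAMPLE_EVENTS, {"helpdesk01"})` flags the updater copy in a Temp directory and the Quick Assist launch on ws02, while the installed updater and the help-desk host pass.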

As ransomware tactics grow more sophisticated, cybersecurity teams must remain vigilant against threats that combine social engineering with the abuse of legitimate tools. Proactive defenses and continuous monitoring are essential to prevent such attacks.