Attackers Leverage Microsoft Teams and Quick Assist for Access

A sophisticated cyber-attack using social engineering tactics and widely used remote access tools has been uncovered by security researchers at Trend Micro.
The attack, which involves a stealthy infostealer malware, grants cybercriminals persistent control over compromised machines and enables them to steal sensitive data.
According to Trend Micro Threat Intelligence, most incidents since October 2024 have been concentrated in North America, with 21 breaches recorded. The US was the most affected, with 17 incidents, followed by Canada and the UK, each experiencing five. Europe recorded 18 incidents in total.
How the Attack Works
Attackers first gain initial access through social engineering, tricking victims into handing over credentials. Microsoft Teams is abused for impersonation, and Quick Assist or similar remote access software is then used to take control of the victim's machine and escalate privileges.
The legitimate, Microsoft-signed OneDrive updater OneDriveStandaloneUpdater.exe is then abused to sideload malicious DLLs: because the host binary is trusted, the attacker's code runs under its cover and gives the attackers a foothold on the network.
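The sideloading step above leaves a trace that defenders can hunt for: a trusted updater binary running from an unusual directory and loading a DLL that Microsoft did not sign. The following Python is an added example written for this article, not tooling from Trend Micro or Microsoft. It scans Sysmon Event ID 7 (Image loaded) messages for OneDriveStandaloneUpdater.exe loads and explains why each hit looks suspicious. The expected install directories are an assumption about where the genuine updater normally lives, and every sample event below is constructed.

```python
"""Hunt for DLL sideloading through OneDriveStandaloneUpdater.exe in
Sysmon Event ID 7 (Image loaded) records.

Added example for this article; it is not Trend Micro or Microsoft tooling.
EXPECTED_DIRS is an assumption about where the genuine updater is installed,
and every sample event is constructed rather than captured.
"""
from pathlib import PureWindowsPath

TARGET_EXE = "onedrivestandaloneupdater.exe"

# Assumption: normal install locations of the OneDrive updater. The per-user
# path is matched as a suffix because the user name varies.
EXPECTED_DIRS = (
    r"c:\program files\microsoft onedrive",
    r"c:\program files (x86)\microsoft onedrive",
    r"\appdata\local\microsoft\onedrive",
)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def parent_dir(path):
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\")


def in_expected_dir(path):
    """True when the file sits in one of the assumed updater install dirs."""
    d = parent_dir(path)
    return any(d == e or d.endswith(e) for e in EXPECTED_DIRS)


def parse_event(message):
    """Parse the 'Field: value' lines of a Sysmon event message into a dict."""
    fields = {}
    for line in message.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def suspicious_reasons(ev):
    """Return why an image load by the updater looks like a sideload.

    An empty list means the event is out of scope or looks benign.
    """
    image = ev.get("Image", "")
    if PureWindowsPath(image).name.lower() != TARGET_EXE:
        return []
    dll = ev.get("ImageLoaded", "")
    reasons = []
    if not in_expected_dir(image):
        reasons.append("updater runs outside its install directory")
    if parent_dir(dll) not in SYSTEM_DIRS and not in_expected_dir(dll):
        reasons.append("DLL loaded from outside system and install directories")
    signed = ev.get("Signed", "").lower() == "true"
    by_microsoft = "microsoft" in ev.get("Signature", "").lower()
    if not (signed and by_microsoft and ev.get("SignatureStatus") == "Valid"):
        reasons.append("DLL is not validly signed by Microsoft")
    return reasons


def hunt(messages):
    """Map each flagged event's ImageLoaded path to its list of reasons."""
    hits = {}
    for msg in messages:
        ev = parse_event(msg)
        reasons = suspicious_reasons(ev)
        if reasons:
            hits[ev["ImageLoaded"]] = reasons
    return hits


# Constructed Sysmon Event ID 7 messages (not real telemetry).
SAMPLE_EVENTS = [
    # Genuine per-user updater loading a system DLL: benign.
    r"""Image loaded:
Image: C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
ImageLoaded: C:\Windows\System32\winhttp.dll
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
    # Updater copied to a temp folder next to an unsigned DLL that shadows
    # a system DLL name: the classic sideload layout.
    r"""Image loaded:
Image: C:\Users\alice\AppData\Local\Temp\Update\OneDriveStandaloneUpdater.exe
ImageLoaded: C:\Users\alice\AppData\Local\Temp\Update\winhttp.dll
Signed: false
Signature:
SignatureStatus: Unavailable""",
    # A different host process is out of scope for this rule.
    r"""Image loaded:
Image: C:\Windows\explorer.exe
ImageLoaded: C:\Users\alice\AppData\Local\Temp\Update\winhttp.dll
Signed: false
Signature:
SignatureStatus: Unavailable""",
]

if __name__ == "__main__":
    for dll, reasons in hunt(SAMPLE_EVENTS).items():
        print(dll, "->", "; ".join(reasons))
```

The three checks are deliberately independent: a relocated but otherwise clean updater, or a Microsoft-signed DLL loaded from an odd path, still produce a hit with a single reason, which is usually worth a look even when it turns out to be a packaging quirk. In production the messages would come from a SIEM export or `Get-WinEvent` rather than the constructed list, and the install directories should be tuned to the estate.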
The attackers then deploy BackConnect malware, which allows them to maintain control over infected systems. Malicious files are hosted and distributed using commercial cloud storage services, taking advantage of misconfigured or publicly accessible storage buckets.
Researchers have linked the BackConnect malware to QakBot, a loader malware that was the subject of the 2023 takedown operation known as “Operation Duckhunt.”
QakBot played a critical role in granting Black Basta ransomware actors access to target systems. Since its takedown, these threat actors have shifted to alternative methods to maintain their operations.
Black Basta and Cactus Ransomware Connection
Trend Micro analysts recently examined cases where Black Basta and Cactus ransomware actors deployed the same BackConnect malware.
This malware enables attackers to execute commands remotely, steal credentials and exfiltrate financial data.
Black Basta alone extorted $107m from victims in 2023, with manufacturing being the hardest-hit sector, followed by financial services and real estate.
Attackers also used WinSCP, an open-source file transfer client, to move data within compromised environments. The malicious files were initially downloaded from a cloud storage provider before being repackaged and deployed through system vulnerabilities.
Further investigation into Black Basta’s internal chat leaks suggests that members of the group are now transitioning to Cactus ransomware. Researchers believe this shift will allow Cactus to remain a significant threat in 2025.
Defense and Mitigation Strategies
To counter these evolving threats, organizations should:
- Strengthen authentication measures, including multi-factor authentication (MFA) and user verification procedures
- Restrict the use of remote access tools like Quick Assist unless explicitly required
- Regularly audit cloud storage configurations to prevent unauthorized access
- Monitor network traffic for suspicious outbound connections to known command-and-control servers
- Educate employees on social engineering tactics to reduce susceptibility to phishing and impersonation attempts
With ransomware tactics becoming increasingly sophisticated, cybersecurity teams must remain vigilant against threats that blend social engineering with the abuse of legitimate tools. Proactive defenses and continuous monitoring are essential in preventing such attacks from succeeding.