Fresh Qakbot Sightings Confirm Recent Takedown Was a Temporary Setback


Microsoft and several others have reported seeing the noxious malware surfacing again in a campaign targeting the hospitality industry.
December 19, 2023
Qakbot malware is back less than four months after US and international law enforcement authorities dismantled its distribution infrastructure in a widely hailed operation dubbed "Duck Hunt."
In recent days, several security vendors have reported seeing the malware being distributed via phishing emails that target organizations in the hospitality sector. For the moment, the email volumes appear to be relatively low. But given the tenacity that Qakbot operators have shown in the past, it likely won't be long before the volume picks up again.
Microsoft's threat intelligence group has estimated the new campaign began Dec. 11, based on a timestamp in the payload used in the recent attacks. Targets have received emails with a PDF attachment from a user purporting to be an employee at the IRS, the company said in multiple posts on X, the platform formerly known as Twitter. "The PDF contained a URL that downloads a digitally signed Windows Installer (.msi)," Microsoft posted. "Executing the MSI led to Qakbot being invoked using export 'hvsi' execution of an embedded DLL." The researchers described the Qakbot version that the threat actor is distributing in the new campaign as a previously unseen version.
Zscaler observed the malware surfacing as well. In a post on X, the company identified the new version as 64-bit, using AES for network encryption and sending POST requests to a specific path on compromised systems. Proofpoint confirmed similar sightings a day later while also noting that the PDFs in the current campaign have been distributed since at least Nov. 28.
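The delivery chain described in the two preceding paragraphs (PDF lure, downloaded MSI, Qakbot invoked through the "hvsi" export of an embedded DLL) lends itself to endpoint detection on process lineage. The following is an added example, not code from Microsoft, Zscaler, or this article: it scores constructed Sysmon-style process-creation events, and assumes that the DLL export is launched through a `rundll32`-style command line and that `acrobat.exe`/`acrord32.exe` are the PDF readers in use, neither of which the reporting states.

```python
"""Score process-creation events for the Qakbot MSI delivery chain."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Assumed PDF reader binaries; the article names no specific reader.
READER_IMAGES = {"acrobat.exe", "acrord32.exe"}

# "hvsi" is the export name quoted by Microsoft; matching it in a
# "<dll>,hvsi" or "<dll>#hvsi" command line is an assumption about
# how the export gets called, not something the reporting confirms.
EXPORT_RE = re.compile(r"\.dll\s*[,#]\s*hvsi\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return 'high', 'medium' or None for one event."""
    parent, image = _basename(ev.parent_image), _basename(ev.image)
    # Stage 2: msiexec spawning a process that calls the hvsi export.
    if parent == "msiexec.exe" and EXPORT_RE.search(ev.command_line):
        return "high"
    # Stage 1: a PDF reader launching the Windows Installer at all is
    # unusual enough to surface, but on its own is only a weak signal.
    if parent in READER_IMAGES and image == "msiexec.exe":
        return "medium"
    return None


def find_suspicious(events):
    """Return (severity, command_line) for every event that scores."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev.command_line))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
              r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\u\Downloads\IRS_notice.msi /qn"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,hvsi"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i setup.msi"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]
```

Run `find_suspicious(SAMPLE_EVENTS)` to see the two chained stages flagged while the benign installer and Control Panel launches are ignored.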
Qakbot is particularly noxious malware that has been around since at least 2007. Its authors originally used the malware as a banking Trojan but in recent years pivoted to a malware-as-a-service model. Threat actors typically have distributed the malware via phishing emails, and infected systems usually become part of a bigger botnet. At the time of the takedown in August, law enforcement identified as many as 700,000 Qakbot-infected systems worldwide, some 200,000 of which were located in the US.
Qakbot-affiliated actors have increasingly used it as a vehicle to drop other malware, most notably Cobalt Strike, Brute Ratel, and a slew of ransomware. In many instances, initial access brokers have used Qakbot to gain access to a target network and later sold that access to other threat actors. "QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti, ProLock, Egregor, REvil, MegaCortex, Black Basta, Royal, and PwndLocker," the US Cybersecurity and Infrastructure Security Agency noted in a statement announcing the law enforcement takedown earlier this year.
The recent sightings of Qakbot malware appear to confirm what some vendors have reported in recent months: law enforcement's takedown had less of an impact on Qakbot actors than generally perceived.
In October, for instance, threat hunters at Cisco Talos reported that Qakbot-affiliated actors were continuing to distribute the Remcos backdoor and Ransom Knight ransomware in the weeks and months following the FBI's seizure of Qakbot infrastructure. Talos security researcher Guilherme Venere saw that as a sign that August's law enforcement operation may have taken out only Qakbot's command-and-control servers and not its spam-delivery mechanisms.
"Though we have not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward," Venere said at the time. "We see this as likely as the developers were not arrested and are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure."
Security firm Lumu said it counted a total of 1,581 attempted attacks on its customers in September that were attributable to Qakbot. In subsequent months, the activity has remained at more or less the same level, according to the company. Most attacks have targeted organizations in finance, manufacturing, education, and government sectors.
The threat group's continued distribution of the malware indicates that it managed to evade significant consequences, Lumu CEO Ricardo Villadiego says. The group's ability to continue operating primarily hinges on the economic feasibility, technical capabilities, and ease of establishing new infrastructure, he notes. "Since the ransomware model remains profitable and legal efforts haven't specifically targeted the individuals and the underlying structure of these criminal operations, it becomes challenging to completely neutralize any malware network like this."
Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.
