Despite the takedown of the Qakbot threat gang's infrastructure by the FBI in late August, some of the group's affiliates are still deploying ransomware via phishing campaigns, according to Cisco Talos.
Talos threat researchers found new evidence that a threat actor linked to the Qakbot malware loader (also known as QBot or Pinkslipbot) has been running a campaign since early August 2023 in which it distributes Ransom Knight ransomware and the Remcos backdoor via phishing emails.
Cisco shared the details of this new analysis in a blog post published on the Talos Intelligence website on October 5, 2023.
The FBI Operation Only Impacted Qakbot's C2 Servers
Talos attributed this new campaign to Qakbot affiliates because the metadata found in the LNK files used in the campaign matches the metadata from machines used in earlier Qakbot campaigns.
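The attribution above rests on shortcut metadata: a Windows .lnk file usually carries a TrackerDataBlock holding the NetBIOS name of the machine that created it and a version-1 GUID whose node field is that machine's MAC address, so lures built on the same host share a fingerprint from one campaign to the next. The following is an added example, not Talos's tooling and not code from the original article: a stdlib-only parser for that block following the MS-SHLLINK layout, run against constructed in-memory shortcuts. The machine names, MAC addresses, volume GUID and timestamps are made up for illustration, and `build_sample_lnk` exists only to produce test input.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Layout per MS-SHLLINK: fixed 76-byte header, optional structures, then ExtraData blocks.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
TRACKER_DATA_BLOCK_SIG = 0xA0000003
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 v1 time counts 100ns ticks from here


def _skip_string_data(data, off, flags):
    """Step over the optional StringData members (2-byte char count, then the chars)."""
    width = 2 if flags & IS_UNICODE else 1
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2 + count * width
    return off


def _uuid_v1_info(raw16):
    """Return (mac, creation time) from a GUID's 16 on-disk bytes, or (None, None) if it is not a v1 UUID."""
    u = uuid.UUID(bytes_le=raw16)
    if u.version != 1:  # random (v4) object IDs carry no MAC or timestamp
        return None, None
    mac = ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))
    return mac, UUID_EPOCH + timedelta(microseconds=u.time // 10)


def lnk_tracker_fingerprint(data):
    """Extract the creator fingerprint (machine name, volume GUID, MAC, object-ID time) from a .lnk's TrackerDataBlock."""
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    off = _skip_string_data(data, off, flags)
    while off + 8 <= len(data):                 # ExtraData: BlockSize, BlockSignature, body
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:                            # TerminalBlock
            break
        if sig == TRACKER_DATA_BLOCK_SIG and size >= 0x60:
            body = data[off + 8:off + size]     # Length(4) Version(4) MachineID(16) Droid(32) DroidBirth(32)
            machine_id = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
            mac, created = _uuid_v1_info(body[40:56])   # Droid's second GUID is the file object ID
            return {"machine_id": machine_id, "volume_id": str(uuid.UUID(bytes_le=body[24:40])),
                    "mac": mac, "object_id_time": created}
        off += size
    return None


def same_build_machine(fp_a, fp_b):
    """Two shortcuts share an origin host when machine name and MAC both agree."""
    return (fp_a is not None and fp_b is not None
            and (fp_a["machine_id"], fp_a["mac"]) == (fp_b["machine_id"], fp_b["mac"]))


def build_sample_lnk(machine_id, mac, created, volume="e9b2d1e4-3b6a-4a2c-8d3f-1a2b3c4d5e6f"):
    """Constructed test input: a minimal shortcut with Name + Arguments strings and a TrackerDataBlock."""
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_NAME | HAS_ARGUMENTS | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in ("Invoice", "/c start document.html"))
    ticks = ((created - UUID_EPOCH) // timedelta(microseconds=1)) * 10
    file_obj = uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                                 ((ticks >> 48) & 0x0FFF) | 0x1000,           # version 1
                                 0x80, 0x01, int(mac.replace(":", ""), 16)))  # RFC 4122 variant, node = MAC
    droid = uuid.UUID(volume).bytes_le + file_obj.bytes_le
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_DATA_BLOCK_SIG, 0x58, 0, machine_id.encode("ascii"))
    return header + strings + tracker + droid + droid + struct.pack("<I", 0)


# Constructed samples: two lures from the same host weeks apart, and one from an unrelated host.
SAMPLE_AUG = build_sample_lnk("desktop-abc123", "00:0c:29:ab:cd:ef", datetime(2023, 8, 1, tzinfo=timezone.utc))
SAMPLE_SEP = build_sample_lnk("desktop-abc123", "00:0c:29:ab:cd:ef", datetime(2023, 9, 20, tzinfo=timezone.utc))
SAMPLE_OTHER = build_sample_lnk("ws-unrelated", "00:50:56:11:22:33", datetime(2023, 9, 20, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, blob in (("aug", SAMPLE_AUG), ("sep", SAMPLE_SEP), ("other", SAMPLE_OTHER)):
        print(name, lnk_tracker_fingerprint(blob))
    print("aug/sep same host:",
          same_build_machine(lnk_tracker_fingerprint(SAMPLE_AUG), lnk_tracker_fingerprint(SAMPLE_SEP)))
```

Two practical caveats when running this over real samples: shortcuts generated by tooling rather than Explorer may carry a zeroed tracker block or a random (v4) object ID, in which case the parser returns no MAC, and a machine name such as `desktop-abc123` is far too common on its own. The MAC plus the volume GUID is the pair worth pivoting on, and even that only says the files were built on the same machine, not who operated it.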
This new analysis indicates that the law enforcement operation, dubbed Operation Duck Hunt, may have only impacted Qakbot operators' command and control (C2) servers, not their spam delivery infrastructure.
This finding confirms what several cybersecurity experts told Infosecurity in early September, a few days after the FBI and international law enforcement operation.
Yelisey Bohuslavskiy, a partner at threat prevention provider Red Sense, explained why he thought Operation Duck Hunt only took down the infrastructure of the QakBot loader but not necessarily that of QakBot the Trojan.
"QBot was developed as a trojan malware but later transitioned into a loader-as-a-service (LaaS). From details about the 'Duck Hunt' operation, it seems the segment of QBot's infrastructure taken down was QB-crimeware rather than the ransomware/LaaS component."
Alex Holland, a senior malware analyst at HP Wolf Security, agreed. "It's unlikely this is the last we'll see of QakBot," he told Infosecurity.
Read more: FBI's QakBot Takedown Raises Questions – 'Dismantled' or Just a Temporary Setback?
What is Qakbot?
Qakbot is a modular banking trojan that has been active since 2008. It is primarily used to steal victims' financial data, including browser information, keystrokes, and credentials. Qakbot can also be used to distribute other malware, such as ransomware.
"By late 2020, amid the surge of ransomware, this loader function took precedence, propelling QBot to a leading position in the botnet ecosystem, allying them with REvil, Conti, and many others. Yet its crimeware trojan functionality continued," Holland added.
In late August 2023, the FBI led a multinational law enforcement operation to dismantle QakBot.
The Bureau and its partners gained access to QakBot's admin computers, which helped law enforcement map out the server infrastructure used in the botnet's operation.
It then seized 52 servers, which it said would "permanently dismantle" the botnet, and redirected QakBot's traffic to servers controlled by the Bureau, directing infected machines to download an uninstaller.
The US Department of Justice (DoJ) said the FBI had identified over 700,000 infected computers worldwide, including more than 200,000 in the US.
The DoJ also announced it had seized over $8.6m in cryptocurrency from the QakBot cybercriminal group. This money will be returned to the victims.