Although the Qakbot banking Trojan was taken down in August by a large-scale law enforcement operation, the people behind it remain active and still pose a threat to users, researchers said today.
According to a report from Cisco's Talos threat intelligence group, its analysts can say with "reasonable confidence" that the creators and operators of Qakbot are actively working on a new campaign, this time distributing a variant of the Knight malware, which was rebranded from Cyclops in July. Knight is ransomware that operates as a service: it is delivered by phishing and extorts money from victimized companies by threatening to sell exfiltrated data.
The Talos team based its assessment on drive serial numbers recorded in the metadata of LNK (Windows shortcut) files, which it matched against machines associated with the earlier Qakbot attacks. Although the Qakbot actors had attempted to scrub metadata from the files Talos examined, the team was still able to tie at least one machine to those earlier attacks.
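The pivot described above rests on a specific artifact: a Windows shortcut carries a VolumeID block inside its LinkInfo structure (MS-SHLLINK, section 2.3.1) that records the serial number of the volume on which the shortcut was created, and that value survives unless the author deliberately strips it. The following parser, written for this page as an illustration and not taken from the Talos report or any tooling it describes, extracts that serial and groups shortcuts that share one. The shortcut bytes, serial number and file names are constructed test data (built by `build_sample_lnk`), not indicators from the campaign.

```python
"""Extract the volume serial number from Windows shortcut (.lnk) files.

The VolumeID block inside a shortcut's LinkInfo structure records the
serial number of the drive on which the shortcut was created
(MS-SHLLINK section 2.3.1). Matching that serial across samples is the
kind of artifact-level pivot used to link files to one machine.
"""
import struct
from collections import defaultdict

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

HAS_LINK_TARGET_ID_LIST = 0x01  # LinkFlags bit 0
HAS_LINK_INFO = 0x02            # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit 0

DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}


def _cstring(buf, offset):
    """Read a NUL-terminated ANSI string starting at offset."""
    end = buf.index(b"\x00", offset)
    return buf[offset:end].decode("latin-1")


def _wstring(buf, offset):
    """Read a NUL-terminated UTF-16LE string starting at offset."""
    chars = []
    while True:
        ch = buf[offset:offset + 2]
        if len(ch) < 2 or ch == b"\x00\x00":
            break
        chars.append(ch)
        offset += 2
    return b"".join(chars).decode("utf-16-le", "replace")


def parse_lnk_volume(data):
    """Return VolumeID details from a .lnk byte string, or None if absent.

    Only the fields needed for the serial-number pivot are decoded; the
    shortcut is never resolved or executed.
    """
    if len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE):
        raise ValueError("not a ShellLink header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + id_list_size          # skip the IDList entirely
    if not link_flags & HAS_LINK_INFO:
        return None
    li = pos  # all LinkInfo offsets below are relative to this position
    li_size, li_header_size, li_flags, vol_off, base_off = struct.unpack_from("<5I", data, li)
    if li_header_size < 0x1C or li + li_size > len(data):
        raise ValueError("malformed LinkInfo")
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None  # network-only link: no VolumeID to pivot on
    vid = li + vol_off
    _vid_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vid)
    if label_off == 0x14:  # per spec, 0x14 means a Unicode label offset follows
        label_off_u = struct.unpack_from("<I", data, vid + 0x10)[0]
        label = _wstring(data, vid + label_off_u)
    else:
        label = _cstring(data, vid + label_off)
    return {
        "drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
        "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",  # Windows "vol" style
        "volume_label": label,
        "local_base_path": _cstring(data, li + base_off),
    }


def build_sample_lnk(serial, label, base_path, drive_type=3):
    """Construct a minimal shortcut carrying a VolumeID (test data, not a real sample)."""
    label_b = label.encode("latin-1") + b"\x00"
    base_b = base_path.encode("latin-1") + b"\x00"
    vol_id = struct.pack("<4I", 0x10 + len(label_b), drive_type, serial, 0x10) + label_b
    hdr_size = 0x1C                      # LinkInfoHeaderSize without Unicode offsets
    vol_off = hdr_size
    base_off = vol_off + len(vol_id)
    suffix_off = base_off + len(base_b)  # CommonPathSuffix is an empty string
    body = vol_id + base_b + b"\x00"
    link_info = struct.pack("<7I", hdr_size + len(body), hdr_size,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + link_info + body


def cluster_by_serial(samples):
    """Group {filename: lnk_bytes} by the drive serial found in each shortcut."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        vol = parse_lnk_volume(blob)
        if vol:
            groups[vol["serial"]].append(name)
    return dict(groups)


# Constructed samples: two shortcuts built on the same (made-up) volume, one elsewhere.
SAMPLES = {
    "shortcut_a.lnk": build_sample_lnk(0x1234ABCD, "OS", "C:\\Users\\build\\a.xll"),
    "shortcut_b.lnk": build_sample_lnk(0x1234ABCD, "OS", "C:\\Users\\build\\b.xll"),
    "unrelated.lnk": build_sample_lnk(0x0BADF00D, "DATA", "D:\\stage\\c.xll"),
}

if __name__ == "__main__":
    for serial, names in cluster_by_serial(SAMPLES).items():
        print(serial, "->", ", ".join(names))
```

Run against real shortcuts by replacing `SAMPLES` with `{path: open(path, "rb").read()}`; a serial shared across files from separate intrusions is a lead, not proof, since an operator who rebuilds a lure on the same workstation and one who copies an old shortcut produce the same value. A shortcut whose LinkInfo is absent or whose VolumeID block is missing (the parser returns None) is itself worth noting: it is what deliberate metadata scrubbing looks like.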
"Some of the filenames are written in Italian, which suggests the threat actors may be targeting users in that region," the Talos blog said. "The LNK files are being distributed within Zip archives that also contain an XLL file."
XLL files, the team noted, are Excel add-ins, a Microsoft Excel file type that looks much like an ordinary .xls workbook in an Explorer window. If opened, the XLL files install the Remcos backdoor, a remote administration tool that the attackers use alongside Knight to gain access to the targeted systems.
Talos said the Qakbot actors are unlikely to be the operators of the Knight ransomware service itself and are more probably its customers. The FBI-led enforcement action in August took down Qakbot's command-and-control servers, so it likely left the group's phishing infrastructure untouched. That surviving infrastructure could also let the group rebuild its own back-end systems for Qakbot, raising the possibility of a resurgence.