The Qakbot malware operation [2] [3] [4] [5] [6], also known as Qbot or Pinkslipbot [1] [2] [3] [4], remains a significant threat despite a recent law enforcement raid called “Operation Duck Hunt” that targeted its infrastructure [6].

Description

The FBI’s operation only affected the group’s command and control servers [3], leaving their spam delivery infrastructure intact [2] [3] [4] [5]. Qakbot, which began as a banking trojan and evolved into a botnet used to stage ransomware attacks [3], is run by a group [3] [4] [5] [6] that is still active and may choose to rebuild its infrastructure [3] [5]. Since August 2023 [1] [2] [4] [8], researchers from Cisco’s Talos unit have observed the group running a campaign that uses phishing emails to distribute the Ransom Knight ransomware and the Remcos RAT [3]. In this campaign [1] [5], Qakbot inserts malicious messages into existing email conversations and, once installed, downloads three different malicious payloads [7]: modules for password stealing [7], network scanning [7], and sending spam emails [7]. The phishing emails carry LNK files [3] with filenames written in Italian [3], suggesting a focus on Italian-speaking users [3].

Security teams should take Qakbot infections seriously as they can be a precursor to a ransomware attack [7]. Cisco Talos has released a report on this ongoing ransomware campaign [6]. Sophos recommends caution when dealing with unusual or unexpected emails and suggests using security technologies to prevent Qakbot infections [7].
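The two delivery traits described above, a message injected into an existing conversation and an LNK attachment with an Italian-language filename, can be checked at the mail gateway. The following triage function is an added example, not code from any of the cited reports; the sample message, sender, subject and filename are constructed for illustration and are not real indicators.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample (not a real indicator): a reply injected into an existing thread
# that carries an LNK attachment with an Italian filename, mirroring the pattern above.
SAMPLE_EML = """\
From: "Ufficio Contabilita" <contabilita@example.invalid>
To: user@example.invalid
Subject: RE: Fattura 2023
In-Reply-To: <original-thread-id@example.invalid>
References: <original-thread-id@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Buongiorno, in allegato la fattura aggiornata.
--b1
Content-Type: application/octet-stream; name="fattura.lnk"
Content-Disposition: attachment; filename="fattura.lnk"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# "re:"/"fwd:" are the English prefixes; "r:"/"i:" are the Italian Outlook reply/forward prefixes.
REPLY_PREFIXES = ("re:", "fw:", "fwd:", "r:", "i:")


def attachment_names(msg: EmailMessage) -> list[str]:
    """Return the filenames of all MIME parts marked as attachments."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment" and p.get_filename()]


def triage(raw: str) -> dict:
    """Flag LNK attachments, and escalate when they arrive inside an existing thread."""
    msg = email.message_from_string(raw, policy=policy.default)
    lnk = [n for n in attachment_names(msg) if n.lower().endswith(".lnk")]
    subject = str(msg.get("Subject") or "").strip().lower()
    # Thread context: reply headers present, or a reply/forward subject prefix.
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References")) or subject.startswith(REPLY_PREFIXES)
    findings = []
    if lnk:
        findings.append("LNK attachment(s): " + ", ".join(lnk))
        if in_thread:
            findings.append("LNK delivered inside an existing conversation (thread hijacking pattern)")
    # Windows shortcut files have no legitimate reason to arrive by email: quarantine on sight.
    return {"lnk_attachments": lnk, "in_thread": in_thread, "findings": findings, "quarantine": bool(lnk)}
```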

Conclusion

Despite the law enforcement operation’s impact on the Qakbot group’s command and control servers, their spam delivery infrastructure remains unaffected [2]. The Qakbot threat actors have been linked to an ongoing phishing campaign since August 2023 [2], delivering the Ransom Knight ransomware and the Remcos RAT [1] [2] [3] [4] [6] [8]. Although there is no evidence that the Qakbot malware itself has been distributed since the infrastructure takedown, it is assessed that the malware will likely continue to pose a significant threat in the future [2]. The threat actors may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity [2]. Security measures such as caution when handling suspicious emails and the use of security technologies are recommended to mitigate the risk of Qakbot infections [7].

References

[1] http://bssn.esy.es/index.php/2023/10/05/qakbot-threat-actors-still-in-action-using-ransom-knight-and-remcos-rat-in-latest-attacks/
[2] https://osintcorp.net/qakbot-threat-actors-still-in-action-using-ransom-knight-and-remcos-rat-in-latest-attacks/
[3] https://securityboulevard.com/2023/10/qakbot-hackers-delivering-ransomware-despite-fbi-takedown/
[4] https://patabook.com/technology/2023/10/05/qakbot-threat-actors-still-in-action-using-ransom-knight-and-remcos-rat-in-latest-attacks/
[5] https://techcrunch.com/2023/10/05/qakbot-hackers-are-still-spamming-victims-despite-fbi-takedown/
[6] https://www.darkreading.com/attacks-breaches/qakbot-infections-continue-even-after-high-profile-raid
[7] https://www.sophos.com/en-us/press-office/press-releases/2022/03/the-qakbot-botnet-is-becoming-more-advanced-and-dangerous
[8] https://www.cybersecurity-review.com/news-october-2023/qakbot-affiliated-actors-distribute-ransom-knight-malware-despite-infrastructure-takedown/