QBot [1] [3], also known as QakBot, has resurfaced in a new phishing campaign targeting the hospitality industry [3]. This campaign, which began on December 11 [1], involves fraudulent emails appearing to be sent from an IRS employee. These emails contain a PDF attachment named GuestListVegas.pdf [2], which actually carries the QBot DLL payload [3]. The DLL has been updated to utilize AES encryption for more discreet operation. Despite previous beliefs of its elimination, QBot has returned and is attempting to establish a new botnet with a slightly modified version.
Description
According to credible threat monitoring services and malware analysts [3], QBot has made a comeback in a phishing campaign aimed at the hospitality industry. The campaign, which commenced on December 11, utilizes deceptive emails that masquerade as communications from an IRS employee. These emails include an attachment named GuestListVegas.pdf [2], which in reality harbors the QBot DLL payload. Notably, the DLL has been enhanced to employ AES encryption [3], enabling it to operate more covertly. Previously assumed to have been eradicated, QBot has resurfaced with the intention of creating a new botnet, albeit with minor modifications. Despite law enforcement efforts to dismantle the botnet, known as “Operation Duck Hunt,” only approximately 80% of its infrastructure was successfully removed, leaving room for potential rebuilding. Consequently, organizations must exercise caution when dealing with spam emails associated with QBot campaigns. Additionally, it is worth noting that some malicious actors have shifted their focus to employing DarkGate, a dangerous malware loader and info-stealer [3].
Conclusion
The resurgence of QBot in a phishing campaign targeting the hospitality industry has significant implications. Organizations within this sector must remain vigilant and exercise caution when handling suspicious emails associated with QBot campaigns. The updated QBot DLL, utilizing AES encryption [3], poses a greater challenge for detection and mitigation. Furthermore, the partial success of “Operation Duck Hunt” in dismantling the botnet highlights the need for continued efforts to combat this threat. Additionally, the emergence of DarkGate as an alternative malware loader and info-stealer underscores the evolving tactics employed by malicious actors. It is imperative for organizations to stay informed and implement robust security measures to protect against these threats in the future.
References
[1] https://thehackernews.com/2023/12/qakbot-malware-resurfaces-with-new.html
[2] https://www.helpnetsecurity.com/2023/12/18/qakbot-phishing-hospitality-industry/
[3] https://restoreprivacy.com/qbot-malware-back-to-action-following-law-enforcement-disruption/
