Evidence suggests that the notorious Qakbot malware gang continued to stage cyberattacks in August, even as authorities grasped Its‘ Infrastructure and dismantled the formidable botnet he had built over several years.
Before the FBI operation that took down the botnet, QakBot (also known as “QBot”, “QuackBot” and “Pinkslipbot”) was the most common malware loader seen by ReliaQuestwhich represents 30% of all chargers observed by its researchers during the first seven months of this year.
While authorities seized infrastructure and financial assets belonging to the gang in August, researchers warned at the time that without arrests, key members of the gang risked regrouping and continuing to commit cybercrimes.
In a October 5 blog post Cisco Talos said it believes the gang distributed the Ransom Knight ransomware and Remcos backdoor via phishing emails in the weeks leading up to the takedown. The post states that while the multi-agency raid destroyed the group’s command and control servers, it did not impact their spam distribution infrastructure.
Cisco Talos linked Qakbot to the ransomware-as-a-service malware Ransom Knight by connecting metadata found in a malicious LNK file attached to a web lure used in the latest campaign with a machine used in previous Qakbot campaigns.
The research team had previously used metadata from the LNK file to identify and track threat actors, including those behind Qakbot. In August, the month of the takedown, he discovered an LNK file used in a Ransom Knight campaign that had been created on a machine previously identified as being used in Qakbot campaigns.
Cisco Talos said it found other similarities between the new campaign and some common traits used in Qakbot Group’s previous campaigns. These included “urgent financial matters themes” used in LNK file names that victims were tricked into opening – for example: “NOT-paid-Invoice-26-August.pdf.lnk”.
“We do not believe that the Qakbot threat actors are behind the ransomware-as-a-service (Ransom Knight) offering, but are simply customers of the service,” the researcher wrote in threats Guilherme Venere in his message.
“As this new operation has been running since early August 2023 and has not stopped after the takedown, we believe that the FBI operation did not affect Qakbot’s phishing email delivery infrastructure , but only its command and control servers.”
Authorities said the gang behind Qakbot had caused hundreds of millions of dollars in losses since its creation in 2008. One of the major achievements of the August takedown was the FBI’s ability to uninstall the malware by 700 000 computers, effectively dismantling the botnet.
However, Venere speculated that the gang might not remain a simple affiliated ransomware group for long, given the potentially lucrative opportunity they would have if they resurrected the Qakbot botnet.
“While we have not seen threat actors distribute Qakbot after the infrastructure was removed, we believe the malware will likely continue to pose a significant threat in the future,” he said.
“As operators remain active, they may choose to rebuild Qakbot’s infrastructure to fully resume their activity before the withdrawal.”