Qakbot gang still active despite FBI withdrawal


Despite the FBI dismantling the Qakbot threat gang’s infrastructure in late August, some of the group’s affiliates continue to deploy ransomware via phishing campaigns, according to Cisco Talos.

Talos threat researchers have found new evidence that a malicious actor linked to the malware loader Qakbot (also known as QBot or Pinkslipbot) has been running a campaign since early August 2023 in which it distributed the ransomware Ransom Knight and the Remcos backdoor via phishing emails.

Cisco shared details of this new analysis in a blog post published on the Talos Intelligence site on October 5, 2023.

The FBI operation only impacted Qakbot’s C2 servers

Talos attributed this new campaign to Qakbot affiliates because the metadata found in the LNK files used in the campaign matches the metadata of the machines used in previous Qakbot campaigns.

This new analysis indicates that the law enforcement operation, dubbed Operation Duck Hunt, may have only impacted the Qakbot operators’ command and control (C2) servers, and not their spam delivery infrastructure.

This observation confirms what several cybersecurity experts had declared to Infosecurity in early September, a few days after the operation by the FBI and international law enforcement.

Yelisey Bohuslavskiy, a partner at threat prevention vendor Red Sense, explained why he believed Operation Duck Hunt only removed the infrastructure of the QakBot loader, but not necessarily that of the QakBot Trojan.

“QBot was developed as a malicious Trojan, but later became a Loader as a Service (LaaS). Based on the details of the ‘Duck Hunt’ operation, it appears that the segment of QBot’s infrastructure removed was QB crimeware rather than the ransomware/LaaS component.”

Alex Holland, senior malware analyst at HP Wolf Security, agrees. “It’s unlikely this will be the last we see of QakBot,” he told Infosecurity.


What is Qakbot?

Qakbot is a modular banking Trojan that has been active since 2008. It is primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials. Qakbot can also be used to distribute other malware, such as ransomware.

“In late 2020, amid the rise of ransomware, this loading feature took over, propelling QBot to a leading position in the botnet ecosystem, allying them with REvil, Conti and many others. Yet its criminal Trojan functionality persisted,” Holland added.

In late August 2023, the FBI led a multinational law enforcement operation to take down QakBot.

The Bureau and its partners gained access to QakBot’s administrative computers, which helped law enforcement map the server infrastructure used in the botnet’s operation.

It then seized 52 servers, which it claimed would “permanently dismantle” the botnet, and redirected QakBot traffic to servers controlled by the Bureau, tricking victims into downloading an uninstaller.

The US Department of Justice (DoJ) said the FBI has identified more than 700,000 infected computers worldwide, including more than 200,000 in the United States.

The DoJ also announced that it had seized more than $8.6 million in cryptocurrency from the cybercriminal organization QakBot. This money will be returned to the victims.
