Attackers are testing a new version with some changes.
QakBot malware is once again being used in phishing campaigns, despite the successful operation of law enforcement agencies "Duck Hunt" to eliminate the QakBot infrastructure.
QakBot (Qbot) started out as a banking Trojan in 2008. Malware developers used it to steal bank credentials, website cookies, and credit cards for financial fraud purposes. Over time, QakBot evolved into a malware delivery service that collaborates with other cybercriminals to provide initial access to networks to conduct ransomware, espionage, or data theft attacks.
Note that at the end of August, US law enforcement agencies eliminated Qakbot, one of the most productive and long — lived botnet networks, as part of an international operation called "Duck Hunt". Agencies in seven countries not only disabled the Qakbot infrastructure, but also removed malware from infected devices.
However, after the temporary suspension of QakBot's activity, a new phishing campaign was launched. Microsoft announces the revival of QakBot, which is now distributed through phishing disguised as an email from an employee of the US Internal Revenue Service (IRS).
On December 11, Microsoft recorded a new wave of attacks targeting the hotel industry. As part of the campaign, attackers send out emails with an attached PDF file, which is presented as a guest list. However, when trying to download a document, users unwittingly download an MSI file that activates the malicious Qakbot DLL in the device's memory.
Phishing email with a fakePDF document
The DLL created on the day the phishing campaign started uses the unique code 'tchk06' and communicates with the management servers at 45.138.74.191:443 and 65.108.218.24:443. Cybersecurity researchers Pim Truerbach and Tommy Majar confirm that the distributed version of Qakbot is indeed new, although it contains only minor changes. Truerbach noted that the new version of the QakBot DLL uses the AES string decoding algorithm instead of XOR, which was used in previous versions, and contains several unusual errors, which indicates ongoing development.
Recalling the shutdown of the Emotet botnet infrastructure in 2021, Truerbach suggests that attackers may face difficulties in trying to revive their networks. However, in the context of QakBot, it is still too early to draw conclusions about its future impact and scope.
In October, the Cisco Talos team reported that the hackers behind the Qakbot botnet had started distributing ransomware. Despite disabling the Qakbot infrastructure, the hackers managed to maintain their distribution tools, which are used to distribute variants of the Cyclops / Ransom Knight ransomware, as well as the Remote Access Trojan (RAT) Remcos.
QakBot malware is once again being used in phishing campaigns, despite the successful operation of law enforcement agencies "Duck Hunt" to eliminate the QakBot infrastructure.
QakBot (Qbot) started out as a banking Trojan in 2008. Malware developers used it to steal bank credentials, website cookies, and credit cards for financial fraud purposes. Over time, QakBot evolved into a malware delivery service that collaborates with other cybercriminals to provide initial access to networks to conduct ransomware, espionage, or data theft attacks.
Note that at the end of August, US law enforcement agencies eliminated Qakbot, one of the most productive and long — lived botnet networks, as part of an international operation called "Duck Hunt". Agencies in seven countries not only disabled the Qakbot infrastructure, but also removed malware from infected devices.
However, after the temporary suspension of QakBot's activity, a new phishing campaign was launched. Microsoft announces the revival of QakBot, which is now distributed through phishing disguised as an email from an employee of the US Internal Revenue Service (IRS).
On December 11, Microsoft recorded a new wave of attacks targeting the hotel industry. As part of the campaign, attackers send out emails with an attached PDF file, which is presented as a guest list. However, when trying to download a document, users unwittingly download an MSI file that activates the malicious Qakbot DLL in the device's memory.
Phishing email with a fakePDF document
The DLL created on the day the phishing campaign started uses the unique code 'tchk06' and communicates with the management servers at 45.138.74.191:443 and 65.108.218.24:443. Cybersecurity researchers Pim Truerbach and Tommy Majar confirm that the distributed version of Qakbot is indeed new, although it contains only minor changes. Truerbach noted that the new version of the QakBot DLL uses the AES string decoding algorithm instead of XOR, which was used in previous versions, and contains several unusual errors, which indicates ongoing development.
Recalling the shutdown of the Emotet botnet infrastructure in 2021, Truerbach suggests that attackers may face difficulties in trying to revive their networks. However, in the context of QakBot, it is still too early to draw conclusions about its future impact and scope.
In October, the Cisco Talos team reported that the hackers behind the Qakbot botnet had started distributing ransomware. Despite disabling the Qakbot infrastructure, the hackers managed to maintain their distribution tools, which are used to distribute variants of the Cyclops / Ransom Knight ransomware, as well as the Remote Access Trojan (RAT) Remcos.
