Despite the disruption to its infrastructure, the threat actors behind the QakBot malware have been linked to an ongoing phishing campaign since early August 2023 that led to the delivery of Ransom Knight (aka Cyclops) ransomware and Remcos RAT.
This means that "the law enforcement operation may not have impacted Qakbot operators' spam delivery infrastructure but rather only their command-and-control (C2) servers," Cisco Talos researcher Guilherme Venere said in a new report published today.
The activity has been attributed with moderate confidence by the cybersecurity firm to QakBot affiliates. There is no evidence to date that the threat actors have resumed distributing the malware loader itself post-infrastructure takedown.
QakBot, also called QBot and Pinkslipbot, originated as a Windows-based banking trojan in 2007 and subsequently developed capabilities to deliver additional payloads, including ransomware. In late August 2023, the notorious malware operation was dealt a blow as part of an operation named Duck Hunt.
The latest activity, which commenced just before the takedown, begins with a malicious LNK file likely distributed via phishing emails that, when launched, detonates the infection and ultimately deploys the Ransom Knight ransomware, a recent rebrand of the Cyclops ransomware-as-a-service (RaaS) scheme.
The ZIP archives containing the LNK files have also been observed incorporating Excel add-in (.XLL) files to propagate the Remcos RAT, which facilitates persistent backdoor access to the endpoints.
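The lure described above is a ZIP archive carrying a shell link (.lnk) and an Excel add-in (.xll). The following triage script is an added example, not tooling from Cisco Talos or from the campaign: it walks a ZIP, reads only the first bytes of each member, and flags members by extension, by the MS-SHLLINK header (HeaderSize 0x4C plus the LinkCLSID), by a double extension such as `.pdf.lnk` that Explorer would display as a PDF, and by an `.xll` that carries a PE (DLL) header. The sample archive and its Italian-looking file names are constructed for the test and contain no real payload.

```python
import io
import zipfile

# Shell link (.lnk) files start with HeaderSize = 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} (MS-SHLLINK section 2.1).
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Extensions the campaign described in the article used for its lure (.lnk)
# and for the Remcos dropper (.xll).
SUSPICIOUS_EXTS = {".lnk", ".xll"}


def is_lnk(head: bytes) -> bool:
    """True if the first 20 bytes match a shell link header."""
    return head[:4] == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def is_pe(head: bytes) -> bool:
    """XLL add-ins are DLLs, so a genuine one starts with an MZ header."""
    return head[:2] == b"MZ"


def member_reasons(name: str, head: bytes) -> list[str]:
    """Return the reasons a single archive member looks like a phishing payload."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in SUSPICIOUS_EXTS:
        reasons.append(f"extension {ext}")
    # Double extension such as invoice.pdf.lnk: Explorer hides the trailing .lnk.
    if ext == ".lnk" and len(parts) > 2:
        reasons.append(f"double extension .{parts[-2]}{ext}")
    if is_lnk(head):
        reasons.append("shell link header")
        if ext != ".lnk":
            reasons.append("LNK content under non-.lnk name")
    if ext == ".xll" and is_pe(head):
        reasons.append("PE (DLL) payload as Excel add-in")
    return reasons


def triage_archive(zip_bytes: bytes) -> list[dict]:
    """Return flagged members of a ZIP as [{'name': ..., 'reasons': [...]}]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # header bytes only; the member is never executed
            reasons = member_reasons(info.filename, head)
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed fixture (not real malware): minimal headers plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Fattura_2023.pdf.lnk", LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56)
        zf.writestr("Documento.xll", b"MZ" + b"\x00" * 62)
        zf.writestr("note.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

The header checks matter more than the extension checks: a mail gateway that only blocks `.lnk` by name misses a shell link renamed to `.pdf`, while the LinkCLSID test still catches it. Reading 64 bytes per member keeps the triage cheap enough to run on every inbound archive.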
Some of the file names used in the campaign are written in Italian, which suggests the attackers are targeting users in that region.
"Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward," Venere said.
"Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity."
Cisco Talos told The Hacker News that the attack chains are also being used to deliver other malware such as DarkGate, MetaStealer, and RedLine Stealer.
"Determining the true scope is difficult but as we have already seen the QakBot distribution network is highly effective and has the ability to push large scale campaigns," Venere told the publication. "We have observed phishing emails distributing these malware to Italian, German and English victims which shows the campaign is widespread."