
Qakbot malware attacks again 3 months after being dismantled

 

Just over three months after the FBI announced the dismantling of the Qakbot malware group, also known as Qbot, Microsoft researchers have identified that the botnet is being distributed again in phishing campaigns.

At the end of August, a multinational police operation called Operation Duck Hunt accessed the QakBot administrator’s servers and mapped the group’s infrastructure. After gaining access to the botnet’s encryption keys used for malware communication, the FBI was able to “hijack” it to send a custom Windows DLL (Dynamic-link library) module to infected devices. This DLL executed a command that effectively stopped the botnet.

Although a phishing service that was used to distribute QakBot has remained active since the disruption, there was no record of the malware being distributed until last Monday, the 11th, when the new phishing campaign began.

Microsoft is now warning that QakBot is being distributed again in a phishing campaign pretending to be an email from an IRS employee. The software maker says it first observed the phishing attack on Monday in a small campaign targeting the hospitality sector.

Attached to the email is a PDF file pretending to be a guest list that says “Document preview is not available” and then prompts the user to download the PDF to view it properly. However, upon clicking the download button, the recipient downloads an MSI (Microsoft Installer) file which, when installed, launches the Qakbot malware DLL into memory.
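The delivery chain above gives defenders a concrete check: a link inside a PDF attachment should not return an installer. The following is an added example, not code from Microsoft or the original article; it flags PDF links whose response starts with the OLE compound file header that MSI files use. The URL, the sample bytes and the `fetched` map (responses captured by a sandbox or proxy) are constructed assumptions.

```python
import re

PDF_MAGIC = b"%PDF-"
# OLE compound file header: the container format of .msi (and legacy Office files).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Literal-string URI actions only; links inside compressed object streams are not seen.
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring file name and Content-Type."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound"
    if PDF_MAGIC in data[:1024]:  # readers accept the header within the first 1024 bytes
        return "pdf"
    return "unknown"


def pdf_links(pdf: bytes) -> list[str]:
    """Return the targets of uncompressed /URI actions in a PDF."""
    return [m.decode("latin-1") for m in URI_ACTION.findall(pdf)]


def triage(attachment: bytes, fetched: dict[str, bytes]) -> list[tuple[str, str]]:
    """Flag links in a PDF attachment whose response is an installer container.

    `fetched` maps URL -> response body, as captured by a sandbox or proxy (assumption).
    """
    findings = []
    if sniff(attachment) != "pdf":
        return findings
    for url in pdf_links(attachment):
        body = fetched.get(url)
        if body is not None and sniff(body) == "ole-compound":
            findings.append((url, "link in PDF returns an OLE compound file (possible MSI)"))
    return findings


# Constructed samples: a minimal PDF fragment with one link, and two possible responses.
URL = "https://download.example.invalid/guestlist"
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (" + URL.encode() + b") >> >>\nendobj\n")
MSI_LIKE = OLE_MAGIC + b"\x00" * 504  # header bytes only, not a real installer
REAL_PDF = b"%PDF-1.7\n%%EOF\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PDF, {URL: MSI_LIKE}))
```

The OLE header also matches legacy Office documents, so a hit means "not the PDF the lure promised" rather than a confirmed MSI; confirm the file type before acting on it.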

Microsoft says the DLL was generated on Monday the 11th, the same day the phishing campaign began, and uses the code ‘tchk06’ and command and control (C&C) servers. “Most notably, the delivered Qakbot payload was configured with the unreleased version 0x500,” Microsoft tweeted, indicating the continued development of the malware.

While it is too early to say whether Qbot will return to its previous scale, administrators and users need to be aware of the reply-chain phishing emails that are commonly used to distribute the malware.

QakBot, also known as Qbot, began as a banking trojan in 2008, with malware developers using it to steal banking credentials, website cookies and credit cards to commit financial fraud. Over time, the malware has evolved into a malware delivery service, partnering with other threat actors to provide initial access to networks to carry out ransomware attacks, espionage, or data theft.

Qakbot is distributed through phishing campaigns that use a variety of lures, including reply-chain email attacks, in which threat actors take a stolen email thread and reply to it with their own message and a malicious document attached. These emails often include malicious documents as attachments or links to download malicious files that install Qakbot malware on a user’s device.

In the past, Qakbot has partnered with several ransomware operations, including Conti, Prolock, Egregor, REvil, RansomExx, MegaCortex and, more recently, Black Basta and ALPHV/BlackCat.

 


Source: CisoAdvisor
