A new wave of phishing messages distributing the QakBot malware has been spotted, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network.
Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.
“Targets received a PDF from a user masquerading as an IRS employee,” the tech giant said in a series of posts shared on X (formerly Twitter).
“The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export ‘hvsi’ execution of an embedded DLL.”
Microsoft said that the payload was generated the same day the campaign started and that it is configured with the previously unseen version 0x500.
Zscaler ThreatLabz, in a post shared on X, described the resurfaced QakBot as a 64-bit binary that uses AES for network encryption and sends POST requests to the path /teorema505.
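The /teorema505 beacon path reported above is the kind of indicator a defender can sweep proxy logs for. The following Python script is an added example, not code from the article or from Microsoft or Zscaler; the log format and the log lines are constructed for the demonstration, and the path is treated as a single-campaign indicator that later builds may change.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the article), one request per line:
# timestamp client_ip method url status
SAMPLE_LOG = """\
2023-12-11T09:14:02Z 10.0.3.17 GET http://example.invalid/index.html 200
2023-12-11T09:14:09Z 10.0.3.17 POST http://203.0.113.45/teorema505 200
2023-12-11T09:15:31Z 10.0.3.22 POST http://203.0.113.45/teorema505 200
2023-12-11T09:16:04Z 10.0.3.17 POST http://203.0.113.45/teorema505?x=1 200
2023-12-11T09:17:40Z 10.0.3.40 GET http://example.invalid/teorema505 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# C2 path reported by Zscaler ThreatLabz for the December 2023 QakBot sample.
# It is a single-campaign indicator and may change in later builds.
QAKBOT_C2_PATH = "/teorema505"


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["url"]).path  # query string is dropped
    return rec


def find_qakbot_beacons(log_text):
    """Count POST requests to the QakBot C2 path per client IP.

    Only POST is matched, since the reported beacon is a POST; a GET to the
    same path (for example a scanner or a typo) is not counted.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == QAKBOT_C2_PATH:
            hits[rec["client"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, n in find_qakbot_beacons(SAMPLE_LOG).items():
        print(f"{client}: {n} POST request(s) to {QAKBOT_C2_PATH}")
```

Hosts that repeat the beacon are the ones to pull for the MSI and DLL artifacts described above.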
QakBot, also called QBot and Pinkslipbot, was disrupted as part of a coordinated effort called Operation Duck Hunt after the authorities managed to gain access to its infrastructure and instructed the infected computers to download an uninstaller file to render the malware ineffective.
Traditionally distributed via spam email messages containing malicious attachments or hyperlinks, QakBot is capable of harvesting sensitive information as well as delivering additional malware, including ransomware.
In October 2023, Cisco Talos revealed that QakBot affiliates have been leveraging phishing lures to deliver a mix of ransomware, remote access trojans, and stealer malware.
The return of QakBot mirrors that of Emotet, which also resurfaced in late 2021 months after it was dismantled by law enforcement and has remained a persistent threat, albeit at a lower level.
While it remains to be seen if the malware will return to its former glory, the resilience of such botnets underscores the need for organizations to avoid falling victim to spam emails used in Emotet and QakBot campaigns.
“It isn’t uncommon to see malware return after law enforcement actions, the two most prominent being TrickBot and Emotet,” Selena Larson, senior threat intelligence analyst at Proofpoint, said in a statement shared with The Hacker News.
“While the return of Qbot to email threat data is notable, it has not been observed at the same volume and scale of previous campaigns. The law enforcement disruption appears to still be having an impact on Qbot’s operations.”