Despite the takedown of the Qakbot threat gang’s infrastructure by the FBI in late August, some of the group’s affiliates are still deploying ransomware through phishing campaigns, according to Cisco Talos.
Talos threat researchers found new evidence that a threat actor linked to the Qakbot malware loader (also known as QBot or Pinkslipbot) has been conducting a campaign since early August 2023 in which it has been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.
Cisco shared the details of this new analysis in a blog post published on the Talos Intelligence website on October 5, 2023.
The FBI Operation Only Impacted Qakbot’s C2 Servers
Talos attributed this new campaign to Qakbot affiliates because the metadata found in LNK files used in the campaign matches the metadata from machines used in previous Qakbot campaigns.
This new analysis indicates that the law enforcement operation, dubbed Operation Duck Hunt, may have only impacted Qakbot operators’ command and control (C2) servers, not their spam delivery infrastructure.
This finding confirms what several cybersecurity experts told Infosecurity in early September, a few days after the FBI and international law enforcement operation.
Yelisey Bohuslavskiy, a partner at threat prevention provider Red Sense, explained why he thought Operation Duck Hunt only took down the infrastructure of the QakBot loader but not necessarily of QakBot the Trojan.
“QBot was developed as a trojan malware but later transitioned into a loader-as-a-service (LaaS). From details about the ‘Duck Hunt’ operation, it seems the segment of QBot’s infrastructure taken down was QB-crimeware rather than the ransomware/LaaS component.”
Alex Holland, a senior malware analyst at HP Wolf Security, agreed. “It’s unlikely this is the last we will see of QakBot,” he told Infosecurity.
What is Qakbot?
Qakbot is a modular banking trojan that has been active since 2008. It is primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials. Qakbot can also be used to distribute other malware, such as ransomware.
“By late 2020, amidst the surge of ransomware, this loader function took precedence, propelling QBot to a leading position in the botnet ecosystem, allying them with REvil, Conti, and many others. Yet, its crimeware trojan functionality persisted,” Holland added.
In late August 2023, the FBI led a multinational law enforcement operation to dismantle QakBot.
The Bureau and its partners gained access to QakBot’s admin computers, which helped law enforcement map out the server infrastructure used in the botnet’s operation.
It then seized 52 servers, which it said would “permanently dismantle” the botnet, and redirected QakBot’s traffic to servers controlled by the Bureau, pointing victims to download an uninstaller.
The US Department of Justice (DoJ) said the FBI had identified over 700,000 infected computers worldwide, including more than 200,000 in the US.
The DoJ also announced it seized over $8.6m in cryptocurrency from the QakBot cybercriminal organization. This money will be returned to the victims.