A new wave of phishing emails spreads QakBot
QakBot has resurfaced in a new phishing campaign more than three months after law enforcement dismantled its infrastructure by penetrating its command-and-control (C2) network.
Microsoft, which discovered the situation, described it as a small-scale campaign that began on December 11, 2023, and targeted the hotel industry.
“Targets received a PDF sent by a user pretending to be an IRS employee,” the tech giant explained in a series of posts shared on X (formerly Twitter).
“The PDF contains a URL to download a digitally signed Windows Installer (.msi). Executing the MSI launches Qakbot via the ‘hvsi’ export of the embedded DLL.”
Microsoft said the payload was generated the same day the campaign began and was configured with a previously unseen version, 0x500.
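The execution chain Microsoft describes (MSI executed, then the embedded DLL launched through the ‘hvsi’ export) is something defenders can look for in process-creation telemetry. The following is an added example, not code from Microsoft or from the article; it runs over constructed Sysmon-style events with assumed field names and flags rundll32 launches that carry the ‘hvsi’ export, load a DLL from a user-writable path, or are spawned by msiexec.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\MSI1A2B.tmp,hvsi"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\bob\Downloads\invoice.msi /qn"},
]

# Export name reported for this campaign (from the article); extend as needed.
SUSPICIOUS_EXPORTS = {"hvsi"}
# Directories from which an installer-dropped DLL would be unusual to execute.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <dll>,<export> ...' into (dll, export); None if no match."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*([A-Za-z_#][\w#]*)',
                  cmdline, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else None


def flag_event(event):
    """Return the reasons an event matches the MSI -> rundll32 chain; empty if benign."""
    reasons = []
    if event["Image"].lower().endswith("rundll32.exe"):
        parsed = parse_rundll32(event["CommandLine"])
        if parsed:
            dll, export = parsed
            if export.lower() in SUSPICIOUS_EXPORTS:
                reasons.append(f"rundll32 export '{export}' matches a known QakBot export")
            if USER_WRITABLE.search(dll):
                reasons.append("rundll32 loading a DLL from a user-writable path")
        if event["ParentImage"].lower().endswith("msiexec.exe"):
            reasons.append("rundll32 spawned by msiexec (installer executing a DLL)")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := flag_event(e))]
```

The export name alone is a brittle indicator; the msiexec-to-rundll32 parent/child relationship and the user-writable DLL path are the more durable signals here.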
Zscaler ThreatLabz, in a post shared on
QakBot (also known as QBot and Pinkslipbot) was taken down as part of a coordinated operation called Operation Duck Hunt, after authorities gained access to its infrastructure and instructed infected computers to download an uninstaller that disabled the malware.
Traditionally distributed via spam emails containing malicious attachments or hyperlinks, QakBot is capable of collecting sensitive information and spreading other malware, including ransomware.
In October 2023, Cisco Talos revealed that QakBot affiliates were using phishing lures to deliver a combination of ransomware, remote access trojans, and stealth malware.
The return of QakBot mirrors that of Emotet, which also resurfaced in late 2021 after being taken down by law enforcement; although Emotet came back at a smaller scale, it remains a persistent threat.
While it remains to be seen whether the malware will return to its former prominence, the resilience of such botnets highlights the need for organizations to guard against the spam emails used in Emotet and QakBot campaigns.
Selena Larson, senior threat intelligence analyst at Proofpoint, said in a statement shared with The Hacker News: “It is not uncommon for malware to resurge following law enforcement actions, the two most notable examples being TrickBot and Emotet.”
“While Qbot’s reemergence in email threat data is notable, it is not at the same volume and scale as previous activity. The law enforcement disruption appears to still be having an impact on Qbot’s operations.”