Despite the disruption to its infrastructure, the threat actors behind the QakBot malware have been linked to an ongoing phishing campaign since early August 2023 that has led to the delivery of Ransom Knight (aka Cyclops) ransomware and Remcos RAT.
This means that "the law enforcement operation might not have impacted Qakbot operators' spam delivery infrastructure but rather only their command-and-control (C2) servers," Cisco Talos researcher Guilherme Venere said in a new report published today.
The activity has been attributed with moderate confidence by the cybersecurity company to QakBot affiliates. There is no evidence to date that the threat actors have resumed distributing the malware loader itself post-infrastructure takedown.
QakBot, also known as QBot and Pinkslipbot, originated as a Windows-based banking trojan in 2007 and subsequently developed capabilities to deliver additional payloads, including ransomware. In late August 2023, the notorious malware operation was dealt a blow as part of an operation named Duck Hunt.
The latest activity, which began just before the takedown, starts with a malicious LNK file likely distributed via phishing emails that, when launched, triggers the infection and ultimately deploys the Ransom Knight ransomware, a recent rebrand of the Cyclops ransomware-as-a-service (RaaS) scheme.
The ZIP archives containing the LNK files have also been observed including Excel add-in (.XLL) files to propagate the Remcos RAT, which provides persistent backdoor access to the endpoints.
Some of the file names used in the campaign are written in Italian, which indicates the attackers are targeting users in that region.
"Although we have not observed the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a major threat going forward," Venere said.
"Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity."