Article Details
Scrape Timestamp (UTC): 2023-10-05 13:20:36.096
Source: https://thehackernews.com/2023/10/qakbot-threat-actors-still-in-action.html
Original Article Text
QakBot Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks

Despite the disruption to its infrastructure, the threat actors behind the QakBot malware have been linked to an ongoing phishing campaign, active since early August 2023, that delivered Ransom Knight (aka Cyclops) ransomware and Remcos RAT. This indicates that "the law enforcement operation may not have impacted Qakbot operators' spam delivery infrastructure but rather only their command-and-control (C2) servers," Cisco Talos researcher Guilherme Venere said in a new report published today.

The activity has been attributed with moderate confidence by the cybersecurity firm to QakBot affiliates. There is no evidence to date that the threat actors have resumed distributing the malware loader itself since the infrastructure takedown.

QakBot, also called QBot and Pinkslipbot, originated as a Windows-based banking trojan in 2007 and subsequently developed capabilities to deliver additional payloads, including ransomware. In late August 2023, the malware operation was dealt a blow by a law enforcement operation named Duck Hunt.

The latest activity, which commenced just before the takedown, starts with a malicious LNK file, likely distributed via phishing emails, that, when launched, triggers the infection chain and ultimately deploys the Ransom Knight ransomware, a recent rebrand of the Cyclops ransomware-as-a-service (RaaS) scheme. The ZIP archives containing the LNK files have also been observed bundling Excel add-in (.XLL) files to deliver the Remcos RAT, which gives the attackers persistent backdoor access to the endpoints. Some of the file names used in the campaign are written in Italian, which suggests the attackers are targeting users in that region.

"Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward," Venere said. "Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity."
Daily Brief Summary
QakBot threat actors, despite an earlier disruption to their infrastructure, have been linked to an ongoing phishing campaign since early August 2023. The campaign uses Ransom Knight (or Cyclops) ransomware and Remcos RAT.
Security researchers at Cisco Talos attribute the activity, with moderate confidence, to QakBot affiliates. However, they stated there is no evidence the threat actors have resumed distributing their malware loader following the infrastructure disruption.
QakBot, also known as QBot and Pinkslipbot, was originally a Windows-based banking trojan created in 2007. Over time, it evolved capabilities to deliver additional payloads, including ransomware.
The newest campaign starts with a malicious LNK file, likely distributed via phishing emails, which leads to an infection and ultimately deploys the Ransom Knight ransomware. Additionally, ZIP archives containing the malicious LNK files incorporate Excel add-in (.XLL) files to disseminate the Remcos RAT, for persistent backdoor access to the endpoints.
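The delivery chain described in the article body and restated above (a ZIP archive carrying a malicious LNK file alongside an Excel add-in) is a pattern a mail gateway or triage script can check for. The following is an added example written for this page; it is not code from Cisco Talos, The Hacker News, or the campaign itself. It builds a ZIP archive in memory from constructed sample entries (the file names and contents are invented; the Italian-looking name only mirrors the campaign's use of Italian file names) and flags members whose extension is .lnk or .xll, checking each against the file header that type should carry: a Shell Link header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), or the DOS "MZ" stub of the PE DLL that an .xll add-in actually is. A member whose header does not match its extension is still reported, with the mismatch noted.

```python
"""Triage a ZIP attachment for the LNK + XLL lure pattern.

Added example (not Cisco Talos's or The Hacker News's code). Builds a ZIP
in memory from constructed sample entries, then flags members named *.lnk
or *.xll and checks whether their bytes start with the header that type
should have, so a decoy with a misleading extension is reported separately.
"""
import io
import struct
import zipfile

# Windows Shell Link (LNK) header: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000C000000000000046")
# An Excel add-in (.xll) is a PE DLL, so it begins with the DOS "MZ" stub.
PE_MAGIC = b"MZ"

SUSPICIOUS_EXTENSIONS = {".lnk": LNK_MAGIC, ".xll": PE_MAGIC}


def scan_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of the ZIP held in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            for ext, magic in SUSPICIOUS_EXTENSIONS.items():
                if lower.endswith(ext):
                    with zf.open(info) as fh:
                        head = fh.read(len(magic))
                    findings.append({
                        "member": info.filename,
                        "extension": ext,
                        # True when the header matches the type the extension claims.
                        "header_ok": head == magic,
                    })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive standing in for a phishing attachment.

    File names are invented; the Italian-looking names only mirror the
    campaign's use of Italian file names. Contents are the bare headers
    needed for triage, not real payloads.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Fattura_2023.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # genuine LNK header
        zf.writestr("Allegato.xll", PE_MAGIC + b"\x90\x00" + b"\x00" * 62)  # PE DOS stub
        zf.writestr("note.lnk", b"not really a shortcut")  # extension lies about the type
        zf.writestr("readme.txt", b"benign text")  # not flagged
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        verdict = "header matches" if f["header_ok"] else "header MISMATCH"
        print(f"{f['member']}: {f['extension']} ({verdict})")
```

Checking the header as well as the extension matters in both directions: a shortcut renamed to .pdf.lnk still carries the LNK header, while a file that ends in .lnk but lacks it is either a decoy or something else masquerading, and either way deserves a different handling path than a clean match.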
Evidence, such as certain campaign file names written in Italian, suggests the attackers may be focusing on users in Italy.
Researchers anticipate QakBot malware to remain a significant threat, due to the continued activity of its operators who might even rebuild the QakBot infrastructure for a full resumption of their earlier activity.