
Qakbot malware group launches fresh campaign despite takedown


Recent reports suggest that the Qakbot malware group might still operate months after the FBI takedown in August 2023.

Researchers from the cybersecurity firm Cisco Talos found that the threat actors have wasted no time and have launched a new campaign, distributing a variant of the Cyclops/Ransom Knight ransomware alongside the notorious Remcos backdoor. The report confirms that the group remains active and that the FBI takedown had little or no effect on its operations.

The researchers traced the metadata concealed within LNK files associated with this new campaign back to machines previously linked to Qakbot’s nefarious activities.

In January 2023, an analysis by the Talos researchers revealed how a machine initially involved in the ‘AA’ campaign, identified by its drive serial number as ‘0x2848e8a8’, had subsequently become part of the ‘BB’ botnet. This discovery prompted the primary Qakbot operatives to systematically erase metadata from their LNK files, aiming to evade detection and tracking.
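As an added illustration of the tracking technique described above (this is not code from Talos or from the original article), the following Python script parses the VolumeID block of a Shell Link (.lnk) file, pulls out the drive serial number that Windows records from the machine the shortcut was built on, and checks it against a watchlist. The sample LNK is constructed inline; the only page-specific value it reuses is the serial quoted above.

```python
import struct

# Offsets and flag bits from the MS-SHLLINK specification.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
HEADER_SIZE = 0x4C

def extract_drive_serial(data: bytes):
    """Return (drive_serial, local_base_path) from a .lnk, or None when no VolumeID is stored."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the optional IDList block
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                              # target lives on a network share only
    # VolumeID layout: size, drive type, drive serial number, volume label offset
    _size, _drive_type, serial, _label_off = struct.unpack_from("<IIII", data, pos + vol_off)
    start = pos + base_off
    path = data[start:data.index(b"\x00", start)].decode("latin-1")
    return f"0x{serial:08x}", path

def build_sample_lnk(serial: int, local_path: bytes) -> bytes:
    """Constructed minimal .lnk for testing; mimics what the builder's machine writes."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_LINK_INFO) + b"\x00" * 52
    volume_id = struct.pack("<IIII", 17, 3, serial, 16) + b"\x00"   # empty volume label
    base_off = 28 + len(volume_id)
    suffix_off = base_off + len(local_path) + 1
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            28, base_off, 0, suffix_off)
    return header + link_info + volume_id + local_path + b"\x00" + b"\x00"

def matches_watchlist(data: bytes, known_serials) -> bool:
    """True when the LNK was built on a volume already tied to a tracked campaign."""
    info = extract_drive_serial(data)
    return info is not None and info[0] in known_serials

if __name__ == "__main__":
    # The serial below is the value Talos reported; the file itself is constructed here.
    sample = build_sample_lnk(0x2848E8A8, b"C:\\Windows\\explorer.exe")
    print(extract_drive_serial(sample), matches_watchlist(sample, {"0x2848e8a8"}))
```

Run it over real LNK attachments from a mail quarantine and a serial that recurs across unrelated lures is a strong pivot, which is exactly why the operators started wiping this metadata.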

In August 2023, Talos detected new LNK files from the same machine, ultimately leading to a network share used to distribute the Ransom Knight ransomware variant. The LNK launches Explorer.exe to open a remote network share over WebDAV at the IP address 89[.]23[.]96[.]203 on port 80, from which an executable is run via PowerShell. This manoeuvre avoids detection during the remote execution and is classified under MITRE ATT&CK T1105, Ingress Tool Transfer.

[Image: A Dark Web post announcing Ransom Knight. | Source: Cisco Talos]

The filenames attached to these deceptive LNK files, often related to urgent financial matters, suggest that they are being propagated through phishing emails — an approach that is consistent with Qakbot. The researchers found some filenames in Italian, hinting at a specific focus on users within that region.

These LNK files are concealed within Zip archives alongside an XLL file. Upon closer inspection, researchers found that these XLL files hid the Remcos backdoor, running in conjunction with the Ransom Knight ransomware, granting threat actors unrestricted access to the compromised machine post-infection.

The LNK file acts as a conduit for downloading an executable file from the remote IP address that contains the Ransom Knight payload, an updated iteration of the Cyclops ransomware-as-a-service.

Since the entity behind Cyclops announced this new variant in May 2023, researchers believe that the Qakbot threat actors are customers of the service rather than its creators.

“We do not believe the Qakbot threat actors are behind the ransomware-as-a-service offer but are simply customers of the service. As this new operation has been ongoing since the beginning of August 2023 and has not stopped after the takedown, we believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but only its command and control servers”, said Talos researcher Guilherme Venere.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
