A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network.
Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.
“Targets received a PDF from a user masquerading as an IRS employee,” the tech giant said in a series of posts shared on X (formerly Twitter).
“The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export ‘hvsi’ execution of an embedded DLL.”
Microsoft said that the payload was generated the same day the campaign started and that it is configured with the previously unseen version 0x500.
Zscaler ThreatLabz, in a post shared on X, described the resurfaced QakBot as a 64-bit binary that uses AES for network encryption and sends POST requests to the path /teorema505.
QakBot, also called QBot and Pinkslipbot, was disrupted as part of a coordinated effort called Operation Duck Hunt after the authorities managed to gain access to its infrastructure and instructed the infected computers to download an uninstaller file to render the malware ineffective.
Traditionally distributed via spam email messages containing malicious attachments or links, QakBot is capable of harvesting sensitive information as well as delivering additional malware, including ransomware.
In October 2023, Cisco Talos revealed that QakBot affiliates were leveraging phishing lures to deliver a mix of ransomware, remote access trojans, and stealer malware.
The return of QakBot mirrors that of Emotet, which also resurfaced in late 2021 months after it was dismantled by law enforcement and has remained a persistent threat, albeit at a lower level.
While it remains to be seen if the malware will return to its former glory, the resilience of such botnets underscores the need for organizations to avoid falling victim to spam emails used in Emotet and QakBot campaigns.
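The two concrete indicators reported above (a DLL launched via the ‘hvsi’ export, and POST requests to /teorema505) can be turned into simple detection logic over endpoint and proxy telemetry. The following is an added example, not code from Microsoft, Zscaler or the article; it assumes a constructed key=value log format and that the export is invoked with rundll32-style `dll,export` syntax, which the article does not state.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry in an assumed "key=value" format (not real captures).
SAMPLE_EVENTS = [
    'type=process cmdline="msiexec.exe /i C:\\Users\\u\\Downloads\\form.msi /qn"',
    'type=process cmdline="rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,hvsi"',
    'type=http method=POST host=203.0.113.10 path=/teorema505',
    'type=http method=GET host=example.com path=/index.html',
]

# Indicators taken from the reporting: C2 POST path and the DLL export name.
QBOT_C2_PATH = "/teorema505"
# Assumption: export invoked as "<something>.dll,hvsi" (rundll32-style syntax).
QBOT_EXPORT_RE = re.compile(r'\.dll"?\s*,\s*hvsi\b', re.IGNORECASE)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

@dataclass
class Finding:
    rule: str
    event: str

def parse_event(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def detect(lines):
    """Return a Finding for every event matching a QakBot indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "process" and QBOT_EXPORT_RE.search(ev.get("cmdline", "")):
            findings.append(Finding("qakbot_dll_export_hvsi", line))
        elif (ev.get("type") == "http" and ev.get("method") == "POST"
              and ev.get("path", "").split("?")[0] == QBOT_C2_PATH):
            findings.append(Finding("qakbot_c2_post_teorema505", line))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, "->", f.event)
```

Path-based and export-name indicators are cheap for an operator to change, so treat these as a starting point to be paired with the digitally signed MSI delivery chain rather than as a durable signature.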