In a relentless campaign that began in early August 2023, the threat actors associated with the notorious Qakbot malware have been persistently distributing the Ransom Knight ransomware and the Remcos backdoor via targeted phishing emails.
Remarkably, this activity commenced before the FBI seized Qakbot infrastructure in late August, indicating that the law enforcement operation may have impacted the command and control (C2) servers, but not the spam delivery infrastructure.
Qakbot Affiliates Launches New Qakbot Malware Campaign
Attributed to Qakbot affiliates, this new campaign has been identified by Talos through an analysis of metadata found in LNK files, which aligns with the metadata previously observed in Qakbot campaigns denoted as “AA” and “BB.”
While the direct distribution of Qakbot itself has not been observed post-infrastructure takedown, the potential threat persists. This is rooted in the fact that the developers, having evaded arrest, remain operational, leaving open the possibility of rebuilding the Qakbot infrastructure.
The collaborative operation involving the FBI in August 2023 effectively dismantled Qakbot’s infrastructure and cryptocurrency holdings.
This prompted speculation within the security industry about the long-term impact on Qakbot affiliates, whether they were permanently disbanded or merely in a temporary hiatus while reconstructing their strategies.
Technical Details of the Qakbot Malware Campaign
Talos, with moderate confidence, asserts that the Qakbot threat actors remain active, as evidenced by their latest campaign involving the distribution of a variant of Cyclops/Ransom Knight ransomware alongside the Remcos backdoor.
This conclusion was drawn by tracing metadata in the LNK files used in the recent campaign back to machines employed in earlier Qakbot campaigns.
Back in January 2023, Talos introduced a methodology for identifying and tracking threat actors using metadata from LNK files.
This methodology successfully linked a machine utilized in the “AA” campaign to subsequent campaigns under the moniker “BB.”
Following this revelation, the original Qakbot actors associated with campaigns “AA,” “BB,” and “Obama” began erasing metadata in their LNK files to hinder detection and tracking efforts.
In August 2023, Talos discovered new LNK files originating from the same system, pointing towards a network share housing the Ransom Knight ransomware.
Further investigation revealed that these files initiated a command to access a remote network share via PowerShell, ultimately deploying Ransom Knight.
The saga of Qakbot malware campaigns
These LNK files, featuring filenames hinting at urgent financial matters, are indicative of the phishing tactics consistent with previous Qakbot campaigns.
Notably, some of these filenames are in Italian, suggesting a geographical targeting strategy. Enclosed within Zip archives, these LNK files are accompanied by XLL files, typically associated with Excel add-ins.
The XLL files, upon execution, deploy the Remcos backdoor, granting threat actors access to the infected system. Meanwhile, the LNK file facilitates the download of the Ransom Knight payload from a remote IP, representing an evolved version of the Cyclops ransomware.
It is important to note that while Qakbot threat actors may not be the originators of the ransomware service, they are customers of this illicit enterprise.
The FBI operation in August 2023 primarily impacted control servers, leaving email delivery mechanisms unaffected.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
