New QakBot phishing campaign appears, months after FBI takedown

Months after an international law enforcement operation dismantled the notorious QakBot botnet, a new phishing campaign distributing the same malicious payload has been discovered.
QakBot was one of the most deployed malware loaders in 2023 until an FBI-led takedown in August took the operation offline and untethered 700,000 compromised machines from the botnet.
In a Dec. 15 post on X, Microsoft's Threat Intelligence team said it had identified a new QakBot phishing campaign.
Targets of the new campaign received an email purporting to be from a U.S. Internal Revenue Service employee.
The email included a PDF attachment containing a URL that downloaded a digitally signed Windows Installer file.
If victims executed the MSI file, it launched QakBot malware.
The payload was configured with a previously unseen version of the malware, 0x500, the Microsoft researchers said.
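The infection chain described above (an IRS-themed PDF lure carrying a link that fetches a Windows Installer package) is easy to screen for at a mail gateway or in a sandbox. As an added example, not code from the article or from Microsoft's report, the following Python pulls link annotations (`/URI` actions) out of a raw PDF and flags any whose path ends in an installer or script extension. The PDF bytes and the URLs in it are constructed here for illustration only. One caveat a practitioner would add: the MSI in the campaign was digitally signed, but an Authenticode signature only proves who signed the file and that it was not altered afterwards; it says nothing about whether the file is safe, so a signed installer from an unexpected publisher still deserves scrutiny.

```python
"""Extract link targets from a PDF and flag ones that fetch installers.

Works on the raw bytes of a non-compressed PDF (link annotations are usually
stored in plain object streams). Handles both /URI string forms the PDF spec
allows: literal strings in parentheses and hex strings in angle brackets.
"""
import posixpath
import re
from urllib.parse import urlparse

# /URI (literal string) -- escaped parentheses and backslashes are permitted inside
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# /URI <hex string> -- whitespace may appear between hex digits
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")

# Extensions that should never be the target of a link in an "IRS form" PDF.
INSTALLER_EXTENSIONS = {".msi", ".msix", ".msp", ".exe", ".js", ".vbs",
                        ".hta", ".lnk", ".iso", ".img", ".zip"}


def _unescape_pdf_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t and \\ddd octal."""
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C or i + 1 >= len(raw):      # not a backslash, copy through
            out.append(c)
            i += 1
            continue
        nxt = raw[i + 1]
        if 0x30 <= nxt <= 0x37:                   # up to three octal digits
            j = i + 1
            while j < len(raw) and j - (i + 1) < 3 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        else:                                     # \n \r \t etc., or escaped literal char
            out.append(simple.get(nxt, nxt))
            i += 2
    return bytes(out)


def extract_pdf_urls(pdf: bytes) -> list[str]:
    """Return every /URI target found in the PDF bytes, in document order."""
    found = []
    for m in _URI_LITERAL.finditer(pdf):
        found.append((m.start(), _unescape_pdf_literal(m.group(1)).decode("latin-1")))
    for m in _URI_HEX.finditer(pdf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:                       # spec: odd trailing digit is padded with 0
            hexstr += b"0"
        found.append((m.start(), bytes.fromhex(hexstr.decode()).decode("latin-1")))
    return [u for _, u in sorted(found)]


def flag_installer_links(urls: list[str]) -> list[str]:
    """Keep only URLs whose path component ends in an installer/script extension."""
    flagged = []
    for u in urls:
        path = urlparse(u).path.lower()           # ignores query string and fragment
        if posixpath.splitext(path)[1] in INSTALLER_EXTENSIONS:
            flagged.append(u)
    return flagged


# Constructed sample: a minimal PDF fragment with one benign link and one link
# to an .msi on a hypothetical host (example.invalid is a reserved, non-resolving TLD).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (http://example.invalid/irs/refund-form.msi) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://www.irs.gov/) >> >> endobj
"""

if __name__ == "__main__":
    urls = extract_pdf_urls(SAMPLE_PDF)
    print("links:", urls)
    print("suspicious:", flag_installer_links(urls))
```

Running the block on the constructed sample lists both links and flags only the one ending in `.msi`. Real-world lures often sit inside compressed object streams, so in a production pipeline you would decompress streams (or use a PDF parser) before applying the same regexes; the extension check is intentionally narrow and should be combined with domain reputation, since a sandbox-evasive lure can just as easily link to an HTML page that redirects to the installer.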
While taking out such a major botnet, one that had taken years to build, was considered a significant victory, researchers warned at the time that because no arrests were made, the threat actors behind QakBot could regroup.
In October, Cisco Talos said it believed the same gang had been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails in the weeks prior to the QakBot takedown.
Talos researchers said while the August raid took down the group's command-and-control servers, it had not impacted their spam delivery infrastructure.
QakBot was first observed in 2008 and has been regularly updated over the years.
Once it has compromised a victim's computer, the malware can deliver additional malicious payloads, including ransomware, to the infected system.
It has been used as an initial means of infection by several ransomware groups including Conti and Black Basta.
Qakbot was leveraged in the 2021 attack against meat processor JBS, which disrupted its production facilities and forced an $11 million ransom payment.
To untether the 700,000 compromised computers from the botnet in August, the FBI redirected Qakbot traffic to and through servers controlled by the agency.
The infected machines - located in the U.S. and around the world - were then instructed to download a file created by law enforcement that uninstalled the malware.


This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 19 Dec 2023 15:13:05 +0000

