Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet.
Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December 11 but attack attempts are currently low in volume.
The gang targets the hospitality sector, initially using phishing emails containing malicious PDF attachments that they've doctored to look like they come from the US Internal Revenue Service.
Germán Fernández, security researcher at CronUp, said the same PDF template was used just days earlier by operators of Pikabot, Windows malware that shares many similarities with Qakbot.
Both are being associated with attacks from the group Proofpoint tracks as TA577.
Clicking the button in the PDF led to the download and installation of Qakbot, which Microsoft said may have been an updated payload. The previously unseen version, 0x500, was generated on December 11, according to its analysis.
The team at Zscaler ThreatLabz confirmed that the payload was updated, and the new version has a 64-bit architecture, uses AES for network encryption, and sends POST requests to path /teorema505.
They added that the new Qakbot activity goes back to November 28, roughly two weeks earlier than December 11, the date Microsoft first spotted it.
August saw the conclusion of Operation Duck Hunt with what authorities said at the time was a takedown of Qakbot, seizing its infrastructure and 20 of its operators' crypto wallets.
The operation was also supported by authorities in the UK, France, Germany, the Netherlands, and Latvia, but didn't result in any arrests.
Dan Schiappa, chief product officer at security shop Arctic Wolf, said while praise should certainly go to the authorities that worked to bring down the original botnet, Qakbot's resurgence illustrates the difficulty in tackling cybercrime, especially without making arrests.
Qakbot's revival may not come as a surprise to some, since Emotet was also taken down by an internationally co-ordinated law enforcement operation in 2021 but resurfaced again later that year.
At its height, Emotet controlled more than 1 million machines and was widely understood to be the most developed botnet in the world.
Emotet's return was met with concern from the infosec industry at the time, and in less than a year after its takedown it was once again ranked the number-one malware in operation.
Since 2022, Emotet has tailed off, flitting between periods of activity and silence, and has lain dormant for months following a brief surge in March.
Speaking to The Register, Selena Larson, senior threat intelligence analyst at Proofpoint, said there is still evidence to show that Operation Duck Hunt's disruption has had an impact on Qakbot's operations, but it may mirror Emotet's downfall and take time for it to fully die off.
This Cyber News was published on www.theregister.com. Publication date: Wed, 20 Dec 2023 00:14:05 +0000