Qakbot returns: FBI-led takedown lasts just 3 months (The Register)

Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet.
Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December 11 but attack attempts are currently low in volume.
The gang targets the hospitality sector, initially using phishing emails containing malicious PDF attachments that they've doctored to look like they come from the US Internal Revenue Service.
Germán Fernández, security researcher at CronUp, said the same PDF template was used by Pikabot operators just days earlier - Windows malware that shares many similarities with Qakbot.
Both are being associated with attacks from the group Proofpoint tracks as TA577.
Clicking the button in the PDF led to the download and installation of Qakbot, which Microsoft said may have been an updated payload: a previously unseen version, 0x500, generated on December 11, according to Microsoft's analysis.
The team at Zscaler ThreatLabz confirmed that the payload was updated, and the new version has a 64-bit architecture, uses AES for network encryption, and sends POST requests to path /teorema505.
They added that the new Qakbot activity goes back to November 28, roughly two weeks earlier than December 11, the date Microsoft first spotted it.
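The one network indicator the reporting gives is the C2 path /teorema505. The following is an added example, not code from The Register, Microsoft or Zscaler: it scans proxy log lines for outbound POST requests to that path and lists the destination hosts as candidate C2 servers. The log format, the field names and the sample lines (using documentation IP ranges) are constructed for illustration; only the path comes from the Zscaler analysis quoted above.

```python
"""Flag outbound HTTP POSTs to the Qakbot C2 path reported by Zscaler.

Added example, not from the article or from Zscaler. The only fact taken
from the reporting is the URI path /teorema505; the log format, field
names and sample lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator from the Zscaler analysis quoted in the article.
QAKBOT_C2_PATH = "/teorema505"

# Constructed proxy log format (assumption):
#   <timestamp> <src_ip> <method> <url> <status> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    host: str
    url: str


def _path_matches(url: str) -> bool:
    """Compare the path component only, so a query string or a trailing
    slash does not let the request slip past a plain substring check,
    while a longer path such as /teorema5050 is still rejected."""
    path = urlsplit(url).path.rstrip("/")
    return path == QAKBOT_C2_PATH


def scan(lines):
    """Return a Hit for every parseable POST whose path is the C2 path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; count these separately in production
        if m["method"] != "POST":
            continue  # Zscaler reports POST beacons; GETs are not flagged
        if _path_matches(m["url"]):
            host = urlsplit(m["url"]).hostname or ""
            hits.append(Hit(m["ts"], m["src"], host, m["url"]))
    return hits


def candidate_c2_hosts(hits):
    """Distinct destination hosts seen in the hits, for blocking or pivoting."""
    return sorted({h.host for h in hits})


# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    "2023-12-12T09:14:03Z 10.20.30.41 GET http://203.0.113.10/teorema505 200 512",
    "2023-12-12T09:14:05Z 10.20.30.41 POST http://203.0.113.10/teorema505 200 1320",
    "2023-12-12T09:14:07Z 10.20.30.42 POST https://203.0.113.25:443/teorema505/ 200 880",
    "2023-12-12T09:14:09Z 10.20.30.43 POST http://198.51.100.7/teorema505?x=1 200 900",
    "2023-12-12T09:15:00Z 10.20.30.44 POST http://example.test/teorema5050 200 100",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.host} ({h.url})")
    print("candidate C2 hosts:", candidate_c2_hosts(found))
```

A static path is a weak indicator on its own: the operators can change it in the next build, and the 64-bit binary and AES-encrypted traffic that Zscaler describes are only visible in payload analysis, not in proxy logs. Treat a match as a pivot point for host triage rather than as confirmation.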
August saw the conclusion of Operation Duck Hunt with what authorities said at the time was a takedown of Qakbot, seizing its infrastructure and 20 of its operators' crypto wallets.
The operation was also supported by authorities in the UK, France, Germany, the Netherlands, and Latvia, but didn't result in any arrests.
Dan Schiappa, chief product officer at security shop Arctic Wolf, said while praise should certainly go to the authorities that worked to bring down the original botnet, Qakbot's resurgence illustrates the difficulty in tackling cybercrime, especially without making arrests.
Qakbot's revival may not come as a surprise to some, since Emotet was also taken down by an internationally co-ordinated law enforcement operation in 2021 but resurfaced later that year.
At its height, Emotet controlled more than 1 million machines and was widely understood to be the most developed botnet in the world.
Emotet's return was met with concern from the infosec industry at the time, and in less than a year after its takedown it was once again ranked the number-one malware in operation.
Since 2022, Emotet has tailed off, flitting between periods of activity and silence, and has lain dormant for months following a brief surge in March.
Speaking to The Register, Selena Larson, senior threat intelligence analyst at Proofpoint, said there is still evidence to show that Operation Duck Hunt's disruption has had an impact on Qakbot's operations, but it may mirror Emotet's downfall and take time to fully die off.


Published on www.theregister.com, Wed, 20 Dec 2023 00:14:05 +0000
