Qakbot Sightings Confirm Law Enforcement Takedown Was Only a Setback

In recent days, several security vendors have reported seeing the malware being distributed via phishing emails that target organizations in the hospitality sector.
For the moment, the email volumes appear to be relatively low.
Given the tenacity that Qakbot operators have shown in the past, it likely won't be long before the volume picks up again.
Low Volumes - So Far Microsoft's threat intelligence group has estimated the new campaign began Dec. 11, based on a timestamp in the payload used in the recent attacks.
Targets have received emails with a PDF attachment from a user purporting to be an employee at the IRS, the company said in multiple posts on X, the platform formerly known as Twitter.
In a post on X, the company identified the new version as 64-bit, using AES for network encryption and sending POST requests to a specific path on compromised systems.
Proofpoint confirmed similar sightings a day later while also noting that the PDFs in the current campaign have been distributed since at least Nov. 28.
Long-Prevalent Threat Qakbot is particularly noxious malware that has been around since at least 2007.
Its authors originally used the malware as a banking Trojan but in recent years pivoted to a malware-as-a-service model.
Threat actors typically have distributed the malware via phishing emails, and infected systems usually become part of a bigger botnet.
At the time of the takedown in August, law enforcement identified as many as 700,000 Qakbot-infected systems worldwide, some 200,000 of which were located in the US. Qakbot-affiliated actors have increasingly used it as a vehicle to drop other malware, most notably Cobalt Strike, Brute Ratel, and a slew of ransomware.
In many instances, initial access brokers have used Qakbot to gain access to a target network and later sold that access to other threat actors.
Takedown Only Slowed Qakbot The recent sightings of Qakbot malware appear to confirm what some vendors have reported in recent months: Law enforcement's takedown had less of an impact on Quakbot actors than generally perceived.
In October threat hunters at Cisco Talos reported that Qakbot-affiliated actors were continuing to distribute the Remcos backdoor and Ransom Knight ransomware in the weeks and months following the FBI's seizure of Qakbot infrastructure.
Talos security researcher Guilherme Venere saw that as a sign that August's law enforcement operation may have taken out only Qakbot's command-and-control servers and not its spam-delivery mechanisms.
Security firm Lumu said it counted a total of 1,581 attempted attacks on its customers in September that were attributable to Qakbot.
In subsequent months, the activity has remained at more or less the same level, according to the company.
Most attacks have targeted organizations in finance, manufacturing, education, and government sectors.
The threat group's continued distribution of the malware indicates that it managed to evade significant consequences, Lumu CEO Ricardo Villadiego says.
The group's ability to continue operating primarily hinges on the economic feasibility, technical capabilities, and ease of establishing new infrastructure, he notes.


This Cyber News was published on www.darkreading.com. Publication date: Tue, 19 Dec 2023 23:15:19 +0000


Cyber News related to Qakbot Sightings Confirm Law Enforcement Takedown Was Only a Setback

Qakbot Sightings Confirm Law Enforcement Takedown Was Only a Setback - In recent days, several security vendors have reported seeing the malware being distributed via phishing emails that target organizations in the hospitality sector. For the moment, the email volumes appear to be relatively low. Given the tenacity ...
1 year ago Darkreading.com
New QakBot phishing campaign appears, months after FBI takedown - Months after an international law enforcement operation dismantled the notorious QakBot botnet, a new phishing campaign distributing the same malicious payload has been discovered. QakBot was one of the most deployed malware loaders in 2023 until an ...
1 year ago Packetstormsecurity.com
Qakbot returns: FBI-led takedown lasts just 3 months The Register - Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet. Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December ...
1 year ago Theregister.com
Qbot malware returns in campaign targeting hospitality industry - The QakBot malware is once again being distributed in phishing campaigns after the botnet was disrupted by law enforcement over the summer. In August, a multinational law enforcement operation called Operation Duck Hunt accessed the QakBot admin's ...
1 year ago Bleepingcomputer.com
The law enforcement operations targeting cybercrime in 2023 - In 2023, we saw numerous law enforcement operations targeting cybercrime operations, including cryptocurrency scams, phishing attacks, credential theft, malware development, and ransomware attacks. While some of these operations were more successful ...
11 months ago Bleepingcomputer.com
The Top 5 Ransomware Takedowns - Learn about the recent achievements in the fight against ransomware as law enforcement agencies and cybersecurity organizations successfully disrupt operations, seize infrastructure, and safeguard victims from further attacks. Trigona ransomware, a ...
1 year ago Securityboulevard.com
Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over - Takedown of malware infrastructure by law enforcement has proven to have an impact, albeit limited, on cybercriminal activity, according to threat intelligence provider Recorded Future. The Emotet takedown, led by Europol and Eurojust in 2021. The ...
11 months ago Infosecurity-magazine.com
Law Firms and Legal Departments Get Singled Out For Cyberattacks - Cyberattackers are doubling down on their attacks against law firms and corporate legal departments, moving beyond their historical activity of hacking and leaking secrets to targeting the sector with financial attacks, such as ransomware and ...
1 year ago Darkreading.com
How the Hive Takedown Impacts Ransomware Prevention - Ransomware experts are widely praising the takedown of the notorious "Hive" criminal infrastructure, but the potential impacts it may have on preventing ransomware ongoing and into the future remains a matter of debate. ...
1 year ago Therecord.media
Law enforcement conducts 'largest ever' botnet takedown - In the latest high-profile law enforcement action against cybercrime, agencies disrupted several notorious botnets and malware droppers widely used in ransomware attacks. Europol on Thursday announced that an international law enforcement action, ...
6 months ago Techtarget.com
Hackers Using Weaponized PDF Files to Deliver Qakbot Malware - Qakbot is a sophisticated banking trojan and malware that primarily targets financial institutions. This sophisticated malware steals sensitive information such as:-. Not only that, even Microsoft has found small-scale phishing targeting the ...
11 months ago Gbhackers.com
Qakbot returns in fresh assault on hospitality sector - The Qakbot botnet has been disrupted this summer, but cybercriminals are not ready to give up on the malware: Microsoft's threat analysts have spotted a new phishing campaign attempting to deliver it to targets in the hospitality industry. Qakbot, ...
1 year ago Helpnetsecurity.com
A Major Ransomware Takedown Suffers a Strange Setback - Part of the reason for law enforcement's delay in attempting to take down Alphv's infrastructure may have been an ongoing investigation into the actors behind the group. The takedown effort involved collaboration and parallel investigations from ...
1 year ago Wired.com
More than $100 million in ransom paid to Black Basta gang over nearly 2 years - The Black Basta cybercrime gang has raked in at least $107 million in ransom payments since early 2022, according to research from blockchain security company Elliptic and Corvus Insurance. The group has infected more than 329 victim organizations ...
1 year ago Therecord.media
RagnarLocker ransoms its last victim as cybercops seize site The Register - Law enforcement agencies have taken over RagnarLocker ransomware group's leak site in an internationally coordinated takedown. Among the agencies involved are Europol's European Cybercrime Centre, the US's Federal Bureau of Investigation, and ...
1 year ago Theregister.com
Microsoft fixes Windows zero-day exploited in QakBot malware attacks - Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems. Tracked as CVE-2024-30051, this privilege escalation bug is caused by a heap-based buffer overflow in the ...
7 months ago Bleepingcomputer.com
Feds Snarl ALPHV/BlackCat Ransomware Operation - After nearly two weeks of speculation, the US Department of Justice has claimed credit for the takedown of ALPHV/BlackCat leak sites and infiltrating the ransomware group's network. Experts speculate this could be a wrap for the ransomware group just ...
1 year ago Darkreading.com
Law Enforcement Confirms BlackCat Take Down, Decryption Key Offered to - The takedown of the ALPHV/BlackCat ransomware group's leak site has been confirmed as a result of global law enforcement action. The FBI is now urging over 500 of the group's victims to come forward to receive a decryption key that will enable them ...
1 year ago Infosecurity-magazine.com
Victory! Grand Jury Finds Sacramento Cops Illegally Shared Driver Data - For the past year, EFF has been sounding the alarm about police in California illegally sharing drivers' location data with anti-abortion states, putting abortion seekers and providers at risk of prosecution. We thus applaud the Sacramento County ...
5 months ago Eff.org
Understanding the Seizure of Dark Web Sites Linked to the Hive Ransomware - Recently, law enforcement seized several dark web sites linked to the Hive ransomware. The Hive ransomware is a potent form of malware that cybercriminals use to target organizations and individual computer users in order to demand a ransom for ...
1 year ago Bleepingcomputer.com
FBI disrupts Blackcat ransomware operation, creates decryption tool - The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys. On December 7th, BleepingComputer first reported that the ALPHV, aka ...
1 year ago Bleepingcomputer.com
Dozens of Rogue California Police Agencies Still Sharing Driver Locations with Anti-Abortion States - SAN FRANCISCO-California Attorney General Rob Bonta should crack down on police agencies that still violate Californians' privacy by sharing automated license plate reader information with out-of-state government agencies, putting abortion seekers ...
10 months ago Eff.org
Law Firms are Raising the Bar on Cybersecurity - Corresponding with recent increases in threat actor activity in the legal industry, law firms are investing more time and attention in modernizing security operations. Both midsize and large law firms are increasingly engaging with cybersecurity ...
1 year ago Bluevoyant.com
Telegram revealed it shared U.S. user data with law enforcement - Independent website 404 Media first revealed that in 2024 Telegram has fulfilled more than a dozen law enforcement data requests from the U.S. authorities. At the end of September, Telegram updated its privacy policy informing users that it will ...
2 months ago Securityaffairs.com
'Operation Endgame' Hits Malware Delivery Platforms - Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. A frame from one of three ...
6 months ago Krebsonsecurity.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)