In recent days, several security vendors have reported seeing the malware being distributed via phishing emails that target organizations in the hospitality sector.
For the moment, the email volumes appear to be relatively low.
Given the tenacity that Qakbot operators have shown in the past, it likely won't be long before the volume picks up again.
Low Volumes - So Far

Microsoft's threat intelligence group has estimated the new campaign began Dec. 11, based on a timestamp in the payload used in the recent attacks.
Targets have received emails with a PDF attachment from a user purporting to be an employee at the IRS, the company said in multiple posts on X, the platform formerly known as Twitter.
In a post on X, the company identified the new version as 64-bit, using AES for network encryption and sending POST requests to a specific path on compromised systems.
Proofpoint confirmed similar sightings a day later while also noting that the PDFs in the current campaign have been distributed since at least Nov. 28.
Long-Prevalent Threat

Qakbot is particularly noxious malware that has been around since at least 2007.
Its authors originally used the malware as a banking Trojan but in recent years pivoted to a malware-as-a-service model.
Threat actors typically have distributed the malware via phishing emails, and infected systems usually become part of a bigger botnet.
At the time of the takedown in August, law enforcement identified as many as 700,000 Qakbot-infected systems worldwide, some 200,000 of which were located in the US. Qakbot-affiliated actors have increasingly used it as a vehicle to drop other malware, most notably Cobalt Strike, Brute Ratel, and a slew of ransomware.
In many instances, initial access brokers have used Qakbot to gain access to a target network and later sold that access to other threat actors.
Takedown Only Slowed Qakbot

The recent sightings of Qakbot malware appear to confirm what some vendors have reported in recent months: Law enforcement's takedown had less of an impact on Qakbot actors than generally perceived.
In October threat hunters at Cisco Talos reported that Qakbot-affiliated actors were continuing to distribute the Remcos backdoor and Ransom Knight ransomware in the weeks and months following the FBI's seizure of Qakbot infrastructure.
Talos security researcher Guilherme Venere saw that as a sign that August's law enforcement operation may have taken out only Qakbot's command-and-control servers and not its spam-delivery mechanisms.
Security firm Lumu said it counted a total of 1,581 attempted attacks on its customers in September that were attributable to Qakbot.
In subsequent months, the activity has remained at more or less the same level, according to the company.
Most attacks have targeted organizations in finance, manufacturing, education, and government sectors.
The threat group's continued distribution of the malware indicates that it managed to evade significant consequences, Lumu CEO Ricardo Villadiego says.
The group's ability to continue operating primarily hinges on the economic feasibility, technical capabilities, and ease of establishing new infrastructure, he notes.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 19 Dec 2023 23:15:19 +0000