The QakBot malware is once again being distributed in phishing campaigns after the botnet was disrupted by law enforcement over the summer.
In August, a multinational law enforcement operation called Operation Duck Hunt accessed the QakBot admin's servers and mapped out the botnet's infrastructure.
After gaining access to the botnet's encryption keys used for malware communication, the FBI was able to hijack the botnet to push a custom Windows DLL module to infected devices.
This DLL executed a command that terminated the QakBot malware, effectively disrupting the botnet.
While a phishing service that was used to distribute the Qbot malware has seen activity since the disruption, there was no distribution of the QakBot malware until this past Monday, when the new phishing campaign started.
Microsoft is now warning that QakBot is being distributed again in a phishing campaign pretending to be an email from an IRS employee.
Microsoft says it first observed the phishing attack on December 11th in a small campaign targeting the hospitality industry.
When clicking on the download button, recipients will download an MSI that, when installed, launches the Qakbot malware DLL into memory.
Microsoft says the DLL was generated on December 11th, the same day the phishing campaign started, and uses a campaign code of 'tchk06' and command and control servers at 45.138.74.191:443 and 65.108.218.24:443.
Security researchers Pim Trouerbach and Tommy Madjar have also confirmed that the Qakbot payload being distributed is new, with some minor changes.
Trouerbach told BleepingComputer that there are minor changes to the new QakBot DLL, including using AES to decrypt strings rather than XOR in the previous version.
While it is too soon to tell if Qbot will have trouble regaining its former size, admins and users need to be on the lookout for reply-chain phishing emails that are commonly used to distribute the malware.
QakBot, aka Qbot, started out as a banking trojan in 2008, with malware developers using it to steal banking credentials, website cookies, and credit cards to commit financial fraud.
Over time, the malware evolved into a malware delivery service, partnering with other threat actors to provide initial access to networks for conducting ransomware attacks, espionage, or data theft.
Qakbot is distributed through phishing campaigns that utilize a variety of lures, including reply-chain email attacks, which is when threat actors use a stolen email thread and then reply to it with their own message and an attached malicious document.
These emails typically include malicious documents as attachments or links to download malicious files that install the Qakbot malware on a user's device.
Once installed, the malware will inject a DLL into a legitimate Windows process, such as wermgr.
DarkGate and Pikabot malware emerge as Qakbot's successors.
QNAP VioStor NVR vulnerability actively exploited by malware botnet.
New NKAbuse malware abuses NKN blockchain for stealthy comms.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 17 Dec 2023 21:45:14 +0000