Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet.

Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December 11 but attack attempts are currently low in volume.

The gang targets the hospitality sector, initially using phishing emails containing malicious PDF attachments that they’ve doctored to look like they come from the US Internal Revenue Service (IRS).

When opened, the PDF presents the target with an error screen indicating a preview of the document isn’t available, alongside a button to download the document from “AdobeCloud.”

Germán Fernández, security researcher at CronUp, said the same PDF template was used by Pikabot operators just days earlier – Windows malware that shares many similarities with Qakbot. Both are being associated with attacks from the group Proofpoint tracks as TA577.

Clicking the button in the PDF led to the download and installation of Qakbot, which Microsoft said may have been an updated payload. The previously unseen version, 0x500, was generated on December 11, according to its analysis.

The team at Zscaler ThreatLabz confirmed that the payload was updated, and the new version has a 64-bit architecture, uses AES for network encryption, and sends POST requests to path /teorema505.
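The one network-level indicator the reporting above gives is concrete enough to check for in proxy or web-server logs: POST requests to the path /teorema505. The script below is an added example, not code from the article or from any of the vendors it quotes. It parses a few constructed log lines in a hypothetical "client_ip method host path status" format (adjust the regular expression to your own log layout) and returns the client machines that issued a POST to that path. A path match on its own is a weak signal, so treat a hit as a lead to confirm with endpoint data rather than as proof of infection.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines in a hypothetical format
# "client_ip method host path status"; these are not from any real capture.
SAMPLE_LOG = """\
10.0.0.12 GET  www.example.com  /index.html      200
10.0.0.45 POST 203.0.113.7      /teorema505      200
10.0.0.45 POST 203.0.113.7      /teorema505?x=1  200
10.0.0.9  POST intranet.local   /api/upload      201
10.0.0.31 GET  198.51.100.2     /teorema505      404
"""

# Indicator reported in the article (Zscaler ThreatLabz): the updated
# Qakbot build sends POST requests to the path /teorema505.
QAKBOT_C2_PATH = "/teorema505"

# Assumed log layout; change the pattern to match your own proxy format.
LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    client_ip: str
    host: str
    path: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_indicator(rec):
    """True when the record is a POST to the reported C2 path.

    The query string is dropped before comparing so that
    /teorema505?x=1 still matches; only the method and path are used.
    """
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path == QAKBOT_C2_PATH


def find_qakbot_beacons(log_text):
    """Return one Hit per log line that matches the indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_indicator(rec):
            hits.append(Hit(rec["ip"], rec["host"], rec["path"]))
    return hits


def affected_clients(log_text):
    """Deduplicated, sorted list of client IPs that produced a hit."""
    return sorted({h.client_ip for h in find_qakbot_beacons(log_text)})


if __name__ == "__main__":
    for hit in find_qakbot_beacons(SAMPLE_LOG):
        print(f"possible Qakbot beacon: {hit.client_ip} -> {hit.host}{hit.path}")
    print("clients to triage:", affected_clients(SAMPLE_LOG))
```

Only the method and path are compared; the destination host is deliberately not part of the match because the article gives no C2 addresses, and a GET to the same path (the last sample line) is ignored since the reported behaviour is specifically a POST.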

Two researchers at Proofpoint, Tommy Madjar and Pim Trouerbach, also confirmed they had spotted updated Qakbot activity, but the new features only amount to “minor tweaks.”

They added that the new Qakbot activity goes back to November 28, roughly two weeks further than December 11 – the date Microsoft first spotted it.

  • AutoTL;DRB
    111 months ago

    This is the best summary I could come up with:
    Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet.

    Germán Fernández, security researcher at CronUp, said the same PDF template was used by Pikabot operators just days earlier – Windows malware that shares many similarities with Qakbot.

    Two researchers at Proofpoint, Tommy Madjar and Pim Trouerbach, also confirmed they had spotted updated Qakbot activity, but the new features only amount to “minor tweaks.”

    Dan Schiappa, chief product officer at security shop Arctic Wolf, said while praise should certainly go to the authorities that worked to bring down the original botnet, Qakbot’s resurgence illustrates the difficulty in tackling cybercrime, especially without making arrests.

    Jakub Kaloč, malware researcher at ESET, said in a July blog that Emotet’s extended period of downtime is likely due to it “failing to find an effective, new attack vector.”

    Larson added: “It’s also worth noting the Qbot law enforcement disruption removed hundreds of thousands of infections, which would significantly hamstring any recurring operations and require some rebuilding on the effort of the threat actors.”
    The original article contains 866 words, the summary contains 181 words. Saved 79%. I’m a bot and I’m open source!