Security researchers have spotted a new phishing campaign distributing the QakBot malware, more than three months after an international law enforcement operation dismantled the notorious QakBot botnet that infected more than 700,000 computers globally and was linked to multiple attacks involving ransomware, financial fraud and other cybercriminal activity.
The Qakbot (aka QBot, QuackBot, and Pinkslipbot) malware infected victim machines primarily via spam emails with malicious attachments or links. Initially designed as a banking trojan, QakBot has gained new capabilities over time. Beyond providing initial access to targeted networks, QakBot delivers other remote-access payloads, steals sensitive data, and facilitates lateral movement and remote code execution.
Qakbot has been used by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. According to recent research, Qakbot was the most popular malware loader during the first seven months of 2023.
The new Qakbot campaign, observed by Microsoft's threat intelligence team in December, was low-volume and targeted the hospitality industry with phishing emails containing a malicious PDF document masquerading as a message from an IRS employee.
“The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export ‘hvsi’ execution of an embedded DLL,” Microsoft said in a series of posts on X (formerly Twitter).
“Most notably, the delivered Qakbot payload was configured with the previously unseen version 0x500,” the company added.
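The chain Microsoft describes (signed MSI, then an embedded DLL invoked through the export "hvsi") leaves a recognisable parent/child footprint in process-creation telemetry. The following is an added detection example, not code from the article or from Microsoft: it scans constructed Sysmon-style events and flags msiexec.exe spawning a DLL loader and any command line that calls the "hvsi" export. The export name comes from the report; the use of rundll32.exe as the loader, the file paths and the sample events are assumptions made for illustration.

```python
"""Flag process-creation events consistent with an MSI dropping a DLL that is
run via the export "hvsi" (export name from the Microsoft report; rundll32.exe
as the loader is an assumption, as are all paths below)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


# Constructed sample events (not real telemetry). Event 1 models the reported
# chain; event 3 is a benign MSI custom action for contrast.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
          r'msiexec.exe /i "C:\Users\u\Downloads\IRS_notice.msi"'),
    Event(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\rundll32.exe",
          r'rundll32.exe "C:\Users\u\AppData\Local\Temp\MSIabcd.tmp\embedded.dll",hvsi'),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe shell32.dll,Control_RunDLL"),
    Event(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\rundll32.exe",
          r'rundll32.exe "C:\Program Files\Vendor\setup.dll",Install'),
]

# Export names known from the report; extend from your own intelligence.
SUSPICIOUS_EXPORTS = {"hvsi"}

# Matches "<path>.dll,<export>" or "<path>.dll,#<ordinal>" in a command line.
EXPORT_RE = re.compile(r'\.dll"?\s*,\s*(?:#(\d+)|(\w+))', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: Event) -> list[str]:
    """Return the list of reasons this event looks like the reported chain."""
    reasons = []
    if _basename(ev.parent_image) == "msiexec.exe" and _basename(ev.image) == "rundll32.exe":
        reasons.append("msiexec.exe spawned rundll32.exe (MSI custom action loading a DLL)")
    m = EXPORT_RE.search(ev.command_line)
    if m:
        export = f"#{m.group(1)}" if m.group(1) else m.group(2).lower()
        if export in SUSPICIOUS_EXPORTS:
            reasons.append(f"DLL export '{export}' matches a known Qakbot loader export")
    return reasons


def scan(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event with at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

An event that triggers both conditions (msiexec parent plus the "hvsi" export) is the strongest signal; the parent/child relationship alone also fires on legitimate installers, so in practice it is a lower-severity rule to be joined with file-origin context such as the MSI having arrived from a browser download.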
While the seizure of infrastructure and cryptocurrency assets used by the Qakbot malware dealt a blow to the group's operations, the Qakbot affiliates have not ceased their activities, continuing to distribute malware such as the Ransom Knight ransomware and the Remcos backdoor through phishing emails.