Threat Awareness – Qakbot: Down, but not Out

Author: ian_41208

Created: Thursday, October 5, 2023 - 18:48

Categories: Cybersecurity

On August 31, 2023, WaterISAC shared the joint cybersecurity advisory (JCSA) on the coordinated law enforcement disruption of the Qakbot botnet infrastructure and how organizations could use known behaviors to detect and protect against Qakbot activity.

Cisco researchers have been closely monitoring for Qakbot activity since its takedown and have observed actors continuing to employ the malware. Qakbot has been used to distribute Ransom Knight malware and the Remcos backdoor since around early August 2023. Cisco Talos researchers assess with moderate confidence that the threat actors linked to Qakbot are still active, and believe the group launched a new campaign shortly before the infrastructure takedown on August 29, 2023.

Researchers successfully attributed recent attacks to the Ransom Knight ransomware by cross-referencing .LNK files (commonly known as desktop shortcut icons) from previous campaigns with those in new attacks. The filenames of these LNK files, which focus on urgent financial topics, indicate distribution through phishing emails, aligning with patterns seen in previous Qakbot campaigns.

Despite the infrastructure disruption, it does not appear the proliferation of Qakbot is going away anytime soon. Due to its versatility and potential use post-compromise, members are encouraged to remain vigilant and closely monitor how highly effective malware samples like these are initially deployed. Read more at Talos Intelligence.
