Evidence suggests the notorious Qakbot malware gang continued staging cyberattacks in August, even as authorities seized its infrastructure and dismantled the formidable botnet it had built up over several years.
Before the FBI-led operation that took down the botnet, Qakbot (also known as “QBot,” “QuackBot” and “Pinkslipbot”) was the most common malware loader seen by ReliaQuest, accounting for 30% of all loaders its researchers observed in the first seven months of this year.
While authorities seized infrastructure and financial assets belonging to the gang in August, researchers warned at the time that because arrests were not made, key members of the gang were likely to regroup and continue committing cybercrimes.
In an Oct. 5 blog post, Cisco Talos said it believed the gang had been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails in the weeks prior to the takedown. The post said that while the multi-agency raid took down the group’s command-and-control servers, it had not affected the group’s spam delivery infrastructure.
Cisco Talos linked Qakbot to the Ransom Knight ransomware-as-a-service malware by matching metadata found in a malicious LNK (Windows shortcut) file, attached to an email lure used in the latest campaign, with a machine used in previous Qakbot campaigns.
The research team had previously used LNK file metadata to identify and track threat actors, including those behind Qakbot. In August, the month of the takedown, it discovered an LNK file used in a Ransom Knight campaign that had been created on a machine previously identified as being used in Qakbot campaigns.
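The machine-level metadata that makes this kind of attribution possible lives in the LNK file’s TrackerDataBlock (MS-SHLLINK section 2.5.10): the NetBIOS name of the host that created the shortcut and two version-1 GUIDs whose node field is that host’s MAC address and whose timestamp is the creation time. The following Python parser is an added example, not Cisco Talos tooling; it walks the shortcut structure to the ExtraData section and pulls those fields out. The sample file it parses is constructed in memory, and the host name “DESKTOP-TEST”, the MAC 00:11:22:33:44:55 and the command-line arguments in it are hypothetical.

```python
"""Extract host fingerprints from the TrackerDataBlock of a Windows .lnk file.

Added example (not Cisco Talos code). Layout follows MS-SHLLINK: a 76-byte
ShellLinkHeader, then optional LinkTargetIDList, LinkInfo and StringData
sections selected by LinkFlags, then ExtraData blocks ending in a block whose
size is < 4. The sample LNK built below is constructed; its host name, MAC
and arguments are hypothetical.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
TRACKER_SIGNATURE = 0xA0000003
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # v1 GUID epoch

HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
# HasName, HasRelativePath, HasWorkingDir, HasArguments, HasIconLocation,
# in the order the StringData entries appear in the file.
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)


def extra_data_offset(data):
    """Skip header, IDList, LinkInfo and StringData; return ExtraData offset."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_ID_LIST:                       # IDListSize(2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize(4) covers block
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1        # CountCharacters(2) + chars
    for flag in STRING_FLAGS:
        if flags & flag:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * width
    return pos


def _v1_details(guid):
    """MAC address and timestamp embedded in a version-1 GUID."""
    if guid.version != 1:
        return {"mac": None, "created": None}
    mac = ":".join(f"{(guid.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    created = UUID_EPOCH + timedelta(microseconds=guid.time // 10)
    return {"mac": mac, "created": created.isoformat()}


def tracker_block(data):
    """Return machine name, MAC and creation time, or None if no TrackerDataBlock."""
    pos = extra_data_offset(data)
    while pos + 4 <= len(data):
        size, = struct.unpack_from("<I", data, pos)
        if size < 4 or pos + size > len(data):    # TerminalBlock or truncated
            break
        sig, = struct.unpack_from("<I", data, pos + 4)
        if sig == TRACKER_SIGNATURE and size == 0x60:
            body = data[pos + 8:pos + size]
            # Length(4) Version(4) MachineID(16) Droid(32) DroidBirth(32)
            machine = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
            birth_file = uuid.UUID(bytes_le=body[72:88])  # DroidBirth FileID
            return {"machine_id": machine, **_v1_details(birth_file)}
        pos += size
    return None


def _v1_guid(when, clock_seq, node):
    """Build a version-1 GUID with a chosen timestamp and node (MAC)."""
    delta = when - UUID_EPOCH
    t = (delta.days * 86400 + delta.seconds) * 10_000_000  # 100-ns intervals
    return uuid.UUID(fields=(t & 0xFFFFFFFF, (t >> 32) & 0xFFFF,
                             ((t >> 48) & 0x0FFF) | 0x1000,
                             0x80 | ((clock_seq >> 8) & 0x3F),
                             clock_seq & 0xFF, node))


def build_sample_lnk(with_tracker=True):
    """Constructed LNK: empty IDList, Unicode arguments, TrackerDataBlock."""
    flags = HAS_ID_LIST | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"          # only the TerminalID
    args = "/k dir"                                        # hypothetical
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    blocks = b""
    if with_tracker:
        volume = uuid.UUID("7f0c1d2e-3a4b-4c5d-8e6f-0a1b2c3d4e5f")  # hypothetical
        file_id = _v1_guid(datetime(2023, 8, 1, tzinfo=timezone.utc),
                           0x1234, 0x001122334455)         # hypothetical MAC
        droid = volume.bytes_le + file_id.bytes_le
        blocks += struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
        blocks += b"DESKTOP-TEST".ljust(16, b"\x00") + droid + droid
    return header + id_list + string_data + blocks + struct.pack("<I", 0)


if __name__ == "__main__":
    print(tracker_block(build_sample_lnk()))
```

Two LNK lures whose tracker blocks carry the same MachineID and MAC were, with high probability, built on the same host, which is the kind of overlap the researchers used to tie the August lure to earlier Qakbot activity. The caveat is that the block is optional and trivially forgeable, so a match is a pivot for investigation rather than proof of attribution on its own.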
Cisco Talos said it found other similarities between the new campaign and common traits of the Qakbot group’s earlier campaigns. These included “themes of urgent financial matters” in the filenames of the LNK files victims were duped into opening, for example “NOT-paid-Invoice-26-August.pdf.lnk”. Because Windows Explorer never displays the .lnk extension, such a file appears to the recipient as a PDF named “NOT-paid-Invoice-26-August.pdf”.
“We do not believe the Qakbot threat actors are behind the [Ransom Knight] ransomware-as-a-service offer, but are simply customers of the service,” threat researcher Guilherme Venere wrote in the post.
“As this new operation has been ongoing since the beginning of August 2023 and has not stopped after the takedown, we believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but only its command and control servers.”
Authorities have said the gang behind Qakbot caused hundreds of millions of dollars in losses since the malware’s creation in 2008. A major accomplishment of the August takedown was the FBI’s ability to uninstall the malware from 700,000 computers, effectively dismantling the botnet.
However, Venere speculated that the gang may not remain simply an affiliate ransomware group for long, given the potentially lucrative opportunity they would have if they resurrected the Qakbot botnet.
“Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward,” he said.
“Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.”