Qakbot Malware Gang's Persistent Threat Despite Infrastructure Seizure
Despite authorities dismantling the Qakbot malware gang's infrastructure in August, evidence indicates the group resumed cyberattacks soon after. Before the FBI-led crackdown, the malware loader Qakbot, also known as "QBot" and "QuackBot", was the most frequently detected malware loader in ReliaQuest telemetry, making up 30% of all observed loaders in the first seven months of the year.
While the gang's infrastructure and financial resources were seized, researchers cautioned that the lack of arrests could allow the gang's key players to regroup and persist in their cybercriminal activities. In a recent blog post, Cisco Talos says it suspects the gang distributed Ransom Knight ransomware and the Remcos backdoor through phishing emails in the weeks leading up to the crackdown. Though the takedown hit the gang’s command-and-control servers, its spam delivery systems were left untouched.
Links between Qakbot and the Ransom Knight ransomware were drawn by Cisco Talos through metadata present in a malicious LNK file associated with a phishing campaign. Similarities in tactics were observed, such as urgent financial themes in the filenames intended to deceive victims.
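The post does not say which LNK metadata fields Talos pivoted on. The example below, added here and not code from the post or from Cisco Talos, shows the kind of pivot an analyst typically makes on shortcut files: it parses the LNK `TrackerDataBlock` defined in the MS-SHLLINK specification, recovers the NetBIOS machine name and the NIC MAC address of the host that created the shortcut, and groups samples that share the same builder host. The `.lnk` samples, their file names and all identifiers are constructed inline for the demonstration; the assumption that these tracker fields are the relevant metadata is mine.

```python
"""Extract LNK TrackerDataBlock metadata (builder machine name, MAC address,
volume/file object IDs) and cluster shortcut samples that share a builder.
Layout follows the MS-SHLLINK specification; the sample shortcuts below are
constructed test data, not real malware artefacts."""
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections, in on-disk order: Name, RelativePath, WorkingDir, Arguments, IconLocation
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)
TRACKER_DATA_SIG = 0xA0000003


def _skip_to_extra_data(data, flags):
    """Offset of the first ExtraData block, skipping the optional
    LinkTargetIDList, LinkInfo and StringData sections."""
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    char_width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_FLAGS:
        if flags & flag:
            (count,) = struct.unpack_from("<H", data, off)
            off += 2 + count * char_width
    return off


def parse_tracker_data(data):
    """Return the TrackerDataBlock fields of a .lnk file, or None if the data
    is not a shortcut or carries no tracker block."""
    if len(data) < HEADER_SIZE:
        return None
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        return None
    off = _skip_to_extra_data(data, flags)
    while off + 8 <= len(data):
        block_size, signature = struct.unpack_from("<II", data, off)
        if block_size < 4:  # TerminalBlock ends the ExtraData list
            break
        if signature == TRACKER_DATA_SIG and block_size >= 0x60:
            # Block layout: size, signature, length, version, MachineID[16], Droid[32], DroidBirth[32]
            machine_id, droid, droid_birth = struct.unpack_from("<16s32s32s", data, off + 16)
            # DroidBirth = {volume GUID, file object GUID}; the file object GUID is a
            # version-1 UUID whose node field is the MAC of the NIC on the creating host.
            birth_file = uuid.UUID(bytes_le=droid_birth[16:32])
            mac = None
            if birth_file.version == 1:
                mac = ":".join(f"{b:02x}" for b in birth_file.node.to_bytes(6, "big"))
            return {
                "machine_id": machine_id.split(b"\x00", 1)[0].decode("ascii", "replace"),
                "volume_droid": str(uuid.UUID(bytes_le=droid[:16])),
                "file_droid": str(uuid.UUID(bytes_le=droid[16:32])),
                "mac": mac,
            }
        off += block_size
    return None


def cluster_by_builder(samples):
    """Group sample names by (machine name, MAC) of the host that created the
    shortcut; samples sharing both very probably came from the same builder."""
    clusters = {}
    for name, data in samples.items():
        meta = parse_tracker_data(data)
        if meta is not None:
            clusters.setdefault((meta["machine_id"], meta["mac"]), []).append(name)
    return clusters


def _v1_uuid(mac, time_low):
    """Deterministic version-1 UUID carrying the given MAC as its node field (test data)."""
    node = int(mac.replace(":", ""), 16)
    return uuid.UUID(fields=(time_low, 0x9ABC, 0x11EF, 0x80, 0x01, node))


def build_sample_lnk(machine_id, mac, seed):
    """Construct a minimal shortcut: header with no optional sections, one
    TrackerDataBlock, then the TerminalBlock. Constructed test data only."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, 0)
    header += b"\x00" * (HEADER_SIZE - len(header))
    droid = uuid.UUID(int=seed).bytes_le + _v1_uuid(mac, seed & 0xFFFFFFFF).bytes_le
    block = struct.pack("<IIII16s", 0x60, TRACKER_DATA_SIG, 0x58, 0, machine_id.encode("ascii"))
    block += droid + droid  # Droid and DroidBirth are equal for a file that never moved
    return header + block + struct.pack("<I", 0)


# Constructed samples: two lures share a builder host, the third does not.
SAMPLES = {
    "Invoice_Overdue.lnk": build_sample_lnk("DESKTOP-A1B2C3", "00:0c:29:3a:7f:10", 0x1001),
    "Payment_Urgent.lnk": build_sample_lnk("DESKTOP-A1B2C3", "00:0c:29:3a:7f:10", 0x1002),
    "Quarterly_Report.lnk": build_sample_lnk("WIN-9XYZ", "08:00:27:aa:bb:cc", 0x1003),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, parse_tracker_data(data))
    print(cluster_by_builder(SAMPLES))
```

Run against real shortcuts, `parse_tracker_data(open(path, "rb").read())` is enough; the MAC is only meaningful when the file object GUID is version 1, which is why the parser leaves `mac` as `None` otherwise, and a hypervisor OUI in the MAC (the `00:0c:29` prefix above is VMware's) is itself a useful hint about the builder environment.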
Despite the extensive takedown in August, which enabled the FBI to uninstall the malware from 700,000 computers and thereby break up the botnet, the Qakbot gang might consider resurrecting the botnet, given its lucrative potential. Threat researcher Guilherme Venere stressed that the malware may continue to pose a significant risk and that the group is likely to revive the Qakbot infrastructure.