QakBot Threat Actors Persist with Ransom Knight and Remcos RAT in Ongoing Attacks
Despite recent infrastructure disruptions, the actors responsible for the QakBot malware are still active.
They are linked to a phishing campaign that began in early August 2023, leading to the deployment of Ransom Knight ransomware and Remcos RAT (Remote Access Trojan).
Key Takeaways:
- Continued Threat: Threat actors associated with the QakBot malware remain active, deploying ransomware and RAT in a recent phishing campaign.
- Impact of Law Enforcement Operation: While law enforcement operations disrupted QakBot’s infrastructure, the spam delivery system appears unaffected.
- Evolution of QakBot: QakBot, originally a Windows-based banking trojan in 2007, has evolved to deliver various payloads, including ransomware.
QakBot Actors Remain Active
In a surprising turn of events, the threat actors behind the notorious QakBot malware have resurfaced. Despite recent disruptions to their infrastructure, they are linked to an ongoing phishing campaign that began in August 2023.
This campaign has resulted in the deployment of Ransom Knight ransomware and Remcos RAT.
Law Enforcement Impact
The disruption of QakBot’s infrastructure was a notable event in late August 2023, termed “Duck Hunt.” However, it seems that the impact of this law enforcement operation was limited.
According to Cisco Talos researcher Guilherme Venere, it’s likely that the operation only affected QakBot’s command-and-control (C2) servers, leaving the spam delivery infrastructure intact.
Moderate Confidence Attribution
Cybersecurity experts have attributed this recent activity with moderate confidence to QakBot affiliates.
Notably, there is no evidence to suggest that the threat actors have resumed distributing the malware loader itself following the infrastructure takedown.
QakBot’s Evolution
QakBot, also known as QBot and Pinkslipbot, has a long history. Originating as a Windows-based banking trojan in 2007, it has continually evolved.
Over time, it has gained the ability to deliver various payloads, including ransomware. This adaptability has made it a persistent threat in the cybersecurity landscape.
The Latest Activity
The ongoing campaign that started just before the takedown of QakBot’s infrastructure involves a malicious LNK file. This file is likely distributed via phishing emails.
When executed, it triggers the infection process, ultimately leading to the deployment of Ransom Knight ransomware. Notably, Ransom Knight is a recent rebrand of the Cyclops ransomware-as-a-service (RaaS) scheme.
Incorporating Remcos RAT
ZIP archives containing the LNK files have been observed incorporating Excel add-in (.XLL) files. These files are used to propagate the Remcos RAT, which provides persistent backdoor access to compromised endpoints.
Some of the filenames used in this campaign are written in Italian, indicating a potential focus on users in that region.
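The delivery chain described above (ZIP archives carrying LNK shortcuts and .XLL add-ins) is something a mail gateway or triage script can check for. The following is an added example, not code from the article or from Cisco Talos: it inspects a ZIP archive and flags members by both name and leading bytes, so a shortcut renamed to look like a document is still caught. The sample archive and its Italian-style file names are constructed for the demonstration.

```python
import io
import zipfile
from dataclasses import dataclass

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# An .XLL add-in is a Windows DLL, so it starts with the "MZ" PE stub.
PE_MAGIC = b"MZ"
SUSPECT_EXTS = (".lnk", ".xll")


@dataclass
class Finding:
    name: str
    reason: str


def inspect_archive(data: bytes) -> list[Finding]:
    """Flag ZIP members that look like shortcut or Excel add-in droppers."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # enough for either magic
            if head.startswith(LNK_MAGIC):
                # Content check first: catches 'Allegato.pdf' that is really an LNK
                findings.append(Finding(info.filename, "Shell Link header"))
            elif lower.endswith(".xll") and head.startswith(PE_MAGIC):
                findings.append(Finding(info.filename, "PE-based Excel add-in"))
            elif lower.endswith(SUSPECT_EXTS):
                findings.append(Finding(info.filename, "suspicious extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (hypothetical names, not campaign samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fattura_2023.lnk", LNK_MAGIC + b"\x00" * 60)   # real LNK
        zf.writestr("Contratto.xll", PE_MAGIC + b"\x90" * 62)       # DLL add-in
        zf.writestr("Allegato.pdf", LNK_MAGIC + b"\x00" * 60)       # renamed LNK
        zf.writestr("leggimi.txt", b"testo innocuo\n")              # benign
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f"{f.name}: {f.reason}")
```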
The Ongoing Threat
While the distribution of the QakBot malware itself has not been observed post-infrastructure takedown, experts believe that it will remain a significant threat.
The operators behind it are active, and there is a possibility that they may rebuild QakBot’s infrastructure to resume their previous activities.
Conclusion
The persistence of threat actors associated with QakBot serves as a reminder of the ever-evolving nature of cyber threats.
While law enforcement operations can disrupt malicious activities, they may not always fully dismantle them. Organizations and individuals must maintain robust cybersecurity measures to defend against such threats.
About Cisco Talos: Cisco Talos is a prominent cybersecurity research and threat intelligence group known for its expertise in uncovering and analyzing cyber threats. Their insights help organizations stay informed and protected in the digital landscape.