Qakbot Hackers Delivering Ransomware Despite FBI Takedown
The raid two months ago that shut down the infrastructure of the notorious Qakbot malware group doesn’t seem to have been the kill shot that the FBI and other law enforcement agencies had hoped.
The gang’s operators have been running a campaign since early August – before the August 29 crackdown by agencies from the United States and Europe – using phishing attacks to distribute the Ransom Knight ransomware and Remcos remote access trojan (RAT), according to researchers with Talos, Cisco’s threat intelligence unit.
“This activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing ever since, indicating the law enforcement operation may not have impacted Qakbot’s operators’ spam delivery infrastructure but rather only their command and control (C2) servers,” Talos threat researcher Guilherme Venere wrote in a report this morning.
Venere added that while Talos hasn’t seen the bad actors distributing the Qakbot malware itself since the FBI raid, “we assess the malware will continue to pose a significant threat moving forward. We see this as likely as the developers were not arrested and are still operational, open the possibility that they may choose to rebuild the Qakbot infrastructure.”
Law Enforcement Moves In
At the time of the law enforcement crackdown – dubbed Operation Duck Hunt – officials with the U.S. Justice Department (DOJ) noted that along with the seizure of the infrastructure, they deleted the Qakbot code from the computers of victims and seized more than $8.6 million in cryptocurrency collected through the group’s malicious activities.
The Qakbot malware infected more than 700,000 computers and caused hundreds of millions of dollars in damage, the DOJ said.
The team behind the operation was able to “cripple” Qakbot,” said Donald Always, assistant director in charge of the FBI’s Los Angeles office, adding that “these actions will prevent an untold number of cyberattacks at all levels.”
Qakbot – also known as “Qbot” and “Pinkslipbot” – started life as a banking trojan used to steal credential to compromise bank accounts. It evolved into a botnet used to gain initial access into targeted systems and the leveraged by other groups to run ransomware and other cyberattacks.
Venere wrote that Cisco is moderately confident that the threat actors running the campaign that is distributing the Ransom Knight ransomware – which had previously been known as the Cyclops ransomware-as-a-service (RaaS) operation– and Remcos backdoor.
Ransom Knight is a completely rewritten version of Cyclops that was announced in May, he wrote. The Qakbot cybercriminals are not behind the new Ransom Knight RaaS service, but more likely are simply customers.
“We tracked this new activity by connecting the metadata in the LNK files used in the new campaign to the machines used in the previous Qakbot campaigns,” he wrote.
Using LNK Files to ID Hackers
Earlier this year, Talos outlined how it used such metadata to identify and track bad actors, including establishing a link between Qakbot and the Bumblebee malware loader. One machine seen used in one campaign with a drive serial number of “0x2848e8a8” was used later for a new botnet. After Talos’ report, Qakbot operators responsible for three campaigns started to wipe out the metadata in their LNK files to hinder detection and tracking.
The new LNK files discovered in the new campaign in August were created on the same machine, though it was distributing a Ransom Knight variant. They come with what Verene described as “themes of urgent financial matters, [suggesting] they are being distributed in phishing emails, which is consistent with previous Qakbot campaigns.”
Some of the filenames are written in Italian, indicating that the threat actors could be targeting users in that region. The LNK files also are being distributed inside Zip archive that also contain an XLL file, he wrote, noting that “XLL is an extension used for Excel add-ins, and comes with an icon similar to other Excel file formats.”
The XLL files are the Remcos backdoor, which is executed with Ransom Knight to give the hackers access to the compromised machine after it’s infected. The LNK file downloads an executable from a remote system through the WebDAV protocol, with the executable being the Ransom Knight payload.