    Unkillable? Qakbot Infections Fly On Even After Its High-Profile Raid

By justmattg, October 5, 2023


    The Qakbot (aka Qbot) first-stage malware operation is still kicking, even after the “Operation Duck Hunt” raid by law enforcement eviscerated its infrastructure a few weeks ago. It was recently seen distributing the Ransom Knight ransomware and the Remcos backdoor remote access Trojan (RAT) via phishing emails.

    Evidently, a massive takedown of Qakbot’s botnet infrastructure in August, involving law enforcement from seven different countries, wasn’t enough to even temporarily kill the notorious initial access broker (IAB). According to a new report from Cisco Talos, a ransomware campaign that began before the raid is still ongoing, yet again proving how difficult it is to take out a major threat actor.

    “A lot of people thought that it would not take a lot of time before Qakbot was back, and we’ve shown that,” says Guilherme Venere, threat researcher for Cisco Talos. “They were never really inactive. They were still running campaigns at the same time that the requisite infrastructure was taken down.”

    Qakbot Still at It Post-Takedown

    On Aug. 29, law enforcement authorities from the US (the FBI), UK, France, Germany, Romania, Latvia, and the Netherlands teamed up against the operators behind Qakbot, “cutting it off at the knees.” Specifically, authorities identified and accessed 700,000 infected computers, redirecting them to FBI-controlled servers, where they automatically downloaded Qakbot uninstallers. Additionally, authorities seized $8.6 million of Qakbot’s illicitly obtained funds.

    But in the face of all that, a Qakbot campaign that began earlier in August kept chugging along.

    In fact, the group has been distributing phishing emails in English, Italian, and German, containing .ZIP archives with two primary components.

First, there are Windows shell link (.LNK) files masquerading as financial documents, for example “Pay-Invoices-29-August.pdf.lnk” and “bank transfer request.lnk.” When opened, these shortcuts download an executable from a remote IP address; that executable contains the Ransom Knight ransomware. Ransom Knight is a newer version of the “Cyclops” ransomware-as-a-service malware, rebranded in May.

    Besides the ransomware, the .ZIPs also contain Excel Add-In (XLL) files hiding the Remcos backdoor, enabling persistent access to targeted machines even after the deployment of ransomware.
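The two components above are the kind of thing a mail gateway or triage script can flag before a user ever double-clicks. The following is an added example, not code from the article or from Cisco Talos: it builds a constructed .ZIP resembling the described lure (the member contents, the padding bytes and the benign readme are invented; only the two file names are taken from the article) and flags shell links hiding behind a document double extension, bare .LNK files, Excel add-ins, and files whose bytes carry a ShellLinkHeader despite a different extension. The header magic is the documented ShellLinkHeader size field (0x4C) followed by the first bytes of the Shell Link CLSID.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Document extensions a .lnk commonly impersonates via a double extension.
# Windows hides the final extension by default, so "x.pdf.lnk" displays as "x.pdf".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# ShellLinkHeader: HeaderSize 0x0000004C (little-endian) followed by the start of
# LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


@dataclass
class Finding:
    member: str
    reason: str


def _suffixes(name: str) -> list[str]:
    """Return all extensions of the basename, lower-cased, e.g. ['.pdf', '.lnk']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data: bytes) -> list[Finding]:
    """Inspect every member of a ZIP attachment and return suspicious findings."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            sufs = _suffixes(info.filename)
            last = sufs[-1] if sufs else ""
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))

            if last == ".lnk":
                if len(sufs) >= 2 and sufs[-2] in DOCUMENT_EXTENSIONS:
                    findings.append(Finding(info.filename,
                                            f"shell link disguised as {sufs[-2]} document"))
                else:
                    findings.append(Finding(info.filename, "shell link in mail attachment"))
            elif last == ".xll":
                # XLL add-ins are native DLLs that Excel loads and executes on open.
                findings.append(Finding(info.filename, "Excel add-in (native code loaded by Excel)"))
            elif head.startswith(LNK_MAGIC):
                # Extension does not say .lnk but the bytes are a shell link.
                findings.append(Finding(info.filename, "shell link header under a non-.lnk extension"))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample archive mimicking the described lure (contents are fake)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pay-Invoices-29-August.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
        zf.writestr("bank transfer request.lnk", LNK_MAGIC + b"\x00" * 68)
        zf.writestr("addin.xll", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"benign text")  # should not be flagged
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_lure()):
        print(f"{f.member}: {f.reason}")
```

Running the script against the constructed archive reports the two shortcuts and the add-in and stays silent on the text file. In production the same checks would run on the decoded attachment before delivery; the header check matters because attackers sometimes ship a renamed .lnk that a later stage restores.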

    It’s unclear yet how many organizations have been targeted in this campaign, and whether any have suffered damages as a result.

    Can Law Enforcement Ever Eliminate Threat Actors?

In recent years, US and international law enforcement has stepped up efforts to curb major cybercrime outfits, whether by taking down infrastructure, seizing cryptocurrency, arresting group members in person, or any combination thereof. The long-term results are mixed.

In certain cases, police have done serious, irreversible harm to these groups. For instance, Hive, which once sat atop the ransomware world, is now a thing of the past thanks to the FBI and the Department of Justice.

But in seemingly more cases, authorities have had only limited success. The Emotet botnet survived a coordinated takedown effort, as did the TrickBot botnet. Even the Conti group recovered, at least to some degree, after being shut down by authorities.

    “It’s difficult to take them down unless you arrest the original actors behind the group,” Venere says. “In this case, there was no arrest made of anyone behind the Qakbot infrastructure. So they are still there. They still have access to the source code for the malware. They can still develop new variants, and they have the infrastructure to distribute it.”

    All of the law enforcement effort isn’t necessarily a waste, though. “The FBI had a huge impact on the group’s infrastructure, and their financial structure, and now they have to rebuild it. Sometimes, this kind of thing makes it not worth the time to rebuild infrastructure,” he says.

    “So it might have an impact in the end,” he concludes, “because it will make it so expensive for them to rebuild this stuff.”
