Despite concerted efforts by the FBI in August to dismantle the infrastructure supporting the Qakbot malware, the threat actors behind it appear undeterred. Recent evidence indicates an active distribution of Ransom Knight ransomware and the Remcos backdoor via phishing emails, starting from early August.

Diving into details

• Metadata from LNK files used in previous Qakbot campaigns, such as “AA” and “BB”, have been identified by security experts in the new campaigns.
• Some filenames were in Italian, suggesting a potential focus on Italian users.
• LNK files, designed to resemble urgent financial documents, were being sent out.
• These files, when opened, would try to connect to a remote network and download the Ransom Knight ransomware payload.

Interestingly, the Qakbot operators appear to be customers, rather than creators, of the Ransom Knight ransomware, as indicated by a dark web forum post.

Technical insights

The technical specifics of the new campaign revealed a multi-layered attack strategy. The LNK files connect to a remote network share that helps it bypass traditional command line detection.

In addition to the ransomware, the attachments contained XLL files, typically used for Excel add-ins. Analysis showed these to be the Remcos backdoor, granting threat actors access to the compromised machine.

The bottom line

The continued activities of Qakbot affiliates post-FBI operation underscore the adaptability and resilience of such threat actors. While the FBI’s intervention impacted Qakbot’s C2 servers, the group’s phishing email delivery mechanism remained functional. As a preventive measure, individuals and organizations should exercise caution with unfamiliar emails and regularly back up data.