Qakbot Persists, Deploys Ransom Knight | Cyware Hacker News

Despite concerted efforts by the FBI in August to dismantle the infrastructure supporting the Qakbot malware, the threat actors behind it appear undeterred. Recent evidence indicates that they have been actively distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails since early August.

Diving into details

Cisco Talos has tracked and shared details about the ongoing activities of the Qakbot operators.
  • Metadata from LNK files used in previous Qakbot campaigns, such as “AA” and “BB”, has been identified by security experts in the new campaigns.
  • Some filenames were in Italian, suggesting a potential focus on Italian users.
  • LNK files, designed to resemble urgent financial documents, were being sent out.
  • These files, when opened, would try to connect to a remote network and download the Ransom Knight ransomware payload.

Interestingly, the Qakbot operators appear to be customers, rather than creators, of the Ransom Knight ransomware, as indicated by a dark web forum post.

Technical insights

The technical specifics of the new campaign reveal a multi-layered attack strategy. The LNK files connect to a remote network share, which helps the campaign bypass traditional command-line detection.

In addition to the ransomware, the attachments contained XLL files, typically used for Excel add-ins. Analysis showed these to be the Remcos backdoor, granting threat actors access to the compromised machine.

In addition, the study asserts that the Ransom Knight payload is an updated variant of the Cyclops ransomware, rewritten from scratch.
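
As an added example for defenders (not code from Cisco Talos or from the original article), the following Python script triages a mail attachment for the two artifacts described above: LNK files that reference a remote network share, and XLL add-ins. It assumes the attachment is a ZIP archive; the function names, host name and sample archive are constructed for the illustration.

```python
import io
import re
import struct
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C, then the LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
# \\host\share; "@" in the host part covers the host@port form.
UNC = re.compile(r"\\\\[A-Za-z0-9.@-]+\\[\w.$-]+", re.ASCII)

def unc_paths(data):
    """Return UNC paths stored as ASCII or UTF-16LE text in a byte string."""
    views = (data.decode("latin-1"),
             data.decode("utf-16-le", "ignore"),      # even-aligned wide strings
             data[1:].decode("utf-16-le", "ignore"))  # odd-aligned wide strings
    return sorted({m.group(0) for text in views for m in UNC.finditer(text)})

def triage_zip(zip_bytes):
    """Return {member name: [findings]} for suspicious members of a ZIP."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            findings = []
            if data.startswith(LNK_MAGIC):  # judge by content, not by extension
                findings.append("shell link (LNK)")
                findings += ["references " + p for p in unc_paths(data)]
            if info.filename.lower().endswith(".xll") and data[:2] == b"MZ":
                findings.append("XLL add-in (native DLL loaded by Excel)")
            if findings:
                report[info.filename] = findings
    return report

def build_sample():
    """Constructed sample: a minimal LNK-like blob, a fake XLL and a text file."""
    lnk = LNK_MAGIC + bytes(56) + r"\\files.example.test\share\doc.exe".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", lnk)
        zf.writestr("addin.xll", b"MZ" + bytes(62))
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    for member, findings in triage_zip(build_sample()).items():
        print(member, "->", "; ".join(findings))
```

The string search is a heuristic that covers both ASCII and UTF-16LE storage; it does not parse the full shortcut structure, so a hit is a reason to inspect the file, not a verdict.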

The bottom line

The continued activities of Qakbot affiliates post-FBI operation underscore the adaptability and resilience of such threat actors. While the FBI’s intervention impacted Qakbot’s C2 servers, the group’s phishing email delivery mechanism remained functional. As a preventive measure, individuals and organizations should exercise caution with unfamiliar emails and regularly back up data.