Fresh Qakbot Sightings Confirm Recent Takedown Was a Temporary Setback

Qakbot malware is back less than four months after US and international law enforcement authorities dismantled its distribution infrastructure in a widely hailed operation dubbed "Duck Hunt."

In recent days, several security vendors have reported seeing the malware being distributed via phishing emails that target organizations in the hospitality sector. For the moment, the email volumes appear to be relatively low. But given the tenacity that Qakbot operators have shown in the past, it likely won't be long before the volume picks up again.

Low Volumes — So Far

Microsoft's threat intelligence group has estimated the new campaign began Dec. 11, based on a timestamp in the payload used in the recent attacks. Targets have received emails with a PDF attachment from a user purporting to be an employee at the IRS, the company said in multiple posts on X, the platform formerly known as Twitter. "The PDF contained a URL that downloads a digitally signed Windows Installer (.msi)," Microsoft posted. "Executing the MSI led to Qakbot being invoked using export 'hvsi' execution of an embedded DLL." The researchers described the Qakbot version that the threat actor is distributing in the new campaign as a previously unseen version.

Zscaler observed the malware surfacing as well. In a post on X, the company identified the new version as 64-bit, using AES for network encryption and sending POST requests to a specific path on compromised systems. Proofpoint confirmed similar sightings a day later while also noting that the PDFs in the current campaign have been distributed since at least Nov. 28.

Long-Prevalent Threat

Qakbot is particularly noxious malware that has been around since at least 2007. Its authors originally used the malware as a banking Trojan but in recent years pivoted to a malware-as-a-service model. Threat actors typically have distributed the malware via phishing emails, and infected systems usually become part of a bigger botnet. At the time of the takedown in August, law enforcement identified as many as 700,000 Qakbot-infected systems worldwide, some 200,000 of which were located in the US.

Qakbot-affiliated actors have increasingly used it as a vehicle to drop other malware, most notably Cobalt Strike, Brute Ratel, and a slew of ransomware. In many instances, initial access brokers have used Qakbot to gain access to a target network and later sold that access to other threat actors. "QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti, ProLock, Egregor, REvil, MegaCortex, Black Basta, Royal, and PwndLocker," the US Cybersecurity and Infrastructure Security Agency noted in a statement announcing the law enforcement takedown earlier this year.

Takedown Only Slowed Qakbot

The recent sightings of Qakbot malware appear to confirm what some vendors have reported in recent months: Law enforcement's takedown had less of an impact on Quakbot actors than generally perceived.

In October, for instance, threat hunters at Cisco Talos reported that Qakbot-affiliated actors were continuing to distribute the Remcos backdoor and Ransom Knight ransomware in the weeks and months following the FBI's seizure of Qakbot infrastructure. Talos security researcher Guilherme Venere saw that as a sign that August's law enforcement operation may have taken out only Qakbot's command-and-control servers and not its spam-delivery mechanisms.

"Though we have not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward," Venere said at the time. "We see this as likely as the developers were not arrested and are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure."

Security firm Lumu said it counted a total of 1,581 attempted attacks on its customers in September that were attributable to Qakbot. In subsequent months, the activity has remained at more or less the same level, according to the company. Most attacks have targeted organizations in finance, manufacturing, education, and government sectors.

The threat group's continued distribution of the malware indicates that it managed to evade significant consequences, Lumu CEO Ricardo Villadiego says. The group's ability to continue operating primarily hinges on the economic feasibility, technical capabilities, and ease of establishing new infrastructure, he notes. "Since the ransomware model remains profitable and legal efforts haven't specifically targeted the individuals and the underlying structure of these criminal operations, it becomes challenging to completely neutralize any malware network like this."