Organizations in the hospitality industry have been targeted by a new phishing campaign distributing the QakBot, or QBot, malware months after the botnet was taken down in a law enforcement operation, according to BleepingComputer.
Attackers behind the campaign delivered emails spoofing an IRS employee that included a PDF attachment purporting to be a guest list, which, when downloaded, would prompt an MSI and later deploy the QakBot malware DLL, the Microsoft Threat Intelligence team said on X, formerly Twitter. The DLL was created on the day the campaign commenced, noted the researchers, who added that the novel version in the payload's configuration indicated persistent malware development. QakBot's reemergence has also been confirmed by Proofpoint security researchers Tommy Madjar and Pim Trouerbach, with Trouerbach noting that the QakBot DLL has been updated to decrypt strings with AES instead of XOR and is likely to be continuously improved to address bugs.
Malicious updates have recently been issued to the Python Package Index package "django-log-tracker," which was last modified in April 2022, to facilitate the distribution of the Nova Sentinel information-stealing malware, The Hacker News reports.