Months after an international law enforcement operation dismantled the notorious QakBot botnet, a new phishing campaign distributing the same malicious payload has been discovered.
QakBot (also known as “QBot,” “QuackBot” and “Pinkslipbot”) was one of the most deployed malware loaders in 2023 until an FBI-led takedown in August took the operation offline and untethered 700,000 compromised machines from the botnet.
In a Dec. 15 posted on X (previously Twitter), Microsoft’s Threat Intelligence team said they had identified a new QakBot phishing campaign.
“The campaign began on December 11, was low in volume, and targeted the hospitality industry,” the researchers said.
Targets of the new campaign received an email purporting to be from a U.S. Internal Revenue Service (IRS) employee. The email included a PDF attachment containing a URL that downloaded a digitally signed Windows Installer (.MSI) file.
If victims executed the MSI file, it launched QakBot malware. The payload was configured with a previously unseen version of the malware, 0x500, the Microsoft researchers said.
While the unique versioning suggested updates may have been introduced over the past few months, another researcher said on X: ““All in all, this new Qbot version feels basically the same as the old stuff just with some minor tweaks.”
The ‘duck hunt’ is set to resume
As well as dismantling the botnet in August – in what was dubbed “Operation Duck Hunt” – authorities also seized infrastructure and $8.6 million in cryptocurrency belonging to the gang responsible for QakBot.
While taking out such a major botnet that had taken years to build was considered a significant victory, researchers warned at the time that because arrests were not made, there was a possibility the threat actors responsible for QakBot could regroup.
In October, Cisco Talos said it believed the same gang had been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails in the weeks prior to the QakBot takedown. Talos researchers said while the August raid took down the group’s command-and-control servers, it had not impacted their spam delivery infrastructure.
QakBot was first observed in 2008 and has been regularly updated over the years. Once it has compromised a victim’s computer, the malware can deliver additional malicious payloads, including ransomware, to the infected system.
It has been used as an initial means of infection by several ransomware groups including Conti and Black Basta.
Qakbot was leveraged in the 2021 attack against meat processor JBS, which disrupted its production facilities and forced an $11 million ransom payment. To untether the 700,000 compromised computers from the botnet in August, the FBI redirected Qakbot traffic to and through servers controlled by the agency. The infected machines – located in the U.S. and around the world – were then instructed to download a file created by law enforcement that uninstalled the malware.
