As new threat intelligence findings from Cisco Talos show, the affiliates behind the Qakbot malware remain active and have been running a new campaign since the beginning of August 2023.
In this campaign they distribute the “Ransom Knight” ransomware and the “Remcos” backdoor via phishing emails. Notably, the FBI seized the Qakbot infrastructure at the end of August, yet the campaign, which was launched at the beginning of August, continues. This suggests that the law enforcement action may have affected only the Qakbot operators' command and control (C2) servers and not their spam-sending infrastructure.
Qakbot uses other distribution channels
Cisco Talos attributes the new campaign to Qakbot affiliates because the metadata in the LNK files used in this campaign matches the metadata of the machines used in the earlier Qakbot “AA” and “BB” campaigns. Although researchers have not yet observed the threat actors distributing Qakbot itself since the infrastructure was taken down, Cisco Talos believes the malware will continue to pose a significant threat. The reason: the developers were not arrested and could therefore decide to rebuild the Qakbot infrastructure.
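The attribution above rests on metadata that Windows embeds in .lnk files: the TrackerDataBlock carries the NetBIOS name of the machine that created the shortcut and a version-1 GUID whose node field is that machine's MAC address. The following is an added example (not Cisco Talos code) that extracts those two values from a shortcut and groups a set of samples by creating machine, the way an analyst would check whether new lures match a previous campaign. The sample shortcuts, machine names and MAC addresses are constructed inline; the parser follows the MS-SHLLINK layout (header, optional ID list, link info and string data, then extra-data blocks).

```python
import struct
import uuid
from collections import defaultdict

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003          # TrackerDataBlock signature
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2
STRING_FLAGS = (0x4, 0x8, 0x10, 0x20, 0x40)   # Name, RelPath, WorkDir, Args, Icon
IS_UNICODE = 0x80

def tracker_info(data: bytes):
    """Return (machine_id, mac) from a .lnk's TrackerDataBlock, or None if absent."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                     # skip the fixed-size header
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_FLAGS:                      # variable-length StringData entries
        if flags & flag:
            pos += 2 + width * struct.unpack_from("<H", data, pos)[0]
    while pos + 8 <= len(data):                    # walk ExtraData blocks
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:                               # terminal block
            break
        if sig == TRACKER_SIG:
            body = data[pos + 8:pos + size]        # Length, Version, MachineID, Droid, DroidBirth
            machine = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
            droid_file = body[40:56]               # second GUID of Droid (version-1 UUID)
            mac = ":".join(f"{b:02x}" for b in droid_file[10:16])   # node field = MAC
            return machine, mac
        pos += size
    return None

def build_lnk(machine: str, mac: bytes) -> bytes:
    """Constructed minimal .lnk for testing: header with no flags plus one TrackerDataBlock."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + b"\x00" * (0x4C - 20)
    droid_vol = uuid.uuid4().bytes_le
    droid_file = uuid.uuid1(node=int.from_bytes(mac, "big")).bytes_le
    body = struct.pack("<II", 0x58, 0) + machine.encode().ljust(16, b"\x00")
    body += droid_vol + droid_file + droid_vol + droid_file
    return header + struct.pack("<II", 8 + len(body), TRACKER_SIG) + body + struct.pack("<I", 0)

def cluster_by_machine(samples: dict) -> dict:
    """Group sample names by (machine_id, mac) so overlaps between campaigns stand out."""
    groups = defaultdict(list)
    for name, data in samples.items():
        key = tracker_info(data)
        if key:
            groups[key].append(name)
    return dict(groups)
```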
“The current threat level remains high even after the FBI shut down the Qakbot infrastructure. Or to put it with an old football saying: 'After the game is before the game,'” says Thorsten Rosendahl from Cisco Talos. “The analysis shows that even a successful strike against cybercriminals does not create sustainable security. The threat situation remains high, including in Germany.”
More at Cisco.com
About Cisco
Cisco is the world's leading technology company that makes the Internet possible. Cisco is opening new possibilities for applications, data security, infrastructure transformation and the empowerment of teams for a global and inclusive future.