May 19, 2024

Earlier this year, a task force was headed by the U.S. FBI and Dutch police claimed to have taken down prolific malware and botnet operator Qakbot. The threat actors behind Qakbot are back, but in a surprising twist, it appears they never went away to begin with.

Qakbot, also known as QBot and Pinkslipbot, first emerged in 2008 and was historically known as a banking Trojan virus that steals financial data from infected systems. In more recent times, Qakbot has used a variety of infection vectors, including switching file names and formats and deploying several techniques to hide its operation.

The return of Qakbot was discovered by researchers, and the threat actors behind Qakbot have been conducting a campaign since early August in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via emails.

Advertisements

The campaign started in early August, and yet the FBI-led takedown was Aug. 29. As the researchers note, this activity appears before the “takedown” and, more importantly, has been ongoing since.

Although there’s merit in targeting and attempting to take down hacking groups, the process is often said to be like playing a game of Whac-A-Mole: Every time a group is supposedly taken down, others replace them, but in this case, it would appear it was never taken down properly.

The latest activity of Qakbot threat actor may indicate the recent law enforcement operation only impacted the malware’s command-and-control infrastructure and did not affect the infrastructure associated with Qakbot’s spam delivery. It is realistically possible that this indicates the malware’s developers have not been arrested and could have facilitated new C2 infrastructure to restart their operations.

Indicators of Compromise

  • 006e0b5f47462c4d755b3f84e22b90f09fb6b369032a3ca72f39180e5395ed17
  • 19bae62fc0a3a64c80b666237c2f04706e3b89c5a6ea6be055df22122e5f8a63
  • 25cc64a072861840df9dfa7b2449165e4c37d57c542da8ec4ea4fffa10f1be39
  • 44065decc86f79ebbd56b27f1db8c7bd5843147f3fa8e577604c0ed45317b016
  • 6e0062ccdfa7a117a8b76d4056ac144fdf91f3a2811b32d5a3b7f31ac326181b
  • 75c562f9101eab86d03386fcf0ddfe3cdebec0008c2c5b5a94047c06ddeb2566
  • 78784c02843a518bdc546534759dcdb3ea523c54751858a51f39e0f9d1492868
  • 7ab8bcf9b4dc63ad3d9e1fe8eb2e8292a1545871fb2e3b5dd83c96a2b7e33b41
  • 877f8a66be5c99d5a4636d74c566d61ebc1951049be5fa8968c132922ca4ba18
  • af5f5aa32a3e2bc802b9863c20de2eac0ca14e1002c02396e63e2aa38eb351c6
  • bfd2c062c12a261c4460cdc59cc9f7e80b72b455e852d08c106f12a3d657a575
  • d0013d23218a1aafdea792a0599b746af6966f765181c8c1dbfe7257be0cb022
  • d522a32eebc7f0108dbff116b7fa9dd457bf9f062465060115ec423c567c5115
  • e38a1648fc6494f881e3b793688ef4d69e925137c4c7494f4dd6c6604142a2bc
  • ec4ac7ade34402ad3757e97d03de7aa3dfee0ed53f28f32c99d8dbbb96958dcb
  • f2e2427107648e8d7be5f4e42341c702ceddb442191434128cbbf15c0325d8e9
  • 7b4d227fddcc4e93ea0cdf017026ff2dad6efd6bc7de71b689dc0595a2a4fb4d
  • a2c654357d790d7c4cec619de951649db31ecdb63935f38b11bb37f983ff58de
  • c42ad519510936f14ab46fbad53606db8132ea52a11e3fc8d111fbccc7d9ab5a
  • 34ea4cad8558fcab75631a44eae492a54e1cf9ae2f52e7d5fa712686acd06437
  • 597541041b49043bd2abd482b3bf4dd233a0dbb47d5ef704ea9ee28705d2764b
  • 86e96d3d22ead8f41f6a29f7bfe4b35c0d4ae5bd8da046ff0d01d9c6ea678dc2
  • ef74d2b8d1767667fb6817916f7d2d2c998358e07422a6af246151e0299f26aa
  • 89.23.96.203
  • 188.34.188.7
Tags:

2 thoughts on “Qakbot is alive despite being taken down

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

Git fixes critical RCE Vulnerability -CVE-2024-32002

May 18, 2024

LockBit Breaches City of Wichita

May 18, 2024

CISA KEV Update – May 2024

May 17, 2024

Google fixes 2nd Zeroday in a Week – CVE-2024-4947

May 16, 2024

US Authorities took control of BreachForums

May 16, 2024

Microsoft Zeroday Bug CVE-2024-30051 exploited to install QakBot

May 15, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading