Earlier this year, a task force headed by the U.S. FBI and Dutch police claimed to have taken down the prolific malware and botnet operator Qakbot. The threat actors behind Qakbot are back, but in a surprising twist, it appears they never went away to begin with.
Qakbot, also known as QBot and Pinkslipbot, first emerged in 2008 and was historically known as a banking Trojan that steals financial data from infected systems. In more recent times, Qakbot has used a variety of infection vectors, including switching file names and formats, and has deployed several techniques to hide its operation.
The return of Qakbot was discovered by researchers, and the threat actors behind Qakbot have been conducting a campaign since early August in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via emails.
The campaign started in early August, and yet the FBI-led takedown was Aug. 29. As the researchers note, this activity appears before the “takedown” and, more importantly, has been ongoing since.
Although there is merit in targeting and attempting to take down hacking groups, the process is often compared to a game of Whac-A-Mole: every time a group is supposedly taken down, others replace it. In this case, however, it appears the group was never properly taken down in the first place.
The latest activity of the Qakbot threat actor may indicate that the recent law enforcement operation only impacted the malware’s command-and-control infrastructure and did not affect the infrastructure associated with Qakbot’s spam delivery. It is realistically possible that this indicates the malware’s developers have not been arrested and could have stood up new C2 infrastructure to restart their operations.
Indicators of Compromise