Cybercrime , Cybercrime as-a-service , Endpoint Detection & Response (EDR)

Qakbot Attackers Remain Alive and Quacking, Researchers Find

Phishing Campaign Pushing Knight Ransomware Continues Despite FBI Disruption
Qakbot Attackers Remain Alive and Quacking, Researchers Find
Image: Bert de Tilly/CC BY-SA 4.0 Deed

What do bank transfer request.lnk, invoice OTP bank.pdf.lnk and URGENT-Invoice-27-August.docx.lnk have in common?

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

All are names of Windows shortcut files being distributed in Zip archives attached to phishing email messages recently sent by attackers tied to the Qakbot operation, reported threat intelligence researchers at Cisco Talos.

The Qakbot activity comes despite a massive international law enforcement operation, spearheaded by the FBI, that disrupted a substantial part of the botnet infrastructure in late August. Operation Duck Hunt - a play on the name of the botnet operation and its malware - resulted in the seizure of 52 servers and nearly $9 million worth of cryptocurrency, as well as the forced removal of Qakbot malware from 700,000 endpoints (see: Operation 'Duck Hunt' Dismantles Qakbot).

Talos researchers said the phishing campaign they're tracking launched before the takedown and has continued since. This suggests that police disrupted only a part of Qakbot's operations. "The law enforcement operation may not have impacted Qakbot operators' spam delivery infrastructure but rather only their command-and-control servers," researchers said.

Following the takedown, multiple security researchers warned that while any cybercrime disruption is always welcome, law enforcement only managed to disrupt infrastructure. Whoever heads the operation and the developers they employ remains at large and could rebuild the compromised parts of the lucrative operation, they warned (see: Cybercrime Tremors: Experts Forecast Qakbot Resurgence).

Phishing Campaign Pushes Ransomware

Cisco Talos attributes the ongoing phishing campaign to Qakbot because metadata in the latest malicious files appears to have been created on the same machine as previous campaigns launched by the group. Researchers said one commonality across the malicious files is metadata pointing to a hard drive with the serial number 0x2848e8a8.

In this phishing campaign, attached Zip archives include link files designed to load an Excel add-in extension, aka .xll file that will install the Remcos backdoor to provide persistent remote access to an endpoint. Researchers also found the link file runs a PowerShell script designed to download from a remote IP address an executable that installs ransomware called Ransom Knight, aka Knight ransomware.

In May, the Cyclops ransomware-as-a-service operation launched Knight as version 2.0 of its Cyclops ransomware, saying they'd rewritten the crypto-locking malware from the ground up and were looking for collaborators to distribute it via spear-phishing campaigns, threat intelligence firm Kela reported. Advertisements that started appearing in May for "RaaS Knight" on cybercrime forums claimed that the ransomware could be used not just to forcibly encrypt Windows systems, but also Linux, VMware ESXi and macOS, it said.

Ransomware-as-a-service operations supply frequently updated crypto-locking malware to preselected business partners, aka affiliates. Operators typically keep 20% to 30% of every ransom paid, and the rest goes to the affiliate who infected the victim.

"Upon encryption, files will have a .knight, .knightl or .knight_l extension," security firm SentinelOne reported. It said Knight offers a more full-featured version of its ransomware including stealer functionality, as well as a Knight Lite version designed for "broader, non-targeted, spam-based attacks."

Knight, as Cyclops has rebranded itself, gives its affiliates a choice of profit-sharing approaches. "The actor behind the operation claimed it to be 'partner-friendly,' offering two ways of cooperation: 'no deposit,' where the Cyclops team is negotiating with victims; and 'with deposit,' where affiliates can conduct negotiations on their own," Kela said. "The actor also stated they take 'the lowest commission share in the market,' although he didn't specify the exact share they would take from successfully paid ransoms."

Knight maintains a data leak blog, where it lists a subset of victims who failed to pay a ransom, to try and pressure them and future victims into paying.

Cisco Talos suspects Qakbot, or someone who has hired Qakbot, is an affiliate of Knight and does not have anything to do with running the ransomware operation.

Whether Qakbot will reboot its own botnet infrastructure to infect endpoints with malware and control them remotely via its command-and-control servers remains to be seen. Qakbot was previously one of the world's longest-running botnets, having launched as a banking Trojan in 2008. After many years and upgrades later, senior FBI and Justice Department officials said the malware was tied to hundreds of millions of dollars in losses. Will Qakbot's operators walk away from such profit-making potential?

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.