Qakbot is back and targets the Hospitality industry

Experts warn of a new phishing campaign distributing the QakBot malware, months after law enforcement dismantled its infrastructure.

In August, the FBI announced that the Qakbot botnet was dismantled as a result of an international law enforcement operation named Operation ‘Duck Hunt.’

Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. The malware spreads via malspam campaigns, it inserts replies in active email threads.

Duck Hunt is one of the largest U.S.-led disruptions of a botnet infrastructure used by crooks to commit criminal activities, including ransomware attacks.

Despite the law enforcement operation, the threat actors behind QakBot are still active, Cisco Talos warns.

According to the researchers, the threat actors behind the Qakbot bot have been conducting a campaign since early August 2023. The attacks aimed at distributing Ransom Knight ransomware and the Remcos RAT.

This campaign began before the FBI shut down the Qakbot infrastructure in late August, but it is still ongoing. The experts speculate that the feds’ operation may not have impacted spam delivery infrastructure and its impact was limited to part of the C2 infrastructure.

Talos linked this campaign to Qakbot affiliates and speculated that developers are still operational.

Now Microsoft experts are warning of a new series of attacks distributing the QakBot malware.

The IT giant has identified a new campaign that began on December 11, it was low in volume and targeted the hospitality industry. Threat actors sent a PDF to the victims, the document comes from a user masquerading as an IRS employee.

The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Upon executing the installer, the Qakbot is invoked using export “hvsi” execution of an embedded DLL.

The analysis of the embedded configuration EPOCH timestamp reveals that the payload was generated on December 11. This campaign is coded as ‘tchk06,’ which means the payload was already configured with the previously undetected version 0x500.

“Microsoft Defender XDR detects the malicious components and activity associated with these new Qakbot campaigns.” concludes Microsoft.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)