The Qakbot botnet was disrupted this summer, but cybercriminals are not ready to give up on the malware: Microsoft’s threat analysts have spotted a new phishing campaign attempting to deliver it to targets in the hospitality industry.
Qakbot and its (temporary?) downfall
Qakbot, also known as Qbot, started as banking malware but has since evolved into a versatile vehicle for malware and ransomware distribution.
Its long-term survival and success are attributed to its operators periodically altering their tools and tactics, pausing spamming attacks for extended periods before returning with modified strategies.
In August, the US Department of Justice (DOJ) disrupted the Qakbot botnet by seizing 52 servers and removing the malware loader from over 700,000 victim computers worldwide. The operation, named “Duck Hunt,” involved international collaboration with countries such as France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia.
At the time, the DOJ seized over $8.6 million in cryptocurrency from the wallets of the Qakbot cybercriminal organization and identified compromised account credentials, while the FBI also gained access to Qakbot infrastructure, uncovering files related to botnet operation, ransomware victims, and details about ransomware attacks.
But disruption does not equal annihilation, and a resurgence of Qakbot distribution efforts was to be expected.
A new Qakbot phishing campaign
The Microsoft Threat Intelligence team recently identified a new Qakbot phishing campaign, the first since the takedown.
First observed on December 11, the campaign was small and targeted the hospitality industry via email. The email came from a sender pretending to be an IRS employee and contained a PDF named GuestListVegas.pdf.
Qakbot phishing email. (Source: Microsoft Threat Intelligence)
“The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export ‘hvsi’ execution of an embedded DLL,” the analysts noted.
They added that the DLL payload was created on the same day the campaign started, and provided two IP addresses that defenders can block to prevent the malware from running.
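As an added defender-side example (not code from the article or from Microsoft), the following Python flags the MSI-to-DLL step of this chain in process-creation telemetry. It assumes Sysmon-style event fields (ParentImage, Image, CommandLine) and that the embedded DLL is launched through rundll32.exe with the export name on the command line; the article only states that the DLL was invoked via the ‘hvsi’ export, so the launcher is an assumption.

```python
"""Flag an MSI installer launching a DLL through the 'hvsi' export.

Assumptions (not from the article): events carry Sysmon Event ID 1 style
fields, and the DLL is run via rundll32.exe with the export on the command line.
"""
import re

# Export name reported by Microsoft for this campaign (from the article).
QAKBOT_EXPORT = "hvsi"

# Matches:  rundll32[.exe] <dll or "quoted dll">,<export>  or  <dll> <export>
# The export may be written as a name or as an ordinal such as #1.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|[^\s,"]+)[,\s]+(?P<export>#?\w+)',
    re.IGNORECASE,
)


def is_qakbot_hvsi_launch(event: dict) -> bool:
    """True when a child of msiexec.exe invokes a DLL export named 'hvsi'."""
    parent = event.get("ParentImage", "").lower()
    if not parent.endswith("msiexec.exe"):
        return False
    match = RUNDLL_RE.search(event.get("CommandLine", ""))
    if match is None:
        return False
    return match.group("export").lstrip("#").lower() == QAKBOT_EXPORT


def find_suspicious(events: list) -> list:
    """Return the subset of process-creation events matching the chain."""
    return [e for e in events if is_qakbot_hvsi_launch(e)]


# Constructed sample telemetry (not real IoCs): a benign rundll32 call from
# Explorer, then two msiexec children using the 'hvsi' export, one with a
# quoted path containing a space, and one msiexec child using another export.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\guest\AppData\Local\Temp\sample_payload.dll,hvsi"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Program Files\Sample App\sample_payload.dll",hvsi'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe setupapi.dll,InstallHinfSection"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", hit["CommandLine"])
```

The parent-process condition keeps ordinary rundll32 usage out of the alert; dropping it would turn the rule into a plain export-name match, which is noisier but still useful for hunting across older telemetry.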