The dreaded QakBot malware is back and is being spread to victims in the hospitality industry, experts warn.
A new Microsoft report claims that threat actors are sending phishing emails that impersonate IRS employees to spread QakBot. The emails deliver a PDF file claiming to be a guest list. The document states that it cannot be viewed in the email client's preview window and asks the recipient to download it first.
In fact, victims who download and run the file are actually getting an MSI file that loads the malware DLL into memory. Microsoft said the campaign started a week ago, on December 11, adding that the malware was most likely created on the same day.
Duck season is back
QakBot was first built in 2008 and was originally designed as a banking Trojan. The aim was to steal login details for various banking services from the victims. However, over time it evolved into a malware dropper, now used by some of the world's largest and most dangerous ransomware operators.
Last summer, a team of international law enforcement agents, led by the FBI, managed to dismantle QakBot's infrastructure. By infiltrating the threat actor's network, law enforcement pushed an update to all infected endpoints that effectively killed the malware. The operation, called Duck Hunt, was hailed as a great success by the FBI.
Although the operation managed to prevent QakBot from being distributed and used for a few months, it seems the time for celebration is over. The new version has a few minor changes, security researchers told BleepingComputer, adding that it also contains a few “unusual bugs”. The bugs, the publication said, could indicate that the malware is still actively being developed and new versions could appear sooner or later.