Qakbot malware returns, despite the FBI saying it took it out
The FBI’s mission against the dreaded Qakbot malware operators may not have been as successful as initially thought, because, much like in comic books, the cyber villains are back with a vengeance.
Cybersecurity researchers from Cisco Talos recently published a new report stating that QakBot operators are likely behind a brand new phishing campaign (active since August this year) aiming to deliver the Cyclops and Remcos RATs (remote access trojans).
“The law enforcement operation may not have affected Qakbot operators’ spam delivery infrastructure, but only their command and control (C2) servers,” the report said.
Operation Duck Hunt
The news follows an announcement in late August 2023 from FBI Director Christopher Wray, who spoke about taking out one of the largest and most disruptive malicious botnets in existence during Operation Duck Hunt.
“The victims ranged from financial institutions on the East Coast to a government critical infrastructure contractor in the Midwest to a medical device manufacturer on the West Coast,” Wray said in the video. “This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers that were used to launch attacks on individuals and companies around the world.”
Although Talos researchers link the campaign to QakBot affiliates, they emphasize that the actors distributed other RATs rather than the QakBot loader itself. “While we have not seen the threat actors spreading Qakbot following the infrastructure takedown, we believe the malware will likely continue to pose a significant threat in the future,” Venere said.
“We are just as likely to see this because the developers have not been arrested and are still operational, which opens the possibility that they could choose to rebuild the Qakbot infrastructure.”
QakBot, also known as Qbot or Pinkslipbot, is a piece of malware that is more than ten years old. It targets Windows-powered endpoints and has evolved significantly over the years to also deliver ransomware, among other things.