After the bust: Qakbot hackers still active
At the end of August 2023, the FBI proudly announced the dismantling of the Qakbot infrastructure. However, the masterminds behind Qakbot are still active and distributing malware, including the ransomware Ransom Knight (Cyclops) and the backdoor Remcos. Read our blog article to learn about the threats posed by Qakbot and its successors and how you can protect yourself.
Hackers used Qakbot for years to extort companies and government agencies. The main target since January 2020 has been healthcare in the U.S., but other industries in other countries have also been affected.
The botnet provided a command-and-control infrastructure that could be used to attack companies and individuals around the globe. According to investigators, the server infrastructure was located in Germany. Investigators took it over and deprived the perpetrators of access to the systems. Federal Minister of the Interior Nancy Faeser spoke of a “major and effective strike.”
Effective, yes, but unfortunately not in the long term: the masterminds behind Qakbot are still active and distributing malware, including the ransomware Ransom Knight (Cyclops) and the backdoor Remcos – both delivered via phishing emails.
What is Qakbot?
Qakbot, also known as “Qbot” and “Pinkslipbot”, is a malicious computer worm and banking Trojan that was first discovered in 2009. The malicious code targets Windows-based systems and is designed to collect confidential information, especially banking data and login credentials. Qakbot often spreads via infected email attachments, malicious websites and peer-to-peer networks.
The malware is capable of performing a variety of malicious activities, including keylogging (recording keystrokes), data theft, inserting backdoors into infected systems, and spreading the malware itself. In addition, Qakbot is able to persist in an infected system, i.e. remain active even after the computer is rebooted.
QakBot has appeared in two different ways so far: on the one hand, QakBot is bundled with malicious Microsoft Office attachments, which are used to carry out attacks against affected companies. On the other hand, QakBot works in combination with the ProLock ransomware, in which case QakBot serves as the door opener for the later infection.
QakBot-infected emails contain links pointing to compromised websites, from which malicious files are then supposed to be downloaded. Running these files then downloads the ransomware via PowerShell.
Different malware, still dangerous
We wrote about Qakbot in this space about two years ago (“When the Qakbot rings twice”). Despite the shutdown of the roughly 700,000 Qakbot drones, security analysts believe that although the botnet’s command-and-control infrastructure has been seized by law enforcement, the remaining infrastructure is intact and the operators have – apparently successfully – sought ways to continue distributing malicious code.
The perpetrators were identified by their use of malicious LNK files named and formatted in the same way as those previously associated with Qakbot. These include about a dozen file names that make the files appear to be, for example, an invoice or a bank transfer. About half of them are written in Italian, which suggests that the operators have lately been focusing on a particular region. The LNK files come in a ZIP archive that also contains the Remcos backdoor disguised as a legitimate Excel add-in (XLL) file.
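As an added illustration (not code from the original post or from NoSpamProxy), a Python triage routine that checks a ZIP attachment for the lure layout described above: LNK shortcuts with invoice- or transfer-style names packaged next to an XLL add-in. The Italian keywords are an assumption, and the sample ZIP is constructed in memory with placeholder bytes.

```python
import io
import zipfile

# File types the article ties to the post-takedown campaign: Windows shortcut
# lures (.lnk) packaged with a Remcos payload disguised as an Excel add-in (.xll).
SHORTCUT_EXT, ADDIN_EXT = ".lnk", ".xll"

# Lure themes named in the article (invoice, bank transfer). The Italian words are
# an assumption: the article only says about half of the lure names are Italian.
LURE_KEYWORDS = ("invoice", "fattura", "transfer", "bonifico")


def _ext(name: str) -> str:
    """Lower-cased extension of a ZIP member name ('' if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def triage_zip(data: bytes) -> dict:
    """Classify a ZIP attachment as 'pass', 'review' or 'quarantine'.

    'quarantine' when a shortcut sits beside an add-in (the lure layout
    described above) or carries an invoice/transfer-style name; 'review'
    when only one of the two file types is present.
    """
    shortcuts, addins, reasons = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if ext == SHORTCUT_EXT:
                shortcuts.append(info.filename)
                if any(k in info.filename.lower() for k in LURE_KEYWORDS):
                    reasons.append(f"lure-style shortcut name: {info.filename}")
            elif ext == ADDIN_EXT:
                addins.append(info.filename)
    if shortcuts and addins:
        reasons.append("shortcut packaged with an Excel add-in")
    verdict = "quarantine" if reasons else ("review" if shortcuts or addins else "pass")
    return {"verdict": verdict, "reasons": reasons}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A gateway would run `triage_zip` over each ZIP attachment before delivery and hold anything that returns `quarantine` for analyst review.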
Qakbot masterminds now use Ransomware-as-a-Service
The “malware” part of the botnet does appear to have been seriously disrupted: the attackers are no longer using malware previously associated with Qakbot. Instead, they seem to have become customers of the ransomware-as-a-service provider “Cyclops”. This group also recently attracted attention for using the RedLine malware.
Security experts nevertheless remain skeptical, because the main actors have not been identified and caught. In general, it can be assumed that the existing malware will be modified for new campaigns. So the danger remains, and with it the question of how best to protect against such attacks.
Email firewalls against Qakbot
A powerful email firewall that protects against spam and malware is therefore essential. It can ward off these dangers from the very beginning. NoSpamProxy offers numerous features for this that protect you from attacks with malware like QakBot.
Optimal protection against Qakbot with 32Guards
New malware trends, new types of spam attacks and emerging threats of all kinds are detected by 32Guards in the shortest possible time. And 32Guards is constantly learning: The growing database makes it possible to continuously improve 32Guards and adapt it to the current threat situation.
Unlike conventional cybersecurity solutions, 32Guards takes a global approach to analyzing current threats: the information from the individual NoSpamProxy instances, for example file name, file size or hash value, is combined by a higher-level malware intelligence and evaluated in real time. This enables rapid analysis and thus an immediate reaction to acute threat situations.
Reliably protect against QakBot with NoSpamProxy
With NoSpamProxy and the 32Guards service, you can reliably protect your company from malware like QakBot. Request your free trial version now!