The Qakbot malware botnet’s command-and-control servers were seized by an international law enforcement operation in August, but the operation did not arrest any of the perpetrators. It now appears that it also left the group’s email infrastructure intact: a ransomware campaign tied to the same operators has run continuously from before the August action through to the present.
The attackers are no longer using the tools associated with the botnet itself; instead they are distributing payloads obtained from other ransomware-as-a-service providers. This signals an intent to use whatever resources remain to them to rebuild Qakbot, or something very similar.
Qakbot malware botnet not yet 100% out of business
The August action saw 52 servers seized along with more than $8 million in cryptocurrency. That was enough for the FBI to declare the botnet “permanently disabled.”
While the botnet is at least temporarily disabled, the threat is not gone until the operators are found and prosecuted. They are already signalling that they will remain a problem by distributing Ransom Knight ransomware and the RedLine infostealer through their existing email infrastructure, and they will likely try to rebuild in the same way Emotet and Trickbot did after their own law enforcement disruptions. Both of those botnets returned to essentially full capacity within roughly a year of being taken down.
As long as the perpetrators remain free and phishing emails keep their relatively high success rate, any criminal operation of this sort can rebuild. Qakbot is a brand the operators will want to preserve: it has existed for about 15 years and, until the August takedown, was still one of the most widely used initial-access tools in ransomware operations.
Operators remain on the loose, still a threat
Security researchers have tied the current campaign to the Qakbot operators with high confidence. The email campaign began before the botnet was taken down, persisted through the law enforcement action, and has continued since; the only change is the switch to other ransomware-as-a-service contractors once the command-and-control servers became unavailable. The campaign also reuses roughly a dozen malicious LNK file names, delivered as phishing attachments, that the group has used before.
One telltale sign is the group’s habit of giving files Italian names, suggesting a particular focus on that country. Other files are in English, but all are disguised as something relating to an urgent financial matter, in the hope that victims will open them without much scrutiny.
Organizations should watch for phishing emails of this kind: they carry a ZIP attachment containing the malicious LNK files along with an Excel XLL add-in that installs the Remcos backdoor when opened. The former Qakbot operators appear to be doing business with the Cyclops ransomware operation (since rebranded as Ransom Knight) and the RedLine malware-as-a-service group until they get back on their feet.
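As an added triage example (not code from this page or from the researchers it cites), the following Python inspects a ZIP email attachment for the indicators described above: Windows shortcut (.lnk) members, an Excel add-in (.xll), double extensions such as "something.pdf.lnk", and urgent-financial wording in English or Italian in the file name. The sample archive, its member names and the keyword list are constructed for the demonstration and are not real campaign artefacts; the ShellLink header check is the one part that relies on the documented .lnk file format.

```python
"""
Attachment triage for ZIP archives carrying .lnk shortcuts and .xll add-ins.
Added example; the sample archive, file names and keyword list below are
constructed for the demo, not taken from any real campaign.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Constructed list of "urgent financial matter" wording, English and Italian.
# Replace or extend with terms from your own mail telemetry.
LURE_KEYWORDS = (
    "invoice", "payment", "urgent", "overdue", "refund",
    "fattura", "pagamento", "urgente", "scaduto", "rimborso",
)

# File types Windows/Excel will execute directly when the user opens them.
SUSPICIOUS_EXT = {".lnk", ".xll"}

# Documented ShellLink header: HeaderSize 0x4C (LE) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def _ext(name: str) -> str:
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def triage_zip(data: bytes) -> list:
    """Return one Finding per suspicious archive member; an empty list means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            lower = base.lower()
            reasons = []
            ext = _ext(lower)
            if ext in SUSPICIOUS_EXT:
                reasons.append(f"executable-type member {ext}")
            # "Fattura.pdf.lnk": the visible name suggests a document.
            parts = lower.split(".")
            if len(parts) >= 3 and parts[-1] in ("lnk", "xll"):
                reasons.append("double extension")
            # Lure wording on its own is not evidence; only report it when the
            # member is already suspicious, to avoid flagging every invoice.pdf.
            hits = [k for k in LURE_KEYWORDS if k in lower]
            if hits and reasons:
                reasons.append("financial lure name: " + ", ".join(hits))
            head = zf.open(info).read(8)
            if ext == ".lnk" and not head.startswith(LNK_MAGIC):
                reasons.append("claims .lnk but lacks ShellLink header")
            if ext == ".xll" and head.startswith(b"MZ"):
                reasons.append("native PE add-in; Excel will load it as code")
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def _build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed malicious-looking attachment: two lure-named LNKs plus an XLL."""
    lnk = LNK_MAGIC + b"\x00" * 40
    return _build_zip({
        "Fattura_urgente.pdf.lnk": lnk,
        "Overdue invoice.lnk": lnk,
        "report.xll": b"MZ" + b"\x00" * 62,
        "readme.txt": b"plain text, should not be flagged",
    })


def build_clean_zip() -> bytes:
    """Constructed benign attachment for comparison."""
    return _build_zip({"invoice.pdf": b"%PDF-1.4 ...", "notes.txt": b"ok"})


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f.member, "->", "; ".join(f.reasons))
    print("clean archive findings:", triage_zip(build_clean_zip()))
```

Run it against a real attachment by replacing `build_sample_zip()` with the raw bytes of the ZIP; because lure wording is only reported alongside an executable-type member, ordinary invoice PDFs do not trip the check.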