
Qakbot: The Evil Duck Reappears

Qakbot, also known as Qbot, has remained a persistent and formidable adversary since the mid-2000s, when it first emerged as a banking Trojan. It has evolved and adapted to bypass cyber defences, staying on the list of top malware families for more than a decade.

The Genesis of Qakbot

First identified in 2008, Qakbot was designed to steal financial data and confidential information from compromised systems. Earlier versions used keylogging and inspection of web traffic to get hold of this sensitive data. It is also known as Pinkslipbot. Qakbot is a second-stage malware: it relies on an initial access technique, typically phishing, as the first stage.

Infrastructure

Qakbot uses a layered infrastructure for its command and control (C2) servers. The threat actors typically host these servers through providers who lease them out and generally do not cooperate with law enforcement agencies seeking to shut them down. The graph below depicts the malware's C2 structure. Tier 1 nodes are a subset of infected systems chosen as supernodes, which relay communication between the victim computers and the upper tiers; supernodes were present in 63 countries. The intermediary nodes act as proxies between the main C2 server and the infected machines in order to cover the operators' tracks.

Qakbot C2 server tiers (CISA)

Evolutionary Phases

Over the years, the malware has undergone several evolutionary phases, showcasing its adaptability and resilience to security measures. It evolved from a basic banking Trojan to a multifunctional threat capable of employing various attack vectors, including exploit kits, phishing emails, and lateral movement within networks. One significant evolutionary leap involved the integration of worm-like capabilities, enabling Qakbot to propagate across networks swiftly. It utilized brute force techniques to spread laterally, infecting interconnected devices and networks, amplifying its impact and complicating mitigation efforts.

Ransomware Gangs using Qakbot

Various financially motivated ransomware groups are known to use Qakbot as an infection vector. The list includes Conti, ProLock, Egregor, REvil, MegaCortex, Black Basta and Royal.

FBI-Led Law Enforcement Agencies Take Down Qakbot

In August 2023, the FBI, in collaboration with other law enforcement agencies, took down Qakbot's infrastructure and seized cryptocurrency worth about $8.6 million. The operation identified over 700,000 machines infected with the malware, of which about 200,000 were in the US. By redirecting the botnet's traffic to servers under law enforcement control, the agencies were able to instruct the infected machines to download an uninstaller, dismantling the malware network.

Qakbot Returns

About three months after the takedown, in December 2023, Microsoft Threat Intelligence reported phishing campaigns connected to Qakbot. On its return, the primary target was the hospitality sector. The phishing email masqueraded as a message from the IRS, as shown in the image below.

Qakbot phishing email (Microsoft)

Conclusion

Qakbot has been around for a long time and its roots are strong. It is operated by cybercriminals based in Eastern Europe. According to a report published by Check Point, Qakbot was the most prevalent malware in multiple regions globally.

Top malware groups by region (Check Point)

The malware targeted multiple sectors.

Impacted sectors (Check Point)

Although the infrastructure has been taken down, the individuals responsible for the malware and their connections persist. They will learn from the takedown and make a comeback. As cybercriminals grow stronger, security solutions also advance. Therefore, prepare for such attacks by implementing and maintaining robust security measures.