QakBot malware has re-emerged in phishing campaigns, following a disruption of the botnet by law enforcement during the summer.
In August, a multinational law enforcement initiative named Operation Duck Hunt successfully infiltrated the servers of the QakBot admin, meticulously mapping out the botnet’s infrastructure.
Upon obtaining the botnet’s encryption keys, which were crucial for malware communication, the FBI seized control and deployed a customized Windows DLL module to compromised devices. This DLL executed a command that effectively terminated the QakBot malware, leading to the successful disruption of the entire botnet.
All about the return of Qbot malware
Microsoft has issued a warning about QakBot’s resurgence in a phishing campaign masquerading as an email from an IRS employee. The observed attack, initially targeting the hospitality sector, was first detected on December 11th.
The email disguises itself as a PDF file resembling a guest list with a message stating “Document preview is not available.” Subsequently, it urges the user to download the PDF for proper viewing. However, upon clicking the download button, recipients unwittingly download an MSI file. Upon installation, this MSI file activates the Qakbot malware DLL, injecting it into the system’s memory.
Microsoft reports that the DLL was generated on December 11th, the same day the phishing campaign commenced. It operates under the campaign code ‘tchk06’ and connects to command and control servers at 188.8.131.52:443 and 184.108.40.206:443.
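As an added illustration of how a defender would operationalise the details above (this is example code written for this article, not tooling from Microsoft or the researchers cited), the following script runs two checks over constructed log lines in an assumed key=value format: it matches outbound connections against the two command and control endpoints reported above, and it flags a DLL host process (rundll32.exe or regsvr32.exe) spawned by msiexec.exe, which is an assumed heuristic for the "MSI activates the DLL" step rather than a signature taken from the article. The sample log lines and the hostnames, paths and the benign address 203.0.113.5 are all constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators reported in the article: the two C2 endpoints and the campaign code.
KNOWN_C2 = {("188.8.131.52", 443), ("184.108.40.206", 443)}
CAMPAIGN_CODE = "tchk06"

# Assumed heuristic (not from the article): an MSI installer that spawns a
# DLL host process is a reasonable proxy for the "MSI activates the DLL" step.
INSTALLER = "msiexec.exe"
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quoted values may contain spaces)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert label for a parsed event, or None if nothing matched."""
    if event.get("type") == "net":
        try:
            key = (event["dst"], int(event["dport"]))
        except (KeyError, ValueError):
            return None
        if key in KNOWN_C2:
            return "qakbot-c2:%s:%s" % key
    elif event.get("type") == "proc":
        parent = event.get("parent", "").lower()
        image = event.get("image", "").lower()
        if parent == INSTALLER and image in DLL_HOSTS:
            return "msi-dll-load:" + image
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run classify over raw log lines and return (host, alert) pairs in log order."""
    hits = []
    for line in lines:
        event = parse(line)
        label = classify(event)
        if label:
            hits.append((event.get("host", "?"), label))
    return hits


# Constructed sample telemetry (not real logs): an MSI-spawned rundll32,
# one connection to a reported C2, one benign HTTPS connection, and a
# legitimate rundll32 launched from explorer.exe that must not alert.
SAMPLE_LOGS = [
    'ts=2023-12-11T10:01:50Z type=proc host=WS12 parent=msiexec.exe image=rundll32.exe '
    r'cmd="rundll32.exe C:\Users\guest\AppData\Local\Temp\preview.dll,start"',
    'ts=2023-12-11T10:02:11Z type=net host=WS12 dst=188.8.131.52 dport=443 proto=tcp',
    'ts=2023-12-11T10:02:13Z type=net host=WS12 dst=203.0.113.5 dport=443 proto=tcp',
    'ts=2023-12-11T10:03:00Z type=proc host=WS07 parent=explorer.exe image=rundll32.exe '
    r'cmd="rundll32.exe shell32.dll,Control_RunDLL"',
]

if __name__ == "__main__":
    for host, alert in scan(SAMPLE_LOGS):
        print(host, alert)
```

The IP match is exact on address and port, so the benign connection and a hit on the C2 address over a different port are both ignored; the process rule keys on the parent image alone, so a rundll32.exe started from the desktop does not fire. In a real deployment the indicator set would be loaded from a feed rather than hard-coded, and the two alerts for the same host within seconds of each other are the signal worth escalating.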
Microsoft tweeted, “Most notably, the Qakbot payload delivered is configured with the previously unseen version 0x500,” underscoring the malware’s ongoing evolution.
Security researchers Pim Trouerbach and Tommy Madjar have independently verified that the distributed Qakbot payload is indeed a new iteration, featuring some minor modifications.
According to Trouerbach, there are slight modifications in the latest QakBot DLL, such as the use of AES for decrypting strings instead of XOR, as seen in the previous version.
Additionally, Trouerbach suggests that the new version is likely still in development, citing the presence of some unusual bugs.
While it is too soon to tell if Qbot will have trouble regaining its former size, admins and users need to be on the lookout for reply-chain phishing emails that are commonly used to distribute the malware.
Before executing downloaded files from the internet, it’s advisable to scan them using your antivirus (AV) tool. Most modern security tools are equipped to detect the old threat, even if its authors have implemented evasion-enhancing refinements in the code.