QakBot Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks

Despite the disruption of its infrastructure, the group responsible for the QakBot malware has been linked to an ongoing phishing campaign that commenced in early August 2023. This campaign resulted in the distribution of Ransom Knight (also known as Cyclops) ransomware and Remcos RAT.

The noteworthy aspect here is that “the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command-and-control (C2) servers,” as noted by Guilherme Venere, a researcher at Cisco Talos, in a newly published report.

The cybersecurity firm has attributed this activity with moderate confidence to QakBot affiliates. To date, there is no evidence indicating that the threat actors have resumed the distribution of the QakBot malware loader following the takedown of their infrastructure.

Originating in 2007 as a Windows-based banking trojan, QakBot, also known as QBot and Pinkslipbot, subsequently evolved to deliver additional payloads, including ransomware. In late August 2023, this notorious malware operation faced a setback during a law enforcement operation called Duck Hunt.

The most recent activity, which began just before the infrastructure takedown, initiates with a malicious LNK file, likely disseminated through phishing emails. When executed, this LNK file triggers the infection process and ultimately deploys the Ransom Knight ransomware, which is a recent rebranding of the Cyclops ransomware-as-a-service (RaaS) scheme.

It’s worth noting that the ZIP archives containing the LNK files have been observed to incorporate Excel add-in (.XLL) files, which are used to propagate the Remcos RAT. This RAT allows for persistent backdoor access to compromised endpoints.
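A defender-side triage check for the archive pattern described above (LNK and .XLL entries shipped together in one ZIP). This is an added example, not code from the Talos report; it matches the public Shell Link header signature rather than trusting file extensions, and the sample archive is constructed inline.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the LNK CLSID prefix.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
# Excel add-ins (.xll) are PE DLLs, so the file starts with the "MZ" header.
PE_MAGIC = b"MZ"


def triage_zip(data: bytes) -> dict:
    """Inspect an in-memory ZIP and report LNK / XLL lure entries.

    Returns the suspicious entry names, any LNK payloads whose name hides
    the .lnk extension, and an overall verdict.
    """
    findings = {"lnk": [], "xll": [], "extension_mismatch": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # magic-byte check, independent of the name
            name = info.filename.lower()
            if head.startswith(LNK_MAGIC):
                findings["lnk"].append(info.filename)
                if not name.endswith(".lnk"):
                    findings["extension_mismatch"].append(info.filename)
            elif name.endswith(".xll") and head.startswith(PE_MAGIC):
                findings["xll"].append(info.filename)
    findings["suspicious"] = bool(findings["lnk"] or findings["xll"])
    return findings


def build_zip(entries: dict) -> bytes:
    """Build a ZIP from {name: bytes}; used here only to construct test samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archive (not a real campaign artifact): one .lnk entry,
# one LNK payload with a misleading name, one .xll add-in and one benign file.
SAMPLE_ZIP = build_zip({
    "Documento.lnk": LNK_MAGIC + b"\x00" * 68,
    "notes.txt": LNK_MAGIC + b"\x00" * 68,
    "plugin.xll": PE_MAGIC + b"\x00" * 62,
    "readme.txt": b"plain text, nothing to see",
})
```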

Interestingly, some of the filenames utilized in this campaign are written in Italian, indicating that the threat actors may be targeting users in that particular region.

In conclusion, despite the absence of QakBot distribution after the infrastructure takedown, the researchers assess that this malware will likely continue to pose a significant threat in the future. Given that the operators remain active, they may opt to rebuild the QakBot infrastructure to fully reinstate their pre-takedown activities.

Megafea Editors