QakBot Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks
6.1.2023 Virus  The Hacker News


Despite the disruption to its infrastructure, the threat actors behind the QakBot malware have been linked to an ongoing phishing campaign since early August 2023 that led to the delivery of Ransom Knight (aka Cyclops) ransomware and Remcos RAT.

This indicates that "the law enforcement operation may not have impacted Qakbot operators' spam delivery infrastructure but rather only their command-and-control (C2) servers," Cisco Talos researcher Guilherme Venere said in a new report published today.

The activity has been attributed with moderate confidence by the cybersecurity firm to QakBot affiliates. There is no evidence to date that the threat actors have resumed distributing the malware loader itself post-infrastructure takedown.

QakBot, also called QBot and Pinkslipbot, originated as a Windows-based banking trojan in 2007 and subsequently developed capabilities to deliver additional payloads, including ransomware. In late August 2023, the notorious malware operation was dealt a blow as part of an operation named Duck Hunt.


The latest activity, which commenced just before the takedown, starts with a malicious LNK file likely distributed via phishing emails that, when launched, detonates the infection and ultimately deploys the Ransom Knight ransomware, a recent rebrand of the Cyclops ransomware-as-a-service (RaaS) scheme.

The ZIP archives containing the LNK files have also been observed incorporating Excel add-in (.XLL) files to propagate the Remcos RAT, which facilitates persistent backdoor access to the endpoints.

Some of the file names being used in the campaign are written in Italian, which suggests the attackers are targeting users in that region.

"Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward," Venere said.

"Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity."

Cisco Talos told The Hacker News that the attack chains are also being used to deliver other malware such as DarkGate, MetaStealer, and RedLine Stealer.

"Identifying the true scope is difficult but as we've already seen the QakBot distribution network is highly effective and has the ability to push large scale campaigns," Venere told the publication. "We have observed phishing emails distributing these malware to Italian, German, and English victims which shows the campaign is widespread."