Despite an FBI takedown, the operators behind Qakbot malware seem to be moving freely to launch their brand-new phishing scheme.
Cybersecurity researchers are alarmed by this development: they report that the threat actors remain active and continue to attack their intended victims.
Qakbot Malware Returns With a Vengeance
The FBI said back in August that it had "disrupted and dismantled" the notorious Qakbot malware operation. However, it appears that the hackers behind the operation are far from defeated.
Recent research by Cisco Talos suggests that these cybercriminals remain active and continue to target unsuspecting victims with new and evolving strategies.
Operation Duck Hunt is Not Successful
The FBI's Operation Duck Hunt, as it was named, did seem like a significant win. It involved the seizure of 52 servers, which was anticipated to "permanently dismantle" the Qakbot botnet.
Qakbot, a long-running malware operation, had wreaked havoc on over 700,000 machines globally, causing losses amounting to hundreds of millions of dollars. However, as the recent findings reveal, the fight may be far from over.
Cisco Talos' latest research indicates that since early August, the Qakbot hackers have been actively conducting campaigns and show no signs of slowing down.
The threat actors' tactics include distributing Ransom Knight ransomware (a rebrand of the Cyclops ransomware-as-a-service operation), the Remcos remote access trojan, the RedLine information stealer, and the DarkGate backdoor via phishing emails. The threat landscape continues to evolve to this day.
Talos experts note that there is a "moderate confidence" assessment that Qakbot-affiliated hackers are responsible for this ongoing campaign. The evidence lies in the choice of filenames and the consistent theme of urgent financial matters, aligning with previous Qakbot campaigns.
"This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe," FBI Director Christopher Wray said.
The hackers have also introduced an interesting twist by using filenames in Italian, suggesting a primary focus on Italian-speaking regions, TechCrunch writes in a report. Nonetheless, the campaign has also cast its net wide, targeting English- and German-speaking individuals.
Cracking Qakbot is Still a Challenge for the FBI
Understanding the exact scope of this campaign remains a challenge. Qakbot's distribution network has proven to be highly effective and capable of executing large-scale campaigns. Given the elusive nature of cybercriminals, the true extent of their activities is hard to pinpoint.
The FBI's records show that past victims of Qakbot have included a power engineering firm in Illinois, financial services organizations in Alabama, Kansas, and Maryland, a defense manufacturer in Maryland, and a food distribution company in Southern California.
It's imperative to recognize that this ongoing campaign began before the FBI's takedown operation. This suggests that Operation Duck Hunt, which focused mainly on the command and control (C2) servers, might not have significantly impacted the Qakbot operators' spam delivery infrastructure.