The hackers behind Qakbot, a infamous malware operation that was just lately “dismantled” by the FBI, are nonetheless lively and proceed to focus on new victims, researchers say.
The FBI introduced in August that it had efficiently “disrupted and dismantled” the infrastructure of the long-running Qakbot malware, which had contaminated greater than 700,000 machines worldwide to trigger tons of of thousands and thousands of {dollars} of injury. The FBI mentioned on the time that the takedown, dubbed “Operation Duck Hunt”, included the seizure of 52 servers, which the company mentioned would “completely dismantle” the botnet.
Regardless of these efforts, the hackers behind the Qakbot malware proceed to spam new victims, based on new analysis from Cisco Talos.
The researchers say they’ve noticed hackers finishing up a marketing campaign since early August throughout which they’ve been distributing Ransom Knight ransomware, a current rebrand of the Cyclops ransomware-as-a-service operation, and the Remcos distant entry trojan, which offers attackers with full entry to a sufferer’s machine by sending phishing emails. The attackers have additionally begun to distribute the RedLine info stealer malware and the Darkgate backdoor, Talos researcher Guilherme Venere tells information.killnetswitch.
Talos says it assesses with “reasonable confidence” that Qakbot-affiliated hackers are behind this marketing campaign, noting that the filenames used, together with themes of pressing monetary issues, are in step with earlier Qakbot campaigns.
Talos notes that the malicious file names getting used are written in Italian, which suggests the hackers are principally focusing on customers in that area, including that the marketing campaign has additionally focused English and German-speaking people. Venere tells information.killnetswitch that figuring out the true scope of the marketing campaign is tough, however mentioned that the Qakbot distribution community is extremely efficient and has the power to push large-scale campaigns.
Earlier Qakbot victims have included an influence engineering agency primarily based in Illinois; monetary providers organizations primarily based in Alabama, Kansas, and Maryland; a protection producer primarily based in Maryland; and a meals distribution firm in Southern California, based on the FBI.
This marketing campaign, which began previous to the FBI’s takedown, is ongoing, based on the researchers. This means that Operation Duck Hunt could not have impacted Qakbot operators’ spam supply infrastructure, however somewhat solely their command and management (C2) servers, based on Talos.
“Qakbot will doubtless proceed to pose a major risk shifting ahead, because the builders weren’t arrested and Talos assesses they’re nonetheless operational,” Venere mentioned. Talos famous that the attackers could select to rebuild the Qakbot infrastructure, enabling them to completely resume pre-takedown exercise.
