Microsoft Discovers Low-Volume Campaign Targeting Hospitality Sector with QakBot Malware
The QakBot malware has resurfaced in a recent low-volume phishing campaign. Microsoft disclosed details about the campaign, which specifically targeted the hospitality industry. The phishing messages, which started circulating on December 11, 2023, carried a PDF purportedly from an IRS employee. The PDF concealed a URL that led to the download of a digitally signed Windows Installer (.msi). This installer triggered the execution of QakBot, which used a novel version 0x500 configuration.
The Resurfacing Threat
Despite Operation Duck Hunt, a prior law enforcement initiative that dismantled QakBot's infrastructure, the malware has made a comeback, demonstrating a concerning level of resilience. Microsoft reported that the payload was executed through the export 'hvsi' of an embedded DLL. Zscaler ThreatLabz further identified the resurfaced QakBot as a 64-bit binary that employs AES for network encryption and directs POST requests to the path /teorema505.
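A hunting sketch for the two indicators named above (the DLL export 'hvsi' and POST requests to /teorema505), added here as an example and not taken from Microsoft's or Zscaler ThreatLabz's reporting. The log formats, host names, domains and the idea that the export appears in a process command line in "dll,export" form are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators as stated in the article.
C2_PATH = "/teorema505"
DLL_EXPORT = "hvsi"

# Constructed sample telemetry. Assumed format: "<timestamp> <host> <rest>".
PROXY_LOG = """
2023-12-12T09:14:02Z FRONTDESK-07 POST https://c2.example.test/teorema505 200
2023-12-12T09:14:05Z FRONTDESK-07 GET https://intranet.example.test/teorema505 200
2023-12-12T09:20:41Z BACKOFFICE-02 POST https://pms.example.test/api/bookings 201
2023-12-12T09:31:10Z KIOSK-03 POST https://c2.example.test/teorema505?x=1 200
"""
PROC_LOG = """
2023-12-12T09:13:59Z FRONTDESK-07 rundll32.exe C:\\Users\\clerk\\AppData\\Roaming\\sample.dll,hvsi
2023-12-12T09:25:00Z BACKOFFICE-02 rundll32.exe shell32.dll,Control_RunDLL
2023-12-12T09:26:00Z BACKOFFICE-02 notepad.exe C:\\notes\\hvsi-meeting.txt
"""

# Assumption: the export is visible as "<file>.dll,hvsi" in a command line.
EXPORT_RE = re.compile(r"\.dll[\"']?\s*,\s*" + re.escape(DLL_EXPORT) + r"\b", re.I)

def proxy_hits(log):
    """Hosts that sent a POST whose URL path is exactly C2_PATH."""
    hits = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2].upper() == "POST" \
                and urlsplit(parts[3]).path == C2_PATH:
            hits[parts[1]].append(parts[0])
    return hits

def export_hits(log):
    """Hosts where a process command line invokes the DLL export."""
    hits = defaultdict(list)
    for line in log.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and EXPORT_RE.search(parts[2]):
            hits[parts[1]].append(parts[0])
    return hits

def triage(proxy_log, proc_log):
    """Rank hosts: both indicators -> 'high', a single indicator -> 'medium'."""
    net, proc = proxy_hits(proxy_log), export_hits(proc_log)
    return {h: "high" if h in net and h in proc else "medium"
            for h in sorted(set(net) | set(proc))}

if __name__ == "__main__":
    for host, level in triage(PROXY_LOG, PROC_LOG).items():
        print(f"{host}\t{level}")
```

Matching on the parsed URL path and the HTTP method, rather than on a bare substring, keeps the GET request and the unrelated file name in the sample from raising alerts.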
QakBot's Modus Operandi
QakBot, also known as QBot and Pinkslipbot, has a history of being distributed through spam emails containing malicious attachments or hyperlinks. Capable of harvesting sensitive information and delivering additional malware, including ransomware, QakBot poses a multifaceted threat to organizations. Cisco Talos previously revealed that QakBot affiliates employed phishing lures to distribute a combination of ransomware, remote access trojans, and stealer malware.
Comparisons to Emotet
The reappearance of QakBot draws parallels to the resurgence of Emotet, another notorious malware that reemerged after being dismantled by law enforcement. Emotet, like QakBot, has persisted as an enduring threat, albeit at a lower level. These instances emphasize the evolving nature of cyber threats and the challenges faced by organizations in maintaining robust cybersecurity measures.
Implications for Organizations
The return of QakBot highlights the persistent threat posed by resilient botnets. Organizations, especially those in the hospitality sector, must remain vigilant against falling victim to spam emails associated with QakBot and similar campaigns. The agility demonstrated by these malware strains underscores the importance of continuous improvement in cybersecurity strategies and threat detection mechanisms.
As QakBot resurfaces in a new wave of phishing attacks, the cybersecurity landscape faces an evolving challenge. The hospitality industry, in particular, is urged to enhance its defenses against this renewed threat. The collaborative efforts of security experts, such as Microsoft and Zscaler ThreatLabz, play a crucial role in monitoring and responding to these cyber threats.