The FBI may have dealt a blow to the ransomware scourge with August’s takedown of Qakbot, a notorious botnet. But it looks like the hackers behind the botnet are still a threat.
Security researchers at Cisco's Talos group recently spotted evidence that some of the Qakbot infrastructure remains intact and continues to send out phishing emails designed to infect targets with ransomware.
The findings are based on a phishing email campaign that began in early August, weeks before the FBI hijacked the control servers for Qakbot, which should have shut it down. But since then, the phishing campaign has remained active.
“We believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but only its command and control servers,” Cisco’s Talos group said. “We tracked this new activity by connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns.”
LNK, or Shell Link, files are Windows shortcuts that point to another file, folder, or application. In this campaign, the phishing emails carry LNK files with document-like names such as “ATTENTION-Invoice-29-August.docx.lnk” or “Booking info.pdf.lnk” so that recipients open them; once opened, the shortcut downloads and executes a malicious payload.
Cisco’s researchers noticed that the LNK files in the recent campaign carry the drive serial number “0x2848e8a8” in their metadata, a value that also appeared in the metadata of LNK files from earlier Qakbot phishing campaigns.
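The drive serial number Talos used for attribution lives in the VolumeID block of the Shell Link binary format, so a defender can pull it out of a suspicious .lnk attachment and compare it against the published indicator. The parser below is an added example, not code from Cisco Talos or PCMag; it follows the MS-SHLLINK layout (76-byte header, optional LinkTargetIDList, then LinkInfo containing the VolumeID). The only value taken from the article is the serial 0x2848e8a8; the sample shortcut is constructed in the block as a test fixture, and the double-extension check mirrors the filenames quoted above.

```python
import struct

# Drive serial number that Talos tied to both the pre- and post-takedown
# Qakbot LNK campaigns (value taken from the article above).
QAKBOT_LNK_SERIAL = 0x2848E8A8

# ShellLinkHeader.LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
# LinkInfo.LinkInfoFlags bit (MS-SHLLINK 2.3)
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01

DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx"}


def lnk_drive_serial(data: bytes):
    """Return the VolumeID.DriveSerialNumber of a Shell Link blob, or None
    when the shortcut carries no local volume information."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        # LinkTargetIDList = IDListSize (2 bytes) + IDList
        id_list_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + id_list_size
    if not link_flags & HAS_LINK_INFO:
        return None
    if pos + 16 > len(data):
        raise ValueError("truncated LinkInfo")
    # LinkInfoSize, LinkInfoHeaderSize, LinkInfoFlags, VolumeIDOffset
    _size, _hdr, info_flags, vol_off = struct.unpack_from("<IIII", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    vol = pos + vol_off  # VolumeIDOffset is relative to the LinkInfo start
    if vol + 16 > len(data):
        raise ValueError("truncated VolumeID")
    # VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset
    _vsize, _drive_type, serial, _label_off = struct.unpack_from("<IIII", data, vol)
    return serial


def disguised_as_document(filename: str) -> bool:
    """True for names like Invoice.docx.lnk that hide the .lnk behind a
    document extension."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    inner = name[:-4].rsplit(".", 1)
    return len(inner) == 2 and inner[1] in DOCUMENT_EXTENSIONS


def triage(filename: str, data: bytes) -> list:
    """Collect the indicators a mail-gateway or IR script would report."""
    findings = []
    if lnk_drive_serial(data) == QAKBOT_LNK_SERIAL:
        findings.append("drive serial matches Qakbot LNK indicator")
    if disguised_as_document(filename):
        findings.append("double extension disguises shortcut as a document")
    return findings


def build_sample_lnk(serial: int, with_idlist: bool = False) -> bytes:
    """Construct a minimal, valid .lnk containing a VolumeID (test fixture,
    not a real campaign sample)."""
    label = b"SYS\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, serial, 16) + label
    base_path, suffix = b"C:\\\x00", b"\x00"
    hdr = 28  # LinkInfoHeaderSize without the optional Unicode offsets
    link_info = struct.pack(
        "<IIIIIII",
        hdr + len(volume_id) + len(base_path) + len(suffix),
        hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
        hdr, hdr + len(volume_id), 0, hdr + len(volume_id) + len(base_path),
    ) + volume_id + base_path + suffix
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    # LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")
    flags = HAS_LINK_INFO | (HAS_LINK_TARGET_ID_LIST if with_idlist else 0)
    struct.pack_into("<I", header, 0x14, flags)
    id_list = b""
    if with_idlist:
        items = b"\x04\x00AB" + b"\x00\x00"  # one 4-byte ItemID + terminator
        id_list = struct.pack("<H", len(items)) + items
    return bytes(header) + id_list + link_info


if __name__ == "__main__":
    sample = build_sample_lnk(QAKBOT_LNK_SERIAL, with_idlist=True)
    print(hex(lnk_drive_serial(sample)))
    print(triage("ATTENTION-Invoice-29-August.docx.lnk", sample))
```

Run it against a real attachment with `triage(name, open(path, "rb").read())`; the serial is one of several metadata fields (machine ID, MAC-derived values) that Talos-style campaign clustering relies on, so treat a match as an attribution lead to corroborate rather than a verdict on its own.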
Cisco adds that the remaining Qakbot infrastructure appears to be distributing a variant of the Cyclops/Ransom Knight ransomware, along with a backdoor called Remcos. "We do not believe the Qakbot threat actors are
Read more on pcmag.com