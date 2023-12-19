QakBot, also known as Qbot, has returned with a new phishing campaign after an international law enforcement operation dismantled the botnet by infiltrating its command-and-control (C2) network.

Before the takedown, the notorious botnet was known to have infected almost 700,000 computers globally and was linked to multiple attacks on the banking sector. Its operators used phishing emails to steal credentials and banking details.

This time the attackers have targeted the hospitality industry: the targets received an email that pretended to come from an Internal Revenue Service (IRS) employee. Microsoft warned organizations about this phishing attack almost a week after the campaign was launched.

Microsoft also concluded that the attackers started their campaign on December 11, 2023. It confirmed that the targets received a PDF file from the supposed IRS employee which displayed the message “Document preview is not available” and then prompted the recipient to download the PDF to view it.

Once the user clicks the download button, an MSI file is downloaded; running it installs and launches the QakBot malware as a dynamic-link library (DLL). According to the sources, the DLL was generated on the same day the attackers launched their campaign, and Microsoft identified it as version 0x500.
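The PDF lure, MSI download and DLL launch chain described above is what a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original article or from Microsoft; the minimal process-creation record format, its field names, the host names and the file paths are constructed assumptions, not real QakBot artefacts.

```python
"""Flag an MSI run from a user-writable folder that is followed, on the same
host within a short window, by rundll32/regsvr32 loading a DLL from a
user-writable folder. Record layout is an assumed, Sysmon-like minimum."""
import re
from datetime import datetime, timedelta

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata|desktop)\\", re.I)
MSI_ARG = re.compile(r"(\S+\.msi)\b", re.I)
DLL_ARG = re.compile(r"(\S+\.dll)\b", re.I)
DLL_LOADERS = ("rundll32.exe", "regsvr32.exe")

# Constructed sample events (not real telemetry): one suspicious chain on
# FRONTDESK-01, a DLL load on another host, and a benign vendor install.
SAMPLE_EVENTS = [
    {"ts": "2023-12-11T09:00:00", "host": "FRONTDESK-01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\guest\Downloads\IRS_Document.msi /qn"},
    {"ts": "2023-12-11T09:00:04", "host": "FRONTDESK-01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\guest\AppData\Local\Temp\update.dll,start"},
    {"ts": "2023-12-11T09:00:10", "host": "FRONTDESK-02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\guest\AppData\Local\Temp\update.dll,start"},
    {"ts": "2023-12-11T10:30:00", "host": "FRONTDESK-01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\ProgramData\Vendor\tool.msi /qn"},
    {"ts": "2023-12-11T10:30:02", "host": "FRONTDESK-01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def find_msi_to_dll_chains(events, window_seconds=60):
    """Return (host, msi_path, dll_path) for each suspicious MSI -> DLL chain."""
    hits = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(ordered):
        if not ev["image"].lower().endswith("msiexec.exe"):
            continue
        msi = MSI_ARG.search(ev["cmdline"])
        if not msi or not USER_WRITABLE.search(msi.group(1)):
            continue  # installs from system locations are not of interest here
        deadline = datetime.fromisoformat(ev["ts"]) + timedelta(seconds=window_seconds)
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["ts"]) > deadline:
                break  # events are time-ordered, nothing later can match
            if later["host"] != ev["host"] or not later["image"].lower().endswith(DLL_LOADERS):
                continue
            dll = DLL_ARG.search(later["cmdline"])
            if dll and USER_WRITABLE.search(dll.group(1)):
                hits.append((ev["host"], msi.group(1), dll.group(1)))
    return hits


if __name__ == "__main__":
    for host, msi_path, dll_path in find_msi_to_dll_chains(SAMPLE_EVENTS):
        print(f"{host}: {msi_path} -> {dll_path}")
```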

According to a series of posts by Zscaler ThreatLabz on X, the resurfaced Qbot is a 64-bit binary that uses the Advanced Encryption Standard (AES).

The First Emergence of QakBot

QakBot, or Qbot, was first observed in 2008 as a banking trojan. Many attackers have used this botnet to steal banking credentials, credit card details, and website cookies. Over time, the malware evolved into a malware delivery service, with its developers partnering with other threat actors to give them access to compromised networks.

QakBot is distributed through phishing campaigns that use a variety of lures. The best-known Qbot technique was the reply-chain email attack, in which the threat actors sent the target e-mails with a malicious document attached.

The document usually contains a download link; as soon as the recipient clicks the download button, QakBot starts spreading through the computer network, giving the attacker access to it.

Qbot was later dismantled in Operation Duck Hunt, conducted by law enforcement in 2021. The FBI hijacked the botnet by obtaining the encryption key used for the malware's communications. They then used a DLL module to execute a command that terminated the QakBot malware.

The Reemergence of QakBot

Then came the news from Microsoft: QakBot has re-emerged in phishing. This time the attackers have targeted the hospitality industry, though at low volume. Security researchers Pim Trouerbach and Tommy Madjar of Microsoft have also confirmed that the QakBot now being distributed is a new build with minor changes.

According to Trouerbach's observation, this Qbot DLL uses AES to decrypt its strings, whereas the previous version used XOR. He added that the new version of Qbot is still in development, as it contains some unusual bugs. He also expects that this Qbot will have difficulty regaining its previous size, while the threat actors are still attempting to rebuild their botnet.

