The hackers behind the Qakbot malware are continuing their criminal activities, targeting new victims with ransomware and remote access trojans, despite the recent takedown of the operation by the FBI. The Qakbot malware, which had infected over 700,000 machines worldwide, causing millions of dollars in damages, was supposedly dismantled by the FBI in August. However, researchers from Cisco Talos have discovered that the hackers behind Qakbot are still active and have been distributing other malicious software since early August.
Key Takeaway
The Qakbot hackers are still active and targeting new victims with ransomware and remote access trojans despite the FBI’s takedown operation. The hackers are distributing malicious software through phishing emails, using urgent financial matters as a theme. While the full extent of the ongoing campaign is difficult to determine, it is evident that the Qakbot operators still pose a significant threat, with the ability to rebuild their infrastructure and resume large-scale attacks.
Qakbot Hackers Launch New Campaign
Since the FBI’s takedown, the Qakbot hackers have been carrying out a new campaign in which they distribute Ransom Knight ransomware, Remcos remote access trojan, RedLine information stealer malware, and Darkgate backdoor. The hackers have been sending phishing emails to victims, using urgent financial matters as a theme to lure them in. Researchers from Talos have identified filenames and themes consistent with previous Qakbot campaigns, leading them to assess with moderate confidence that the Qakbot-affiliated hackers are behind this new campaign.
Qakbot’s Targeted Victims and Distribution Network
While the exact scope of the campaign is difficult to determine, Talos researchers have found that the hackers primarily target users in Italy, as the malicious file names are written in Italian. However, English and German-speaking individuals have also been targeted. Qakbot is known for its highly effective distribution network, which allows for large-scale campaigns. Previous victims of Qakbot included a power engineering firm, financial services organizations, a defense manufacturer, and a food distribution company, all based in various locations across the United States.
The Impact of FBI’s Takedown Operation
Talos researchers state that the ongoing campaign indicates the FBI’s takedown operation, dubbed “Operation Duck Hunt,” may not have affected Qakbot operators’ spam delivery infrastructure but only their command and control servers. This suggests that Qakbot’s developers are still operational and capable of rebuilding their infrastructure to resume their illicit activities. The true impact of the takedown remains uncertain, as an unnamed FBI spokesperson declined to comment on the matter.
