While the Qakbot banking Trojan was eradicated in August by a large-scale law enforcement operation, the people behind it are still active and pose a threat to users, researchers said today.
According to a report from Cisco’s Talos threat intelligence group, its experts can say with “moderate confidence” that the creators and operators of Qakbot are actively working on a new campaign, this time distributing a variant of the Knight malware, which rebranded from Cyclops in July. Knight is a ransomware threat that operates as a service, distributed through phishing and extorting money from victimized companies by threatening to sell exfiltrated data.
The Talos team based their analysis on identifying drive serial numbers in LNK, or Windows shortcut, file metadata from computers associated with the earlier Qakbot attacks. Despite the Qakbot actors’ attempts to clean metadata from the specific files used by Talos, the team was still apparently able to identify one machine as being linked to those attacks.
“Some of the filenames are written in Italian, which suggests the threat actors may be targeting users in that region,” the Talos blog said. “The LNK files are being distributed inside Zip archives that also contain an XLL file.”
XLL files, the group noted, are a Microsoft Excel-related file format extension, which appear similar to regular .xls files in an Explorer window. The XLL files, if opened, install the Remcos backdoor, which is a remote administration tool that works in concert with Knight malware to gain access to targeted systems.
Talos said that the Qakbot actors are unlikely to be the masterminds behind the Knight ransomware service itself, and are instead probably customers. The FBI-led enforcement action that took down Qakbot’s command-and-control servers in August, therefore, likely didn’t affect the group’s phishing infrastructure. This may also allow the group to simply rebuild its own back-end systems for Qakbot, leading to a potential resurgence.
Qakbot, according to Talos, was a serious threat, and one that was delivered in a particularly clever way. Rather than sending unprompted phishing emails to distribute the Trojan, the actors behind Qakbot hijacked Exchange servers at multiple third-party organizations, formatted the text of legitimate emails and added the Qakbot payload, then sent the malicious emails to legitimate message threads in target organizations.