A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network.
Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.
“Targets received a PDF from a user masquerading as an IRS employee,” the tech giant said in a series of posts shared on X (formerly Twitter).
“The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export ‘hvsi’ execution of an embedded DLL.”
Traditional security measures won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.
Microsoft said that the payload was generated the same day the campaign started and that it’s configured with the previously unseen version 0x500.
QakBot, also called QBot and Pinkslipbot, was disrupted as part of a coordinated effort called Operation Duck Hunt after the authorities managed to gain access to its infrastructure and instructed the infected computers to download an uninstaller file to render the malware ineffective.
Traditionally distributed via spam email messages containing malicious attachments or hyperlinks, QakBot is capable of harvesting sensitive information as well as delivering additional malware, including ransomware.
In October 2023, Cisco Talos revealed that QakBot affiliates were leveraging phishing lures to deliver a mix of ransomware, remote access trojans, and stealer malware.
The return of QakBot mirrors that of Emotet, which also resurfaced in late 2021 months after it was dismantled by law enforcement and has remained an enduring threat, albeit at a lower level.
While it remains to be seen if the malware will return to its former glory, the resilience of such botnets underscores the need for organizations to avoid falling victim to spam emails used in Emotet and QakBot campaigns.