Persistent threat actor reappears after FBI takedown of QakBot

Just a few weeks ago, US law enforcement said that it dismantled a prominent decade-old malware platform with ties to Russia. But the cybercriminal group using the loader is still active, researchers have now said.

The US Federal Bureau of Investigation (FBI) and European law enforcement agencies announced at the end of August that they had taken down the core computer infrastructure used by the hackers operating QakBot, a malware loader.

Authorities said at the time that the QakBot banking trojan, also known as QBot or Pinkslipbot, had been in use by cybercriminals and ransomware groups since 2008 and had infected more than 700,000 victim computers. The hackers were attacking health care companies and government agencies worldwide.

The operation, dubbed “Duck Hunt,” removed the QakBot files from victims’ computers while keeping the victims’ sensitive data secure, authorities said.

However, a separate set of infrastructure the hackers use to send phishing emails to prospective victims appears to have been untouched by the FBI takedown, according to Cisco Talos, the threat intelligence unit of US technology company Cisco.

“Many people in the security industry wondered whether this (the FBI takedown) would mean that the Qakbot affiliates were gone forever or just temporarily out of work while rebuilding their infrastructure,” said the researchers.

“Talos assesses with moderate confidence that the threat actors behind Qakbot are still active and have been conducting a new campaign that started just before the takedown.”

Over the past two months, the threat actors have been sending malicious emails written in English, German and Italian in an effort to rebuild the network of infected computers they use for attacks.

Because ReliaQuest threat researchers identified QakBot just this past August as one of only three malware loaders responsible for nearly 80% of all cyberattacks, attacks are likely to resume soon, Cisco Talos said.

“We assess the malware will continue to pose a significant threat moving forward. We see this as likely as the developers were not arrested and are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure to fully resume their pre-takedown activity,” the report says.

Associated with the Russian-speaking Black Basta ransomware group, QakBot was originally designed as a banking trojan and has been upgraded with new capabilities over the years.

The versatile malware can deliver remote-access payloads, steal sensitive data, allow lateral movement within targeted networks, and carry out remote code execution.
