Researchers with Cisco Talos have found clues leading them to believe with “moderate confidence” that the threat actors behind Qakbot are still active and have been conducting a campaign spreading ransomware.
Researchers found that since early August, the threat actors they have linked to Qakbot have been distributing the Ransom Knight ransomware and Remcos backdoor through a phishing campaign. The campaign has not stopped even after the FBI announced on Aug. 29 that it had launched a widespread operation to disrupt and dismantle the botnet.
“Though we have not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward,” said Guilherme Venere with Cisco Talos in a Thursday analysis. “We see this as likely as the developers were not arrested and are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure.”
Venere said that the campaign was attributed to Qakbot affiliates because the metadata found in the LNK files in the attack matches metadata used by machines in previous Qakbot operations, which are tracked as “AA” and “BB.”
“In January 2023, we wrote a blog post on using metadata from LNK files to identify and track threat actors,” said researchers. “We specifically detailed how one machine used in the ‘AA’ campaign with a drive serial number of ‘0x2848e8a8’ was later used in a campaign for the new botnet named ‘BB.’ After our blog’s publication, primary Qakbot actors responsible for the ‘AA’, ‘BB’, and ‘Obama’ campaigns started to wipe out the metadata in their LNK files to make detection and tracking harder.”
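The tracking technique Talos describes relies on two host-identifying fields that Windows writes into every shortcut it creates: the DriveSerialNumber inside the LinkInfo VolumeID structure and the NetBIOS machine name inside the TrackerDataBlock. The following Python, added here as an illustration and not code from Talos or this article, walks the MS-SHLLINK layout to pull both fields out of a .lnk file and looks the serial up in a watchlist; it also returns nothing for the wiped-metadata case the researchers mention. The shortcut is constructed inline for the demo (the machine name DESKTOP-DEMO, the paths and the watchlist label are assumptions), and the only real value used is the serial 0x2848e8a8 quoted above.

```python
import struct

# ShellLinkHeader.LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional
# structures follow the 76-byte header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# LinkInfoFlags bit: a VolumeID (carrying the drive serial) is present.
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
# ExtraData block that records the creating host's NetBIOS name.
TRACKER_DATA_BLOCK_SIGNATURE = 0xA0000003

# Serial quoted in the article as shared by the "AA" and "BB" campaigns;
# the label text is an assumption for the demo.
WATCHLIST = {0x2848E8A8: "Qakbot AA/BB builder host (Talos, Jan 2023)"}


def parse_lnk_metadata(data: bytes) -> dict:
    """Walk a .lnk file and pull out the host-identifying fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: HeaderSize must be 0x4C")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    meta = {"drive_serial": None, "machine_id": None}
    pos = 0x4C
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if link_flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, vol_off = struct.unpack_from("<IIII", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            # VolumeID: VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset
            _size, _drive_type, serial = struct.unpack_from("<III", data, pos + vol_off)
            meta["drive_serial"] = serial
        pos += info_size
    width, enc = (2, "utf-16-le") if link_flags & IS_UNICODE else (1, "cp1252")
    for flag, name in STRING_DATA_FIELDS:  # StringData: CountCharacters + chars
        if link_flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            meta[name] = data[pos + 2 : pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    # ExtraData: (BlockSize, BlockSignature, ...) records until a size below 4.
    while pos + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_DATA_BLOCK_SIGNATURE:
            # Length, Version, then MachineID as 16 NUL-padded ASCII bytes.
            machine = data[pos + 16 : pos + 32].split(b"\x00", 1)[0]
            meta["machine_id"] = machine.decode("ascii", "replace")
        pos += block_size
    return meta


def match_known_host(meta: dict, watchlist: dict):
    """Look the LNK's drive serial up in a serial -> campaign label watchlist.
    A missing or zeroed serial (the wiped-metadata case) gives no attribution."""
    serial = meta.get("drive_serial")
    if not serial:
        return None
    return watchlist.get(serial)


def build_sample_lnk(drive_serial: int, machine_id: bytes) -> bytes:
    """Constructed minimal shortcut for the demo (not a real sample)."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # shell link CLSID
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<I", flags) + bytes(52)
    volume_id = struct.pack("<IIII", 17, 3, drive_serial, 16) + b"\x00"  # empty label
    local_path = b"C:\\demo\\payload.exe\x00"
    body = volume_id + local_path + b"\x00"  # VolumeID, LocalBasePath, CommonPathSuffix
    link_info = struct.pack(
        "<IIIIIII", 28 + len(body), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
        28, 28 + len(volume_id), 0, 28 + len(volume_id) + len(local_path),
    ) + body
    rel = ".\\payload.exe"
    string_data = struct.pack("<H", len(rel)) + rel.encode("utf-16-le")
    tracker = (struct.pack("<IIII", 0x60, TRACKER_DATA_BLOCK_SIGNATURE, 0x58, 0)
               + machine_id.ljust(16, b"\x00") + bytes(64))  # Droid GUIDs zeroed
    return header + link_info + string_data + tracker + struct.pack("<I", 0)


if __name__ == "__main__":
    for serial in (0x2848E8A8, 0):  # one tracked host, one wiped shortcut
        meta = parse_lnk_metadata(build_sample_lnk(serial, b"DESKTOP-DEMO"))
        print(f"serial=0x{meta['drive_serial']:08x} machine={meta['machine_id']} "
              f"match={match_known_host(meta, WATCHLIST)}")
```

Run against a real shortcut with `parse_lnk_metadata(open(path, "rb").read())`; the point of keying the watchlist on the serial rather than the machine name is that the serial survives a hostname change, which is why a zeroed serial is treated as "no signal" instead of a benign result.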
If these actors are, in fact, the ones behind Qakbot, this indicates that the disruption may have only impacted Qakbot’s command-and-control (C2) servers as opposed to their spam delivery infrastructure. Over the years, law enforcement has launched several disruptions of the infrastructure leveraged by threat groups, targeting malware families like Emotet and Snake. These types of disruptions do upend threat group activities and may force them to do a significant amount of retooling.
However, disruptions are exactly that - disruptions - and they don’t signify a permanent ending to malware. After the FBI announced a takedown effort against Emotet in 2021, for instance, the malware returned ten months later.
It is still possible for cybercriminals to rebuild their malware infrastructure, and even if they don’t do that, as the Talos team's research shows, the threat actors behind Qakbot are still using other types of malware to launch attacks. This ongoing campaign shows that while law enforcement disruptions certainly slow malware operators down, other means - like arrests of threat group members themselves - may have a more lasting impact.
“We want to believe they got hit pretty hard by the takedown, but it’s difficult to assume they will just give up on their golden egg that quick,” said Venere. “They could be using these different malware campaigns to make cash or rebuild their infected network again. Qakbot threat actors usually took a couple months every year to develop and improve the malware, so we should see in a couple months more if they come back or not.”
It’s important to note that there are different layers of complexity when it comes to attribution. Talos researchers made the attribution with “moderate assessment,” and other security researchers have stated on Twitter that they do not attribute the activity to the Qakbot threat actors.
“A pair of external researchers, @malware_traffic and @ffforward, have contacted us with alternative interpretations of the data published in this post, asserting their belief that this is not linked to Qakbot,” said Matt Olney, director of threat intelligence and interdiction with Cisco Talos.
“Attribution is difficult, and while we find our links compelling, we certainly understand that different analysts can reach different conclusions,” said Olney. “We agree there is some room for varying interpretation in this case, which is why we assigned this only a moderate level of confidence. We thank them for their time to read and share feedback on our research. No one company has a perfect view of all actor behaviors, and this is a team sport, working with other researchers to understand their viewpoint on the actors we are tracking makes us all better defenders.”