QakBot Botnet Remains Active as Hackers Spread Ransom Knight Ransomware
According to experts at Cisco Talos, the QakBot botnet (also known as QBot, Quakbot, and Pinkslipbot) is still active and currently involved in distributing ransomware and backdoors. This comes despite an announcement in August of this year by law enforcement agencies, led by the FBI, claiming to have dismantled QakBot in a major international operation called “Duck Hunt.”
Background on Operation Duck Hunt
The Duck Hunt operation included Europol and law enforcement agencies from France, Germany, Latvia, Romania, the Netherlands, the United Kingdom, and the United States. The FBI also collaborated with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), experts from Shadowserver and Zscaler, Microsoft’s Digital Crimes Unit, the National Cyber-Forensics and Training Alliance, and others.
At the time, representatives from the U.S. Department of Justice called this the largest financial and technical blow ever dealt to a botnet’s infrastructure in U.S. history.
What Is QakBot?
QakBot, active since 2008, originally started as a banking trojan but has since evolved into a powerful malware loader. It is capable of deploying additional malicious payloads, stealing confidential information, and enabling lateral movement within networks.
QakBot is typically spread through phishing, especially via email. These emails usually contain malicious attachments or links to download infected files, which then install malware on the victim’s device.
Current Activity: Ransom Knight and Remcos RAT
Recent findings show that QakBot operators are linked to an ongoing phishing campaign, active since early August 2023, distributing the Ransom Knight ransomware (also known as Cyclops) and the Remcos RAT malware.
Cisco Talos experts conclude that “the law enforcement operation did not impact the QakBot operators’ spam delivery infrastructure, but rather only affected their command and control servers.”
So far, there is no evidence that hackers have resumed distributing the QakBot malware loader itself after the Duck Hunt operation and the blow to their infrastructure.
How the Attacks Work
The observed QakBot activity starts with malicious LNK files, which appear to be distributed via phishing emails. When launched, these files infect the victim’s system and deploy the Ransom Knight ransomware (a recent rebranding of the Cyclops RaaS threat).
Sometimes, the ZIP archives that carry these LNK files also include Excel add-in (.XLL) files, which are used to deliver the Remcos RAT. Remcos RAT gives attackers full backdoor access to the victim’s system.
Targeting and Analysis
Some file names in this campaign are in Italian, suggesting that the attackers are targeting users in that region. By analyzing the metadata of the malicious files, researchers recovered information about the machines used in the attacks and concluded that it matches previous QakBot campaigns.
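The infection chain above (LNK files inside ZIP attachments, sometimes alongside XLL add-ins) and the metadata comparison described in this section both lend themselves to a small triage script. The following is an added example written for this page, not tooling from Cisco Talos or the article's author: it inspects a ZIP attachment, flags shortcut and Excel add-in entries, verifies the fixed ShellLinkHeader of each shortcut, and pulls the NetBIOS machine name out of the LNK TrackerDataBlock (MS-SHLLINK 2.5.10), which is the kind of metadata analysts compare across campaigns. The sample archive, file names and machine name are constructed inline and are not indicators from the campaign.

```python
"""Defensive triage of ZIP attachments for the LNK + XLL lure pattern.

Added example, not Cisco Talos code. Flags .lnk and .xll entries in a ZIP
and extracts the MachineID from a shortcut's TrackerDataBlock.
All sample input below is constructed for the example.
"""
import io
import os
import struct
import zipfile

# Extensions considered suspicious in mail attachments (assumption: tune per org)
SUSPICIOUS_EXT = {".lnk": "windows-shortcut", ".xll": "excel-addin"}

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}
TRACKER_SIGNATURE = 0xA0000003  # ExtraData TrackerDataBlock signature
TRACKER_BLOCK_SIZE = 0x60


def is_lnk(data: bytes) -> bool:
    """Check the fixed ShellLinkHeader: HeaderSize 0x4C followed by the LinkCLSID."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def lnk_machine_id(data: bytes):
    """Return the MachineID from the TrackerDataBlock, or None if absent.

    Block layout: BlockSize(4) BlockSignature(4) Length(4) Version(4)
    MachineID(16, NUL-padded ASCII) Droid(32) DroidBirth(32).
    The block is located by scanning for size+signature instead of walking
    the variable-length structures that precede the ExtraData section.
    """
    needle = struct.pack("<II", TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE)
    pos = data.find(needle, LNK_HEADER_SIZE)
    if pos < 0 or pos + TRACKER_BLOCK_SIZE > len(data):
        return None
    raw = data[pos + 16:pos + 32]
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def triage_zip(zip_bytes: bytes) -> list:
    """Return one finding dict per suspicious entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            kind = SUSPICIOUS_EXT.get(ext)
            if kind is None:
                continue
            finding = {"name": info.filename, "kind": kind, "size": info.file_size}
            if kind == "windows-shortcut":
                content = zf.read(info)
                finding["valid_lnk"] = is_lnk(content)
                finding["machine_id"] = lnk_machine_id(content) if finding["valid_lnk"] else None
            findings.append(finding)
    return findings


def build_sample_lnk(machine: bytes) -> bytes:
    """Constructed minimal LNK: valid header, then a TrackerDataBlock, then terminal block."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    tracker = struct.pack("<IIII", TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE, 0x58, 0)
    tracker += machine.ljust(16, b"\x00") + b"\x00" * 64  # Droid + DroidBirth zeroed
    return header + tracker + b"\x00\x00\x00\x00"  # TerminalBlock


def build_sample_zip() -> bytes:
    """Constructed attachment: one shortcut, one add-in, one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documento.lnk", build_sample_lnk(b"DESKTOP-SAMPLE"))  # constructed name
        zf.writestr("documento.xll", b"MZ" + b"\x00" * 62)  # constructed stub, not a real add-in
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
```

In practice the script would run over attachments pulled from a mail gateway quarantine; the machine name and the two Droid GUIDs in the same block are what let analysts tie files from separate waves to the same build environment, as the researchers did here.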
“Although we have not seen criminals distributing QakBot itself after their infrastructure was taken down, we believe this malware will likely continue to pose a significant threat in the future. Since the botnet operators remain active, they could restore QakBot’s infrastructure and fully resume their activities,” the experts warned.