The cybercriminals behind the Qakbot malware have been observed distributing ransomware and backdoors following the recent infrastructure takedown attempt by law enforcement, according to Cisco’s Talos research and threat intelligence group.
In late August, authorities in the United States and Europe announced the results of an international operation whose goal was the disruption of the notorious Qakbot botnet, aka Qbot and Pinkslipbot.
The law enforcement operation involved the takeover of Qakbot infrastructure, the seizure of millions of dollars worth of cryptocurrency, and the distribution of a utility designed to automatically remove the malware from infected devices.
Talos has been monitoring Qakbot-related activities and on Thursday pointed out that a campaign launched by cybercriminals in early August has continued even after the law enforcement operation was announced.
As part of this campaign, the hackers have delivered Ransom Knight ransomware and the Remcos backdoor using phishing emails. This suggests, according to Talos, that the law enforcement operation impacted only Qakbot command and control (C&C) servers, without affecting spam delivery infrastructure.
The campaign delivering Ransom Knight and Remcos malware appears to be the work of Qakbot affiliates known for a previous operation named ‘AA’, which ran in 2021 and 2022.
“We assess Qakbot will likely continue to pose a significant threat moving forward. Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity,” Talos said.
SecurityWeek has also heard from others who have seen signs that the Qakbot infrastructure is being rebuilt, with cybercriminals moving to distribute new malware.
Qakbot, primarily delivered through spam emails, has been used to gain initial access to systems, to which cybercriminals could then distribute ransomware and other malware.
When they announced the takedown attempt, US authorities said they had gained access to Qakbot infrastructure and identified more than 700,000 infected computers worldwide. The FBI redirected Qakbot traffic through servers controlled by the agency, instructing infected devices to download the malware uninstaller.