In a not-so-unexpected turn of events, Qakbot is back. Just a short time after the August takedown of the notorious group, researchers have found that these threat actors are still active. In fact, they may never have been inactive: an attack campaign that was already running during the takedown is still running now.
The current campaign involves two primary pieces of malware:
- Ransom Knight – ransomware-as-a-service malware delivered via .lnk files that download it when the shortcut is opened.
- Remcos backdoor – a remote access trojan that keeps persistent access for further attacks even after the ransomware has been deployed.
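A triage check for the .lnk delivery described above, added here as an example and not code from the original article: it walks the shortcut's fixed header, skips the optional IDList and LinkInfo blocks, reads the StringData fields as laid out in MS-SHLLINK, and flags shortcuts whose target or arguments name an interpreter able to fetch a payload. The sample shortcut, the token list and the helper names are all constructed for this example.

```python
import struct

# LinkFlags bits from the MS-SHLLINK header (only those the parser needs).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon"))
# Interpreters and tools a document shortcut has no reason to launch but a
# downloader .lnk typically does; a hit is a triage lead, not proof of malice.
SUSPICIOUS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
              "curl", "certutil", "bitsadmin", "rundll32", "regsvr32")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative path, working dir, arguments, icon)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                     # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                        # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_DATA:                  # CountCharacters + chars, no NUL
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + n * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += n * width
    return fields

def is_suspicious(fields: dict) -> bool:
    """True when the shortcut's target path or arguments name a download-capable tool."""
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return any(tok in text for tok in SUSPICIOUS)

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk for sample input: header, RELATIVE_PATH, COMMAND_LINE_ARGUMENTS."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-...-000000000046}
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<I", HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header.ljust(0x4C, b"\0") + sd(relative_path) + sd(arguments)
```

Run `is_suspicious(parse_lnk(open(path, "rb").read()))` over shortcuts pulled from mail attachments or user Downloads folders; the IDList and LinkInfo blocks are skipped, not decoded, so a shortcut whose only target is an IDList entry still needs a full parser.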
As always, the best defense against Qakbot attacks is education. Qakbot is primarily delivered via email attachments, and users should be made aware of this and taught how to handle such emails. Additionally, Qakbot is exceptionally evasive and persistent. Any indication that it may have been unleashed on your network requires prompt, diligent and thorough threat hunting and eradication.
For more information on Qakbot’s Halloween-appropriate undead act, see this article: https://www.darkreading.com/attacks-breaches/qakbot-infections-continue-even-after-high-profile-raid
