QakBot Comeback – Is It Real?

On December 16, 2023, the Microsoft Threat Intelligence team shared part of their observations on X. It appears that a new email spam campaign, started on December 11, spreads a good-old QakBot. Hackers disguised the message as a notification from the IRS employee and attached a PDF file to it. The quality of a spam email inspires confidence, so victims gladly move on to the further stages of a scam.

The attached PDF is, in fact, a point of malware injection. Instead of an expected document, the victim sees a page that reports a preview error and asks to download and install Adobe Acrobat. The link offered for downloading Acrobat leads to the downloading page that shares a signed .msi file. This file, as you could already have guessed, is a malware body.

Trivia uncovered by Microsoft researchers say clearly that it is not a reuse of an old QakBot sample, but a completely new generation. Both the campaign name, version number and the timestamp on the sample point at the fact that it is all about a new round of QakBot.

What is QakBot?

For over a decade, QakBot a.k.a QBot remained a severe hazard for both single users and companies. Emerged in 2007, it was originally categorized as a worm/banking trojan. With time though it received extensive updates that made it more capable in the initial purpose, and added some new features. The one in particular – loader functionality – is what dramatically changed this malware’s future.

Ever since it gained the ability to deliver payloads, QakBot has become a beloved tool for initial access and malware delivery in numerous attacks. Its use in the attacks of Russian state-sponsored hackers also explains its sustainability and impertinence. But all streaks are made to be broken – and the FBI have shown exactly this in late August 2023. By taking down the entire botnet, except for Tier 1 C2 servers, law enforcement jammed the QBot activity for 4 months. Until now, it seems.

How to protect against QakBot?

As I’ve shown above, the main way this malware spreads through is email spam. It was the main option before the takedown and remains up to date. There is tons of advice on avoiding malicious emails, but let me share a couple of specific ones for targeted spam the QakBot usually uses.

Avoid files you have not expected to receive. The main thing hackers rely on is people’s lack of attention to detail. Do you expect someone from the IRS to contact you with the “client’s information”? Are you waiting for a colleague to send you a strange table from the wrong email address? Question yourself each time you face something like this – and the chances of infection will go down dramatically.

Never interact with contents of unknown files. This is the continuation of a previous advice, though it works with files from any source. MS Office files that offer to allow macros, PDFs with links that lead to malware downloading – there are plenty of options. When you are not sure whether the file is benign or not, avoid clicking any interactive content – both in it and related to it.

Employ email protection solutions. Extensive use of email messages for malware spreading gave birth to an entire class of security solutions, that specialize in securing email inboxes. By scanning the message properties, attachments, or even text body, they conclude and say whether it is safe to work with the file.

Use reliable anti-malware software. This solution is reactive, contrary to the proactive ones I’ve named above, though should still serve as a goalkeeper. When all other systems fail, something should protect you. QakBot is not magical, so a well-done anti-malware engine should detect it right away. Be sure that GridinSoft Anti-Malware is the one you can rely on in this task.

The post QakBot is Back With a New Email Spam Campaign appeared first on Gridinsoft Blog.

Is Pikabot A New QakBot?

In its report, Cofense said that DarkGate and Pikabot’s tactics and methods are similar to previous QakBot (aka Qbot) campaigns. That is, it seems that Qbot operators simply switched to using new botnets and malware. Researchers write that QBot was one of the largest botnets. The spread of QBot was associated with email, and DarkGate and Pikabot are modular malware downloaders that have the same functions as QBot.

Similarly to QBot, hackers use the new downloaders to gain initial access to victims’ networks. Then they carry out ransomware attacks, espionage and data theft. Interestingly, some cybersecurity experts predicted the possible return of malware.

Features of the phishing campaign of the QBot heirs

According to Cofense, this summer the number of malicious emails spreading DarkGate increased significantly. In October 2023, attackers switched to using Pikabot as their main payload. These phishing attacks begin with emails that appear to be a reply or forward related to a previously stolen discussion. This makes it more likely that recipients will view the message with more confidence.

Users who click on a URL from such an email go through a series of checks and are then prompted to download a ZIP archive. This archive contains a dropper that retrieves the final payload from a remote source.

The researchers note that the attackers experimented with several droppers to determine which one worked best, including:

• JavaScript dropper for loading and executing PE or DLL;
• Excel-DNA loader, based on an open-source project used to create XLL files. In this case it is used to download and run malware;
• VBS loaders, which can execute malware via .vbs files in Microsoft Office documents or launch command line executables;
• LNK downloaders, which use .lnk files to download and execute malware.

The final payload used in these attacks until September 2023 was DarkGate, which was replaced by PikaBot in October 2023.

How dangerous are DarkGate and PikaBot?

DarkGate is a modular malware that supports various types of malicious behavior. Its first appearance happened back in 2017, but it became available to masses only in the summer of 2023. This, eventually, ended up with a sharp increase in its distribution. Among key feautures, DarkGate boasts hVNC remote access, cryptocurrency mining and reverse shell creation. It allows for keylogging, stealing data from an infected machine.

In turn, PikaBot is a newer malware that first appeared in early 2023 and consists of a loader and a main module, with mechanisms to protect against debugging, VMs, and emulations. On the infected machine, it creates a system profile and sends the collected data to the control server, awaiting further instructions. In response, the server sends commands to load and execute modules in the form of DLL or PE files, shellcode or command line commands. All this makes PikaBot a universal tool.

What is QakBot notorious for?

QakBot, active since 2008, was originally a banking Trojan. But it has evolved over time into a powerful malware downloader capable of deploying additional payloads, stealing information, and enabling lateral movement. Qbot’s malicious campaigns are most likely linked to Russian hackers and they are constantly improving their malware distribution methods.

In 2020 the Qbot Trojan first entered the list of the most widespread malware in the world. And since then, the malware had continiously hit the newsletters for the next 3 years. Among its most noticeable attack vectors is the adoption of 0-day vulnerability in Windows MSDT called Follina.

However, the FBI, in collaboration with a number of international law enforcement organizations, conducted Operation Duck Hunt, which resulted in the destruction of the QBot (QakBot) infrastructure in August 2023.

The FBI managed to penetrate the lair of a cybercriminal group and take possession of the computer of one of its leaders. After this through the gaming platform of QBot FBI sent out a botnet destruction program to the affected devices. After which the malware was removed from more than 700 thousand infected devices around the world. But, as we see, the legacy of the botnet QBot lives on.

The post DarkGate and Pikabot Copy the QakBot Malware appeared first on Gridinsoft Blog.

US and UK Authorities Uncover 11 More Russian Hackers Related to Conti And TrickBot

Notice regarding joint operations between American and British authorities appeared on several sites simultaneously. As in the previous case of sanctions towards russian hackers, US Treasury and UK National Crime Agency released statements regarding it. They successfully managed to uncover the personalities of 11 individuals that are related to the Trickbot/Conti cybercriminal gang.

Authorities have found and proven the relation of the accused individuals to attacks on UK and US government and educational organisations, hospitals and companies. This in total led to a net loss of £27 million in the UK only, and over $800 million around the world. Despite the formal Conti group dissolution in June 2022, members remained active under the rule of other cybercriminal groups.

Authorities Published Hackers’ Personal Data

What may be the best revenge to someone fond of compromising identities than compromising their own identity? Authorities involved in the investigation and judgement probably think the same, as they have published detailed information about each of 11 sanctioned hackers.

What is the Conti/TrickBot group?

As cybercrime gangs are commonly named by their “mainstream” malware, the Conti gang was mostly known for their eponymous ransomware. But obviously, that was not the only payload they were using in their attacks. Throughout its lifetime, Conti was working with, or even directly using several stealer families. Among them is an infamous QakBot, whose botnet was hacked and dismantled at the edge of summer 2023, and TrickBot. They were mostly known as stand-alone names, besides being actively used in collaboration with different ransomware gangs, including Conti.

QakBot is an old-timer of the malware scene. Emerged in 2007 as Pinkslipbot, it quickly became successful as infostealer malware. With time, it was updated with new capabilities, particularly ones that make it possible to use it as an initial access tool/malware delivery utility. This predetermined the fate of this malware – it is now more known as a loader, than a stealer or spyware. Although it may be appropriate to speak of QBot in the past tense, as its fate after the recent botnet shutdown is unclear.

Trickbot’s story is not much different. The only thing in difference is its appearance date – it was first noticed in 2016. Rest of the story repeats – once an infostealer, then a modular malware that can serve as initial access tool and loader. Some cybercriminals who stand after Trickbot were already sanctioned – actually, they are the first sanctioned hackers ever.

Are sanctions seriously threatening hackers?

Actually, not much. Sanctions are not a detainment, thus the only thing they lose is property in the US and the UK. Though, I highly doubt that any of those 11 guys had any valuable property kept in the countries they were involved in attacks on. All this action is mostly a message to other hackers – “you are not as anonymous as you think you are, and not impunable.”. The very next step there may be their arrest – upon the fact of their arrival to the US/UK, or countries that assist them in questions of cybercrime investigation. But once again – I doubt they’re reckless enough to show up in the country where each police station has their mugshot pinned to the wanted deck.

The post NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers appeared first on Gridinsoft Blog.

The United States and its allies dismantled the Qakbot financial fraud network

Last week, the United States, the United Kingdom, Germany, Latvia, the Netherlands, Romania, and France conducted a joint operation to dismantle the Qakbot hacker network. First appearing more than a decade ago, Qakbot typically spread through infected emails sent to potential victims under the guise of trusted messages. Cybersecurity researchers have suggested that Qakbot’s origins refer to Russia. This network of attackers has attacked various organizations worldwide, from Germany to Argentina, causing significant losses. U.S. Attorney Martin Estrada emphasized that this operation to expose and disrupt Qakbot’s “Duck Hunt” activities is the most extensive in the history of the fight against botnets.

A colossal catch

So, specialists call Operation “Duck Hunt” a significant victory in the fight against cybercrime, and that’s obvious. As part of an international operation, FBI officials dismantled the Qakbot botnet that infected over 700,000 compromised computers worldwide, of which more than 200,000 were in the United States. Although authorities distributed a removal tool to the endpoints that removed Qakbot from system memory, this did not neutralize other malware that may have been present on the system. According to investigators, between October 2021 and April 2023, Qakbot administrators received approximately $58 million in ransom paid by victims. According to CertiK, criminals could steal about $45 million worth of cryptocurrency during August this year. And in total, users have lost $997 million in fraudulent schemes since the beginning of the year. Law enforcers seized more than $8.6 million in bitcoins.

A few words about Qakbot

Qakbot is a malicious program that belongs to the TrickBot family of Trojans. Its functionality is similar to a Swiss Army knife. It was first discovered in 2008, and since then, cybercriminals have actively used it to steal data and spread other malicious programs. It is the most frequently detected malware, with 11% of corporate networks worldwide affected in the first half of 2023. The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast. It also served as a platform for ransomware operators. Once infected, the victim’s computer became part of a giant Qakbot botnet, infecting even more victims. Qakbot can spread through various channels, including email, malicious links, and infected files. We have an entire article dedicated to this malware.

QakBot May Resurface Soon, Analysts Concern

Experts of cyber threat intelligence operations warned that the recent takedown of Qakbot may only provide short-term relief in the fight against cybercrime. Many cybercrime service providers operate from Russia, which doesn’t extradite its citizens, making it difficult to reach them. However, now Qakbot appears to be on a forced sabbatical. Nevertheless, cybercriminals may tweak their code to make it more challenging to disrupt in the future. The situation now resembles the events with Emotet, which, after severe destruction in 2021, was never able to regain its former position.

Despite obvious parallels to Emotet’s case, it is important to notice the difference between the two. Spreading methods applied by Emotet differ from ones used by Qakbot. The latter used email spamming only as a part of lateral movement, with the application of compromised email accounts. Moreover, QBot is backed by a team of highly-professional crimes, while Emotet apparently lost its dream team in the 2021’s detention. Conti’s Team 3, now known as Black Basta, ran Qakbot operations alongside the Clop ransomware group. Team 3 has been inactive since June, but once they resurface, they could pose a potent threat.

How to protect yourself against malware?

Protecting yourself against malware is essential to safeguard your personal information, data, and online security. Here are some fundamental steps to help you stay protected:

• Beware of Fake Websites. You should be cautious when visiting websites, especially when entering sensitive information. Ensure you’re on secured websites (look for HTTPS in the URL).
• Exercise Caution with Email and Links. Be cautious when opening email attachments and clicking links, especially in emails from unknown or suspicious sources. Malware often spreads through phishing emails. Be skeptical of pop-up ads and unexpected download prompts. Verify the legitimacy of requests before taking action.
• Download Software from Official Sources. Only download software and apps from reputable sources, e.g., the official website or app store (If it’s Android or iOS). Avoid downloading cracked or pirated software from torrents, often bundled with malware.
• Keep Software Updated. You may find Windows updates annoying, but it is essential. Regularly update your operating system, web browsers, and all installed software. Many malware attacks exploit known vulnerabilities that are patched through updates.
• Use Strong Passwords. A strong password is the first line of defense. Create strong, unique passwords for your accounts, and change them regularly. Consider using a password manager to generate and store complex passwords securely.
• Enable Multi-Factor Authentication (MFA). Whenever possible, enable MFA for your online accounts. This is the second line of defense, which will stop the intruder if the first line is passed. MFA adds an extra layer of security by requiring additional verification beyond a password.
• Use Reputable Anti-Malware Software. We recommend installing and regularly updating reputable anti-malware software on your devices. This point complements all previous topics and minimizes all risks as much as possible. These tools can detect and remove malware infections.

The post QakBot Botnet Dismantled, But Can It Return? appeared first on Gridinsoft Blog.

Qakbot has been known to deploy multiple types of malware, trojans, and highly destructive ransomware variants. They also used their affiliates or operators, which include Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently, Black Basta. It targets the United States and other global infrastructures, including the Election Infrastructure Subsector, Financial Services, Emergency Services, and Commercial Facilities Sectors.

How has the Qakbot botnet been detected?

The FBI found a number of files related to the operation of the Qakbot botnet on a computer used by one of its administrators. These files included chats between the Qakbot administrators and co-conspirators. Also a directory containing several files that held information related to virtual currency wallets, according to court documents, that included a computer used by one of its admins after it had infected over 700,000 computers, with over 200,000 in the United States.

While searching through the same computer, a separate file called 'payments.txt' was discovered. It contained a list of individuals who had fallen victim to ransomware. It also included information about the ransomware group, details about their computer systems, dates of the attacks, and the amount of BTC paid to the Qakbot administrators in connection with the attacks.

The agency redirected Qakbot traffic to its servers, giving the FBI the access they needed to remove the malware from compromised devices worldwide. This prevented the deployment of any additional malicious payloads.

Victims were not informed when the uninstaller was executed to remove the malware from their systems. Still, the FBI contacted them using IP addresses and routing information collected from their computers during removal.

Recommendations

Organizations must implement the recommendations provided in the joint CSA by CISA and FBI. This will help to lower the risk of QakBot-related activity and make it easier to detect QakBot-facilitated ransomware and malware infections. If you come across any incidents or anomalous activity, please feel free to contact any of the following organizations without any delay:

• CISA, either through the agency’s online tool (cisa.gov/report) or the 24/7 Operations Center or (888) 282-0870.
• FBI via a local field office.

How to prevent botnet attacks?

Using anti-malware software is an important measure to protect your computer from online threats. Cybercriminals can use malware to steal your private information, monitor your online activity, or take over your computer and use it as a botnet. However, dependable anti-malware software can detect and remove malware before it can harm your system. To be proactive in safeguarding your computer, it’s need to regularly update your anti-malware software and carry out full system scans. It’s also crucial to keep your operating system and other software up to date, as software updates often provide security patches that address known vulnerabilities.

The post Qakbot Botnet Hacked, Removed from Over 700,000 Machines appeared first on Gridinsoft Blog.