
The members of the Qakbot ransomware gang are still actively spreading malware, Cisco Talos researchers note, despite their network having been targeted and supposedly destroyed by the FBI.

In August of this year, the FBI dismantled the infrastructure of the Qakbot botnet’s operators in “Operation Duck Hunt”. The action significantly disrupted the gang’s activities and allowed thousands of malware-infected devices to recover.

However, Cisco Talos researchers have discovered that the hackers behind Qakbot are unfortunately still very much active. Shortly before the FBI took down their infrastructure, they had launched a new ransomware campaign, and that campaign is still ongoing.

The FBI’s action is said to have affected only the gang’s C&C server infrastructure, not its capability to send phishing mail. Through such emails, a variant of the Cyclops/Ransom Knight ransomware is being distributed, along with the Remcos backdoor.

LNK files from the same machine

Cisco Talos researchers detected the continued spread of the ransomware and malware by comparing metadata of LNK files from the new campaign with those from previous Qakbot campaigns.

For example, the new malicious LNK files turned out to have been created on the same machine as the earlier ones. An examination of the payload then showed that these LNK files launched a command line pointing at a network share, which served a variant of the Ransom Knight ransomware.
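The attribution described above rests on metadata that Windows writes into every shortcut: the LNK TrackerDataBlock records the NetBIOS name of the machine that created the file plus volume and object GUIDs, and the object GUID is a version-1 UUID that embeds the creating host’s MAC address. The parser below is an added example, not Talos’s tooling or anything from the article; the hostnames, GUIDs and file names are constructed fixtures, not real Qakbot indicators.

```python
import struct
import uuid
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIG = 0xA0000003  # TrackerDataBlock signature (MS-SHLLINK 2.5.10)

def tracker_fingerprint(data: bytes) -> dict:
    """Extract MachineID and Droid GUIDs from an LNK file's TrackerDataBlock."""
    hdr_size, = struct.unpack_from("<I", data, 0)
    if hdr_size != 0x4C or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 20)
    off = hdr_size
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size followed by the list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # HasLinkInfo: the first dword is the structure size
        off += struct.unpack_from("<I", data, off)[0]
    char = 2 if flags & 0x80 else 1  # IsUnicode
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # Name, RelPath, WorkDir, Args, Icon
        if flags & bit:
            off += 2 + char * struct.unpack_from("<H", data, off)[0]
    while off + 8 <= len(data):  # walk ExtraData blocks until the terminal block
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4: break  # terminal block (size 0)
        if sig == TRACKER_SIG:
            machine = data[off + 16:off + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            vol = uuid.UUID(bytes_le=data[off + 32:off + 48])
            obj = uuid.UUID(bytes_le=data[off + 48:off + 64])
            # The object ID is a version-1 UUID; its node field is the creating host's MAC.
            mac = "%012x" % obj.node if obj.version == 1 else None
            return {"machine_id": machine, "volume_id": str(vol), "object_id": str(obj), "mac": mac}
        off += size
    return {}

def same_origin(a: bytes, b: bytes) -> bool:
    """True when two LNKs were created on the same machine and the same volume."""
    fa, fb = tracker_fingerprint(a), tracker_fingerprint(b)
    return bool(fa and fb) and (fa["machine_id"], fa["volume_id"]) == (fb["machine_id"], fb["volume_id"])

def build_lnk(machine: str, vol: uuid.UUID, obj: uuid.UUID) -> bytes:
    """Constructed test fixture: a minimal LNK holding only a TrackerDataBlock."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + b"\0" * (0x4C - 20)
    block = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + machine.encode().ljust(16, b"\0")
    block += (vol.bytes_le + obj.bytes_le) * 2  # Droid and DroidBirth
    return header + block + struct.pack("<I", 0)  # terminal block

# Constructed samples; hostnames and GUIDs are hypothetical, not real Qakbot indicators.
VOL_A = uuid.UUID("11111111-2222-4333-8444-555555555555")
SAMPLES = {
    "old_campaign.lnk": build_lnk("DESKTOP-EXAMPLE", VOL_A, uuid.uuid1(node=0x001122334455, clock_seq=1)),
    "new_campaign.lnk": build_lnk("DESKTOP-EXAMPLE", VOL_A, uuid.uuid1(node=0x001122334455, clock_seq=2)),
    "unrelated.lnk": build_lnk("WIN10-OTHER", uuid.UUID(int=9), uuid.UUID(int=3)),
}
```

Run `same_origin()` across samples from different campaigns to cluster shortcuts by build machine; a shared MachineID and volume GUID is the kind of link Talos drew between the old and new Qakbot waves.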

Combination between backdoor and ransomware

The newly discovered ongoing campaign primarily targets financial data and is conducted via phishing mails. The mails often also contain a ZIP archive with an XLL file, an Excel add-in, which installs the Remcos backdoor. The backdoor is often used in conjunction with the Ransom Knight ransomware to gain access to devices and then stage further attacks.
