
The infamous Qakbot malware has made a return. Microsoft Threat Intelligence warns of new phishing emails purporting to be from the U.S. Internal Revenue Service (IRS).

In late August, international police units announced they had eliminated the giant Qakbot botnet during “Operation Duck Hunt.” Its malware had spread to 700,000 computers in just the 12 months preceding the operation. Eventually, the FBI was able to obtain an admin account to control the botnet. With that, the agency sent a DLL to the entire bot army, causing the malware to self-destruct.


Now, it appears that Qakbot (Qbot) hopes to start all over in pursuit of a new botnet with a slightly modified version, 0x500. Microsoft Threat Intelligence reveals that a modified PDF file contains a Windows Installer for the new Qbot variant. The fake IRS email was sent to several hospitality companies on Dec. 11. Only a few tweaks were allegedly added to the software.
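The delivery chain Microsoft describes, a PDF that carries a Windows Installer package, is something a defender can check for directly: .msi files are OLE Compound File containers with a fixed 8-byte signature, so a PDF stream that decodes to that signature deserves a second look. The scanner below is an added example, not code from this article, from Microsoft or from Proofpoint. It assumes the installer is carried inside the PDF as an embedded-file stream (the article does not say how the PDF delivers it); the sample PDF and its placeholder payload are constructed here and contain nothing executable.

```python
import re
import zlib

# Signature of an OLE Compound File, the container format used by .msi packages.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# One indirect object that owns a stream: "N G obj", its dictionary, the raw
# stream bytes, then "endstream". The (?!endobj) lookahead stops the dictionary
# group from running across an object that has no stream at all. Delimiting the
# data by "endstream" rather than /Length is a heuristic that suits a triage tool.
STREAM_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\n?endstream",
    re.DOTALL,
)


def _decode(dictionary: bytes, raw: bytes) -> bytes:
    """Undo FlateDecode when the stream dictionary asks for it; other filters are left raw."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # truncated or non-zlib data: inspect what we have
    return raw


def scan_pdf_streams(pdf: bytes) -> list:
    """Report every stream that is declared /EmbeddedFile or decodes to an OLE container."""
    findings = []
    for m in STREAM_RE.finditer(pdf):
        objnum = int(m.group(1))
        dictionary, raw = m.group(2), m.group(3)
        data = _decode(dictionary, raw)
        is_embedded = b"/EmbeddedFile" in dictionary
        is_ole = data.startswith(OLE_MAGIC)
        if is_embedded or is_ole:
            findings.append({
                "object": objnum,
                "embedded_file": is_embedded,
                "ole_payload": is_ole,
                "size": len(data),
            })
    return findings


def build_sample_pdf() -> bytes:
    """Constructed test input: a minimal PDF with a normal page stream and one
    FlateDecode-compressed /EmbeddedFile whose content starts with the OLE magic.
    The payload is the signature plus zero bytes, a stand-in for an .msi, not one."""
    payload = OLE_MAGIC + b"\x00" * 64
    compressed = zlib.compress(payload)
    content = b"BT /F1 12 Tf (Notice) Tj ET"
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /Length %d >>\nstream\n" % len(content)
        + content + b"\nendstream\nendobj\n",
        b"4 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d "
        b"/Params << /Size %d >> >>\nstream\n" % (len(compressed), len(payload))
        + compressed + b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for hit in scan_pdf_streams(build_sample_pdf()):
        print(hit)
```

Run it against a quarantined attachment with `scan_pdf_streams(open(path, "rb").read())`; a hit where `ole_payload` is true on a document that should only contain text or images is worth escalating, regardless of what the mail claims to be about. The regex approach deliberately ignores object streams and other filters, so treat a clean result as "nothing obvious" rather than "nothing there".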

It was already known that the Qakbot infrastructure was not wholly disabled. The cybercriminals behind the malware can still send emails en masse. Now, there is a concrete example of this.

A small-scale campaign (for now)

For now, according to the Microsoft team, Qakbot’s new efforts only represent a small campaign. Proofpoint security researchers Pim Trouerbach and Tommy Madjar confirm that they, too, have once again caught wind of Qakbot. Trouerbach says “it sucks”, but points to an earlier piece of malware that tried to return after a long run of success. Emotet, described by Europol as the world’s “most dangerous malware,” was taken down in early 2021 by roughly the same international coalition that wiped out Qakbot and other cyber threats in recent years. Trouerbach stressed that a recovery attempt by Emotet in late 2021 met with little success.

Qakbot has a particularly long history. It originated in 2008 and initially targeted the financial sector, aiming to capture banking data and website cookies. Gradually, it developed into a botnet that granted other cybercriminals initial access, which they could use, for instance, to install ransomware on victims’ machines themselves. It’s a notorious example of the commercialization that has occurred within cybercrime, in which malware like Qakbot merely acts as a middleman for other malicious parties. Qakbot’s previously impressive infrastructure made it a very attractive tool for notorious groups like Conti, ProLock and Black Basta.