New Qakbot Phishing Campaigns Emerge

In a recent report by Microsoft Threat Intelligence, a resurgence of Qakbot phishing campaigns has been identified, marking a concerning development in the threat landscape. Following a law enforcement disruption operation in August 2023, Microsoft detected a low-volume campaign targeting the hospitality industry, with the first wave initiated on December 11. This blog post sheds light on the key findings from the report and provides insights into the evolving tactics of the notorious Qakbot malware.

Qakbot Phishing Campaign Overview:

The phishing campaign in question involved the distribution of a PDF posing as communication from an IRS employee. Upon closer inspection, the PDF contained a deceptive URL leading to the download of a digitally signed Windows Installer (.msi). The execution of this MSI, in turn, triggered the activation of Qakbot using an “hvsi” execution of an embedded DLL. Notably, the MSI package was signed with the SignerSha1/Thumbprint 50e22aa4b3b145fe1193ebbabed0637fa381fac3, adding a layer of sophistication to the attack.

Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee. pic.twitter.com/oYTq9kjrrq
— Microsoft Threat Intelligence (@MsftSecIntel) December 16, 2023

Qakbot phishing Technical Details:

An embedded configuration EPOCH timestamp revealed that the payload was generated on December 11, and the campaign code was identified as “tchk06.” What sets this campaign apart is the use of Qakbot version 0x500, a previously unseen iteration of the malware. Microsoft Defender XDR has been proactive in detecting and thwarting the malicious components and activities associated with these new Qakbot campaigns.

The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export “hvsi” execution of an embedded DLL. The MSI package was signed with the SignerSha1/Thumbprint 50e22aa4b3b145fe1193ebbabed0637fa381fac3. pic.twitter.com/7TJvilWow6
— Microsoft Threat Intelligence (@MsftSecIntel) December 16, 2023

Qakbot in the Cyber Threat Landscape:

Qakbot, also known as Qbot or Pinkslipbot, is a modular second-stage malware with multifaceted capabilities. Originally designed as a credential stealer, it has since evolved into a banking trojan, worm, and remote access trojan (RAT). Categorized by CISA as one of the top malware strains of 2021, Qakbot is notorious for its ability to steal sensitive data and self-propagate across networks.

The malware offers remote code execution (RCE) capabilities, enabling attackers to conduct manual attacks for secondary objectives, such as network scanning and injecting ransomware. Qakbot has been utilized by prominent ransomware gangs, including REvil, ProLock, and Lockbit, to distribute big-game hunting ransomware strains.

Qakbot’s Impact Over the Years:

Discovered in 2008, Qakbot has undergone constant updates, with its usage fluctuating in tandem with its update cycle. After significant updates in 2015, Qakbot experienced a resurgence, and in 2020, a novel strain resulted in a staggering 465 percent increase in its year-over-year share of cyberattacks. Notably, in 2021, Qakbot played a role in the high-profile cyber-breach of JBS, disrupting meat production facilities and leading to an $11 million ransom payment.