The Qakbot banking Trojan, which was recently dismantled in a multinational cybercrime takedown, still poses a threat to users as the people behind it continue to be active, according to researchers. Cisco’s Talos threat intelligence group released a report stating that the creators and operators of Qakbot are currently working on a new campaign, this time distributing a variant of the Knight malware.
The Talos team has stated that they have “moderate confidence” in their findings, based on their analysis of drive serial numbers in LNK (Windows shortcut) file metadata from computers associated with previous Qakbot attacks. Despite the Qakbot actors’ attempts to clean metadata from the specific files, Talos was able to identify one machine linked to these attacks.
The researchers have observed that some of the filenames associated with the new campaign are written in Italian, suggesting that the threat actors may be targeting users in that region. The LNK files themselves are being distributed within zip archives along with an XLL file.
XLL files, a Microsoft Excel file type, look much like ordinary .xls files in an Explorer window. If an XLL file is opened, it installs the Remcos backdoor, a remote administration tool that works alongside the Knight malware to gain access to the targeted system.
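The two artefacts above, a zip archive carrying an LNK shortcut next to an XLL file, are also what a defender can triage mechanically. The following is an added example, not code from the Talos report or from any tool the article mentions: it walks a zip, pulls the drive serial number, drive type, volume label and local base path out of each .lnk by reading the LinkInfo/VolumeID structure defined in MS-SHLLINK (the same metadata the researchers used to link machines across campaigns), flags a serial of zero as likely scrubbed, and checks whether each .xll is a PE image (MZ header) rather than a workbook. The archive, the filenames (`Fattura.lnk`, `Fattura.xll`), the serial `1234-ABCD`, the label `OS` and the path under `C:\Users\demo` are all constructed for the example.

```python
"""Triage a zip attachment for the LNK + XLL pairing (added example).

Parses the LinkInfo/VolumeID block of each .lnk (per MS-SHLLINK) to
recover the drive serial number, and checks whether each .xll is a PE
image (MZ) rather than an Excel workbook. The sample archive below is
constructed inline; every name and value in it is made up.
"""
import io
import struct
import zipfile

# LinkFlags bits in the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x1
HAS_LINK_INFO = 0x2
# LinkInfoFlags bit (MS-SHLLINK 2.3)
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE",
               3: "FIXED", 4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def _cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk_volume(data):
    """Return VolumeID / local path info from a .lnk, or None if absent."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        return None  # not a ShellLinkHeader
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the optional IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    li = pos  # start of LinkInfo; all its offsets are relative to here
    (_size, _hdr, li_flags, vol_off, base_off,
     _net_off, _suffix_off) = struct.unpack_from("<7I", data, li)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    vid = li + vol_off
    _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vid)
    if label_off == 0x14:  # label stored as Unicode at VolumeLabelOffsetUnicode
        uoff = struct.unpack_from("<I", data, vid + 16)[0]
        raw = data[vid + uoff:]
        label = raw[:raw.index(b"\x00\x00")].decode("utf-16-le", "replace")
    else:
        label = _cstr(data, vid + label_off)
    return {
        "drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
        "drive_serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
        "serial_scrubbed": serial == 0,  # zeroed serial suggests cleaned metadata
        "volume_label": label,
        "local_base_path": _cstr(data, li + base_off),
    }


def triage_zip(zip_bytes):
    """Inspect each .lnk and .xll member; flag the archive if both are present."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            blob, lower = zf.read(name), name.lower()
            if lower.endswith(".lnk"):
                findings.append({"name": name, "kind": "lnk",
                                 "volume": parse_lnk_volume(blob)})
            elif lower.endswith(".xll"):
                findings.append({"name": name, "kind": "xll",
                                 "is_pe": blob[:2] == b"MZ"})
    kinds = {f["kind"] for f in findings}
    return {"suspicious": kinds >= {"lnk", "xll"}, "findings": findings}


def build_sample_lnk(serial, label=b"OS", base_path=b"C:\\Users\\demo\\Fattura.xll"):
    """Construct a minimal LNK with a VolumeID block (constructed test data)."""
    volume_id = struct.pack("<4I", 16 + len(label) + 1, 3, serial, 0x10) + label + b"\x00"
    base = base_path + b"\x00"
    vol_off = 0x1C                      # LinkInfoHeaderSize with no Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + b"\x00"
    header = (struct.pack("<I", 0x4C)
              + bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
              + struct.pack("<I", HAS_LINK_INFO) + b"\x00" * 52)
    return header + link_info


def build_sample_zip():
    """Constructed archive mimicking the LNK + XLL lure; names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fattura.lnk", build_sample_lnk(0x1234ABCD))
        zf.writestr("Fattura.xll", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

Run against a real archive by passing the file's bytes to `triage_zip`; the LinkInfo offsets are relative to the start of the LinkInfo block, which is why the parser carries `li` through every lookup rather than indexing from the file start.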
While the Qakbot actors are unlikely to be the masterminds behind the Knight ransomware service itself, they are most likely customers of this service. The recent enforcement action that took down Qakbot’s command-and-control servers likely did not impact the group’s phishing infrastructure, allowing them to potentially rebuild their back-end systems and make a resurgence.
It is important for users to remain cautious and take necessary precautions to protect themselves from these threats. This includes being vigilant while opening email attachments and visiting websites, as well as ensuring that their systems have the latest security updates and patches installed.
Law enforcement agencies and cybersecurity experts continue to monitor the activities of the Qakbot actors and are working towards dismantling their operations completely. However, it is a constant battle as cybercriminals adapt and evolve their tactics to continue posing a threat to individuals and organizations.
It is crucial for individuals and businesses to stay informed about the latest cybersecurity threats and best practices to mitigate the risks associated with them. By staying educated and implementing proactive security measures, users can better protect themselves from the ever-growing cyber threat landscape.