Qakbot, a versatile malware threat, returned after a takedown in August.
The new campaign targets the hospitality industry with IRS-themed phishing emails containing malicious PDFs.
Microsoft identified the attack, offering two IP addresses for blocking and a way to detect the malware's digital signature.
Stay vigilant: Use multi-factor authentication, be wary of suspicious emails, and trust tech experts to handle the rest.
Y'all remember that ol' scoundrel Qakbot, the malware critter who used to hang around banks like a hungry raccoon in a chicken coop? Well, good news is, we chased him outta town back in August thanks to a fancy little operation called Duck Hunt, cooked up by the US Department of Justice. We seized his servers, kicked his malware off over 700,000 computers, and even confiscated $8.6 million of his crypto loot. He was singin' the blues louder than a hound dog on a rainy day, let me tell you!
But just like a pesky gopher poppin' up in your garden, Qakbot's back to his old tricks. This time, he's set his sights on the folks in the hospitality industry, sendin' emails that smell sweeter than a honeysuckle vine but hide a nasty surprise. Imagine this: you get an email from someone pretendin' to be the IRS, offerin' a "GuestListVegas.pdf" like it's an invitation to paradise. But click on that PDF, and instead of poolside margaritas, you'll get Qakbot slitherin' onto your computer faster than a catfish swallowin' a cricket.
Now, before you start sweatin' like grits in a hot pan, hold your horses. This ain't no full-blown invasion, just a little test run. The smart folks at Microsoft Threat Intelligence saw through his disguise and spilled the beans on his whole operation. They gave us two IP addresses to block, like gates on a haunted mansion, and a way to spot his fancy digital signature, so you know if you're tangoin' with the wrong partner.
So, here's the deal, y'all. Keep your digital doors locked tight, use those multi-factor authentication chains like a padlock on your grandmother's prize pecan pie recipe, and if somethin' smells like trouble, steer clear faster than a jackrabbit on a hot tin roof. Qakbot might be back, but we ain't scared. We've got the tech savvy, the good ol' southern common sense, and the community spirit to keep our data safe and sound. So, go on, relax, sip your sweet tea, and leave the tech wranglin' to the folks who speak the language of bits and bytes. We'll handle Qakbot, just like we always do, with a heapin' helping of y'all's good ol' southern resilience. Remember, in this digital showdown, we ain't the possums, we're the shotguns!
New and Known TTPs and IOCs for Qakbot
Qakbot, also known as QBot or Pinkslipbot, is a persistent and evolving malware threat that has been around since 2007. It initially focused on stealing financial data and login credentials, but has since expanded its capabilities to include lateral movement, reconnaissance, and delivery of other malware, including ransomware.
New TTPs:
Phishing campaigns targeting the hospitality industry: Qakbot is using emails pretending to be from the IRS, offering a "GuestListVegas.pdf" document that downloads Qakbot malware when clicked.
Digitally signed Windows Installer (.msi) delivery: The malware is delivered through a digitally signed .msi file, making it appear more legitimate and potentially bypassing security measures.
DLL injection using "hvsi" execution: The .msi file installs a DLL that uses the "hvsi" function to inject Qakbot code into memory, a technique known for evading detection.
Known TTPs:
Email phishing: Qakbot commonly spreads through phishing emails with malicious attachments or links. These emails may be disguised as legitimate invoices, bank statements, or other documents.
Web injects: Qakbot can inject malicious code into web pages as the victim's browser renders them, altering what the user sees on banking or login sites, redirecting users to phishing pages, or triggering drive-by downloads.
Lateral movement: Once installed, Qakbot can move laterally within a network, stealing data from other devices and potentially deploying additional malware.
Ransomware delivery: Qakbot has been used to deliver various ransomware strains, including Black Basta and ProLock.
IOCs:
URLs:
hxxps://[REDACTED]/GuestListVegas.pdf
Additional C2 server URLs associated with Qakbot campaigns can be found in reports from security researchers.
IP addresses:
192.168.1.254
10.0.0.1
These are common internal network addresses that Qakbot traffic may touch, but be cautious: both sit in RFC 1918 private ranges (10.0.0.0/8 and 192.168.0.0/16), are routinely used by legitimate routers and applications, and so cannot serve as perimeter block indicators on their own.
File hashes:
SHA256: [REDACTED] (Qakbot malware)
SHA256: [REDACTED] (Qakbot loader DLL)
Additional malware and loader hashes can be found in threat intelligence reports.
Domains:
Qakbot uses a dynamic infrastructure with constantly changing domains. Security researchers publish lists of known malicious domains associated with Qakbot.
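As an added example, not code from the post or from Microsoft's report, here is detection logic a defender could run over endpoint process telemetry for the PDF lure, signed .msi install and "hvsi" DLL export chain listed under New TTPs, together with the sanity check the IP list above needs before anything goes on a blocklist. It assumes constructed event records with host, pid, ppid, image and cmd fields, and that the DLL export is invoked through rundll32, which the post does not state.

```python
import re
import ipaddress
# Constructed sample endpoint telemetry (not real data): host fd-01 shows the
# PDF lure -> .msi install -> DLL "hvsi" export chain; fd-02 is a benign install.
SAMPLE_EVENTS = [
    {"host": "fd-01", "pid": 410, "ppid": 300, "image": "outlook.exe", "cmd": "outlook.exe"},
    {"host": "fd-01", "pid": 520, "ppid": 410, "image": "AcroRd32.exe", "cmd": "AcroRd32.exe C:\\dl\\GuestListVegas.pdf"},
    {"host": "fd-01", "pid": 611, "ppid": 520, "image": "msiexec.exe", "cmd": "msiexec.exe /i C:\\tmp\\setup.msi /qn"},
    {"host": "fd-01", "pid": 702, "ppid": 611, "image": "rundll32.exe", "cmd": "rundll32.exe C:\\pd\\loader.dll,hvsi"},
    {"host": "fd-02", "pid": 800, "ppid": 700, "image": "msiexec.exe", "cmd": "msiexec.exe /i vendor.msi /qn"},
]
# Assumption: rundll32 calls a DLL export as "<dll>,<export>"; the page names the export "hvsi".
HVSI_EXPORT = re.compile(r"\.dll\s*,\s*hvsi\b", re.IGNORECASE)

def ancestors(by_pid, ev, max_depth=8):
    """Parent chain of ev, nearest first; depth-bounded so pid reuse cannot loop."""
    chain, seen = [], {ev["pid"]}
    while len(chain) < max_depth and (ev := by_pid.get(ev["ppid"])) and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(ev)
    return chain

def detect_qakbot_chain(events):
    """One finding per rundll32 call of the hvsi export, noting whether an
    msiexec install and a PDF lure appear earlier in its process ancestry."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], {})[ev["pid"]] = ev
    findings = []
    for host, by_pid in by_host.items():
        for ev in by_pid.values():
            if ev["image"].lower() != "rundll32.exe" or not HVSI_EXPORT.search(ev["cmd"]):
                continue
            chain = ancestors(by_pid, ev)
            findings.append({"host": host, "pid": ev["pid"],
                             "msi_install": any(a["image"].lower() == "msiexec.exe" for a in chain),
                             "pdf_lure": any(".pdf" in a["cmd"].lower() for a in chain)})
    return findings

def _parse_ip(raw):
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:  # placeholders such as "[REDACTED]"
        return None

def routable_ip_iocs(iocs):
    """Keep only globally routable IPs: private (RFC 1918), loopback or documentation
    addresses, like the two listed in the post, match legitimate internal traffic."""
    return [str(ip) for ip in map(_parse_ip, iocs) if ip is not None and ip.is_global]
```

A single hvsi hit with neither ancestor stage present is still worth triage; the two flags only tell the analyst how much of the delivery chain the telemetry captured.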
Additional Resources:
CISA Qbot/Qakbot Malware Report: https://www.cisa.gov/resources-tools/resources/qbotqakbot-malware
Cybereason: THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies: https://www.cybereason.com/
Microsoft Threat Intelligence: Qakbot Malware Campaign Update: https://www.microsoft.com/en-us/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
Remember:
This list is not exhaustive and new TTPs and IOCs may emerge at any time.
It is important to implement a layered security approach and use a combination of detection, prevention, and response tools to protect against Qakbot and other malware threats.
Stay informed about the latest threats and vulnerabilities by subscribing to security advisories and threat intelligence feeds.
By staying vigilant and taking proactive measures, you can help to protect yourself and your organization from Qakbot and other cyber threats.