Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnThe Hacker NewsTHN:C3285DE6EF315CEDE8B5B9C5E945F6CA
HistoryDec 18, 2023 - 9:29 a.m.

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

2023-12-1809:29:00
The Hacker News
thehackernews.com
12
qakbot malware
phishing campaign
hospitality industry
microsoft discovery
windows installer
zscaler threatlabz
aes encryption
ransomware
remote access trojans

7.2 High

AI Score

Confidence

Low

JSON

QakBot Malware

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network.

Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.

“Targets received a PDF from a user masquerading as an IRS employee,” the tech giant said in a series of posts shared on X (formerly Twitter).

“The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export ‘hvsi’ execution of an embedded DLL.”

UPCOMING WEBINAR [

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

](<https://thehacker.news/zero-trust-attack-surface?source=inside&gt;)

Traditional security measures won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.

Join Now

Microsoft said that the payload was generated the same day the campaign started and that it’s configured with the previously unseen version 0x500.

Zscaler ThreatLabz, in a post shared on X, described the resurfaced QakBot as a 64-bit binary that utilizes AES for network encryption and sends POST requests to the path /teorema505.

QakBot, also called QBot and Pinkslipbot, was disrupted as part of a coordinated effort called Operation Duck Hunt after the authorities managed to gain access to its infrastructure and instructed the infected computers to download an uninstaller file to render the malware ineffective.

QakBot Malware

Traditionally distributed via spam email messages containing malicious attachments or hyperlinks, QakBot is capable of harvesting sensitive information as well as delivering additional malware, including ransomware.

In October 2023, Cisco Talos revealed that QakBot affiliates were leveraging phishing lures to deliver a mix of ransomware, remote access trojans, and stealer malware.

Cybersecurity

The return of QakBot mirrors that of Emotet, which also resurfaced in late 2021 months after it was dismantled by law enforcement and has remained an enduring threat, albeit at a lower level.

While it remains to be seen if the malware will return to its former glory, the resilience of such botnets underscores the need for organizations to avoid falling victim to spam emails used in Emotet and QakBot campaigns.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

7.2 High

AI Score

Confidence

Low

JSON