Even after the FBI’s intervention against the Qakbot threat group’s network in late August, certain affiliates of the group persistently launched ransomware via phishing campaigns, as informed by Cisco Talos.

Researchers at Talos uncovered new findings suggesting an actor associated with the Qakbot malware loader, also identified as QBot or Pinkslipbot, initiated a campaign around early August 2023. This campaign involved disseminating the Ransom Knight ransomware and the Remcos backdoor through phishing messages.

Cisco divulged this fresh analysis in an article on the Talos Intelligence website dated October 5, 2023.

Qakbot’s Primary Servers Affected by the FBI Action Based on the new campaign’s LNK files’ metadata, Talos links it to Qakbot affiliates, stating it mirrors the metadata from devices deployed in earlier Qakbot initiatives.

This recent evaluation reveals that Operation Duck Hunt, the code-named law enforcement effort, possibly influenced only the Qakbot group’s command and control (C2) servers, leaving their spam distribution network untouched.

Such a conclusion aligns with insights shared by multiple specialists in the field with Infosecurity in the early days of September, shortly after the joint FBI and international law enforcement maneuver.

Yelisey Bohuslavskiy from Red Sense, a threat prevention enterprise, clarified that while Operation Duck Hunt addressed the infrastructure linked to the QakBot loader, it might not have extended to the core of QakBot Trojan.

Elaborating further, Bohuslavskiy mentioned, “QBot initially emerged as a trojan malware but eventually evolved into a loader-as-a-service (LaaS). Observing the ‘Duck Hunt’ procedure suggests that the QBot segment neutralized was more the QB-crimeware than its ransomware/LaaS facet.”

Echoing similar thoughts, Alex Holland, an expert malware analyst at HP Wolf Security, communicated, “QakBot’s full disappearance in the near future seems improbable.”

Delve deeper: Did FBI’s Qakbot Action Truly Neutralize the Threat or Merely Offer a Brief Halt?

Understanding Qakbot Since 2008, Qakbot, a versatile banking trojan, has been operational. It primarily targets victims’ financial details, capturing browser activity, keystrokes, and login data. Moreover, Qakbot is proficient in disseminating varied malware, including ransomware.

Holland noted, “Around the end of 2020, as ransomware activity amplified, QBot’s loader functionality became more pronounced, catapulting it to a dominant spot in the botnet domain, aligning its interests with entities like REvil, Conti, among others. Nonetheless, its core trojan operations continued.”

In the concluding days of August 2023, a global law enforcement endeavor spearheaded by the FBI aimed to neutralize QakBot. This initiative granted them access to QakBot’s central systems, enabling a comprehensive mapping of the server network utilized by the botnet.

Following this, the FBI took control of 52 servers, asserting it would conclusively terminate the botnet, and rerouted QakBot’s online traffic to FBI-regulated servers, directing affected users to procure a removal tool.

The US Department of Justice (DoJ) reported identifying in excess of 700,000 compromised computers globally, of which over 200,000 were within US borders.

Furthermore, the DoJ proclaimed the confiscation of cryptocurrency assets amounting to over $8.6m linked to the QakBot digital malefactors. This sum is slated for restitution to the affected parties.