
It is always encouraging to see a win for the white hats. On August 29, 2023 the US Department of Justice announced the success of a multinational operation to disrupt the malware and botnet activity associated with Qakbot. While remote access trojans continue to be the highest-volume malware attacks we capture, Qakbot/Qbot has been one of the most destructive and convincing email attacks we see targeting users. Let us take a look at two examples of recent activity which highlight their tactics.

Qakbot/Qbot affiliates were observed just prior to the takedown sending campaigns as replies to previously stolen emails, with a PDF attached. Replying to scraped conversations, also known as conversation hijacking (CHA), was a favorite technique seen with Qakbot distribution. The affiliate in this example uses the tag (identifier) BB28 and has geofenced infections to just the United States. The PDF attachment links to a zip file containing an executable (u.]exe) and a dynamic link library (i.]dll). Once the executable is run, it uses curl to side-load the l.]dll and infect the system.
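As an added example (not from the original post), the chain above, an executable run from a user-writable directory that spawns curl.exe and then loads a DLL from its own directory, can be expressed as a detection rule over endpoint telemetry. The events below are constructed Sysmon-style records (process create and image load) with simplified field names; the paths and the benign git/curl event are assumptions used to show what the rule does and does not flag.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-style events (not from the original post).
# id 1 = process creation, id 7 = image (DLL) load.
EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 3000,
     "image": r"C:\Users\u\AppData\Local\Temp\extracted\u.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4112, "ppid": 4100,
     "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\extracted\u.exe"},
    {"id": 7, "pid": 4100,
     "image": r"C:\Users\u\AppData\Local\Temp\extracted\u.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\extracted\l.dll"},
    # Benign: a developer tool under Program Files calling curl.exe.
    {"id": 1, "pid": 5000, "ppid": 4990,
     "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Program Files\Git\cmd\git.exe"},
]

# Directories an unprivileged user can write to (where zip contents land).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")


def from_user_writable(path):
    """True if the path sits under a user-writable staging directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def find_sideload_chains(events):
    """Return {pid: [dll paths]} for processes launched from a user-writable
    directory that both spawned curl.exe and loaded a DLL from their own
    directory. Either behaviour alone is noisy; the combination is the
    chain described for the BB28 campaign."""
    spawned_curl = set()
    sideloaded = defaultdict(list)
    for ev in events:
        if (ev["id"] == 1
                and ntpath.basename(ev["image"]).lower() == "curl.exe"
                and from_user_writable(ev["parent"])):
            spawned_curl.add(ev["ppid"])
        elif ev["id"] == 7 and ev["loaded"].lower().endswith(".dll"):
            same_dir = (ntpath.dirname(ev["loaded"]).lower()
                        == ntpath.dirname(ev["image"]).lower())
            if same_dir and from_user_writable(ev["image"]):
                sideloaded[ev["pid"]].append(ev["loaded"])
    return {pid: sideloaded[pid] for pid in spawned_curl if pid in sideloaded}


if __name__ == "__main__":
    for pid, dlls in find_sideload_chains(EVENTS).items():
        print(f"suspicious side-load chain in pid {pid}: {dlls}")
```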

Another Qakbot campaign looked a little different. This campaign was also sent as replies to previously scraped emails. These had no attachment but instead included a URL in the message body which linked directly to a JavaScript file download. Once clicked, the infection process begins by leveraging LotL phishing tactics. Interestingly, a recent sample with a matching URL pattern (to the example below) was noticed by other researchers reaching out to U.S. DoD IPs.

Even though the disruption of Qakbot is a significant effort deserving of applause all around, we always see threat actors like these pop back up after taking time to regroup. Emotet, for example, was down for about three months before making its return, and we expect Qakbot will not be much different.
