A new wave of phishing messages delivering the QakBot malware has been observed, more than three months after a law enforcement effort infiltrated its command-and-control (C2) network and dismantled its infrastructure.
Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.
“Target received a PDF from a user identified as an IRS employee,” the tech giant said in a series of posts shared on X (formerly Twitter).
“The PDF contains a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI exported the embedded DLL using the ‘hvsi’ executable invoked by Qakbot.”
Microsoft said the payload was prepared the same day the campaign began and is configured with a previously unseen version number, 0x500.
QakBot, also called QBot and Pinkslipbot, was disrupted as part of a coordinated effort called Operation Duck Hunt after the authorities managed to gain access to its infrastructure and instructed the infected computers to download an uninstaller file to render the malware ineffective.
Traditionally distributed via spam email messages containing malicious attachments or hyperlinks, QakBot is capable of collecting sensitive information as well as distributing additional malware, including ransomware.
In October 2023, Cisco Talos revealed that QakBot affiliates were leveraging phishing lures to deliver a mix of ransomware, remote access trojans, and stealth malware.
The return of QakBot mirrors the return of Emotet, which resurfaced in late 2021 months after being destroyed by law enforcement and remains a persistent threat, albeit at a lower level.
While it remains to be seen whether the malware will return to its former prominence, the resiliency of such botnets underscores the need for organizations to avoid falling victim to the spam emails used in the Emotet and QakBot campaigns.