Qakbot hackers now pushing Cyclops/Ransom Knight ransomware, Cisco says


The hackers behind the Qakbot malware have shifted their focus to distributing ransomware, according to security researchers.

The report comes just weeks after law enforcement agencies in the U.S., France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia joined forces to take down Qakbot — one of the most prolific and longest-running botnets.

The agencies not only shut down Qakbot’s computer infrastructure but also proactively removed the malware from infected devices.

On Thursday, researchers from Cisco Talos said that even though the Qakbot malware infrastructure was dismantled, the hackers behind it have been able to keep their distribution tools intact, now using them to spread variants of the Cyclops/Ransom Knight ransomware as well as backdoor malware.

The researchers said the malicious files’ names indicate that the ransomware is being distributed using phishing emails, matching tactics used in past Qakbot campaigns. Some file names are written in Italian, leading Cisco Talos researchers to believe that people in Europe are being targeted.

“The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails,” they said.

“Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.”

When examining the metadata of the malicious files, the researchers obtained information about the machines used to create them and said it matched the machines used in previous Qakbot campaigns.

They warned that Qakbot is “likely [to] continue to pose a significant threat moving forward, as the developers were not arrested and Talos assesses they are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure.”

Never completely gone

The August operation against Qakbot involved the seizure of infrastructure and cryptocurrency assets used by the group. But almost immediately, experts…
