🦆🤖 Qakbot makes a return....a not-so-welcome Christmas present!
Spamhaus researchers are observing low-volume Qakbot campaigns targeting specific business sectors. But we do have some positive news...
Many of the observed botnet controllers are now offline, and the remaining ones are already known as rogue ISPs, and listed on the Spamhaus Extended DROP List 👉 https://www.spamhaus.org/drop/
👀 Watch this space; if anything changes, we'll keep you updated!
New high-volume phishing campaigns mimic tactics of defunct #QakBot trojan, hijacking email threads and using unique URLs to deliver DarkGate and PikaBot #malware.
The activity reported in this Talos article is not associated with #Qakbot.
Why do I say this?
This Talos article is "...connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns."
Talos identifies these campaigns as "AA" and "BB." But the other data Talos presents isn't associated with infrastructure for the "AA" and "BB" campaigns that have pushed Qakbot before.
That "AA" and "BB" infrastructure has been active since last month, pushing #DarkGate, #Pikabot, and #IcedID. This distribution network is run by a threat actor Proofpoint identifies as #TA577. TA577 was one of the distributors of Qakbot before Qakbot got taken down.
I would never have called TA577 the threat actor behind Qakbot, but Talos implies this in the article. TA577 is merely a threat actor that distributed Qakbot tagged as part of the "AA" and "BB" series campaigns.
From what I can tell, this Knight ransomware activity is not connected with the AA/BB/TA577 distributor who has previously spread Qakbot and other malware.
At the end of August, the #Qakbot network was dismantled, among others by the Bundeskriminalamt (German Federal Criminal Police Office). In 2022, more than 700,000 computer systems were affected. The FBI, Europol and Eurojust successfully shut down international servers.
More on this: 👉 https://www.bsi.bund.de/dok/1094978
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #35/2023 is out! It includes the following and much more:
➝ 🔓 🏌🏻♂️Golf gear giant #Callaway data breach exposes info of 1.1 million
➝ 🔓👕 Forever 21 data breach affects half a million people
➝ 🔓 🤦🏻♂️ #LogicMonitor customers hit by hackers, because of default passwords
➝ 🇺🇸 ⚖️ Lawsuit Accuses University of Minnesota of Not Doing Enough to Prevent #DataBreach
➝ 🎬 🔓 #Paramount discloses data breach following security incident
➝ 🏥 🔓 #Healthcare Organizations Hit by Cyberattacks Last Year Reported Big Impact, Costs
➝ 🇺🇸 🌎 #Microsoft joins a growing chorus of organizations criticizing a #UN cybercrime treaty
➝ 🇺🇸 🦠 U.S. Hacks #QakBot, Quietly Removes Botnet Infections
➝ 🇷🇺 🇺🇦 #Russia targets #Ukraine with new Android #backdoor, intel agencies say
➝ 🇷🇺 🕵🏻♂️ Unmasking #Trickbot, One of the World’s Top Cybercrime Gangs
➝ 🇨🇳 👀 ‘Earth Estries’ #Cyberespionage Group Targets Government, Tech Sectors
➝ 🇨🇳 Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom
➝ 💸 🇪🇺 Pay our ransom instead of a #GDPR fine, #cybercrime gang tells its targets
➝ 🇺🇸 🇨🇳 #Meta: Pro-Chinese influence operation was the largest in history
➝ 🇪🇸 📸 Spain warns of #LockBit Locker ransomware phishing attacks
➝ 🇵🇱 🚂 Two Men Arrested Following #Poland Railway Hacking
➝ 🇰🇵 🐍 #Lazarus hackers deploy fake #VMware PyPI packages in #VMConnect attacks
➝ 💸 #Classiscam fraud-as-a-service expands, now targets banks and 251 brands
➝ 💬 🎠 Trojanized #Signal and #Telegram apps on Google Play delivered spyware
➝ 🦠 📄 MalDoc in PDFs: Hiding malicious Word docs in PDF files
➝ 🇧🇷 👀 A Brazilian phone #spyware was hacked and victims’ devices ‘deleted’ from server
➝ 👨🏻💻 🔐 #GitHub Enterprise Server Gets New Security Capabilities
➝ 🚗 💰 Over $1 Million Offered at New #Pwn2Own #Automotive Hacking Contest
➝ 🩹 #Splunk Patches High-Severity Flaws in Enterprise, IT Service Intelligence
➝ ⛏️ 🔓 Recent #Juniper Flaws Chained in Attacks Following #PoC Exploit Publication
📚 This week's recommended reading is: "Spam Nation: The Inside Story of Organized Cybercrime―from Global Epidemic to Your Front Door" by @briankrebs
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every weekend ⬇️
In light of all the news about qakbot being dismantled, it’s time to let people know about something we did at @huntress : @JohnHammond discusses the qakbot “vaccine” we used to prevent the spread of qakbot in our customer base:
Investigators dismantle "Qakbot" malware network in Germany
For years, hackers used the "Qakbot" botnet to extort companies and government agencies. Now, in an international operation, investigators have taken over the malware's servers; the focus was on Germany.
Qakbot botnet infrastructure shattered after international operation
#Europol has supported the coordination of a large-scale international operation that has taken down the infrastructure of the #Qakbot malware and led to the seizure of nearly €8M in cryptocurrencies. The international investigation, also supported by Eurojust, involved judicial and law enforcement authorities from FR (Paris DA J3, Gendarmerie and Police), DE, LV, NL, RO, UK and US.
The FBI conducted a takedown of the #Qakbot #malware yesterday by taking over the C2 servers and pushing out a new DLL to unload the implant on all infected systems.
Time will tell if we see a reemergence of Qakbot, or something else in its place.
Quak 🦆! The FBI and the U.S. Department of Justice announced a multinational operation to disrupt and dismantle the Qakbot botnet 💣 💥 Goodbye #Qakbot, I hope we won't see you ever again 👋. And this is how it looks from Feodo Tracker's perspective ⬇️. All #botnet C2s are offline 🛑
Last year I was invited to present a talk at a conference called #MicrosoftDCC and spoke about a particularly vicious #botnet #malware called #qakbot.
My colleague Steeve and I had cracked the methodology for decoding their command-and-control functionality. We published our work in a blog post and presented it at #VirusBulletin, #RMISC, and #DCC.
Today, the #FBI announced that in an international operation with France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom they have shut down the botnet.
FBI makes a massive botnet infecting more than 700,000 computers uninstall itself (www.theverge.com)
The FBI led the effort to dismantle Qakbot.