The cybercriminals behind the Qakbot malware have been observed distributing ransomware and backdoors following the recent infrastructure takedown attempt by law enforcement, according to Cisco’s Talos research and threat intelligence group.
In late August, authorities in the United States and Europe announced the results of an international operation whose goal was the
disruption of the notorious Qakbot botnet, aka Qbot and Pinkslipbot.
The law enforcement operation involved the takeover of Qakbot infrastructure, the seizure of millions of dollars worth of cryptocurrency, and the distribution of a utility designed to automatically remove the malware from infected devices.
Talos has been monitoring Qakbot-related activities and on Thursday pointed out that a campaign launched by cybercriminals in early August has continued even after the law enforcement operation was announced.
As part of this campaign, the hackers have delivered Ransom Knight ransomware and the Remcos backdoor using phishing emails. This suggests, according to Talos, that the law enforcement operation impacted only Qakbot command and control (C&C) servers, without affecting spam delivery infrastructure.
“We assess Qakbot will likely continue to pose a significant threat moving forward. Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity,”
Talos said.
