QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

silversurfer · Dec 18, 2023

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network.

Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.

"Targets received a PDF from a user masquerading as an IRS employee," the tech giant said in a series of posts shared on X (formerly Twitter).
"The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export 'hvsi' execution of an embedded DLL."

Andy Ful · Dec 18, 2023

Analysis: Analysis GuestsListLasVegas_05.msi (MD5: 82B8BD90E500FB0BF878D6F430C5ABEC) Malicious activity - Interactive analysis ANY.RUN
MSI: VirusTotal
DLL: VirusTotal

cruelsister · Dec 18, 2023

Certainly have been a bunch of malicious files with valid certificates lately...

Brahman · Dec 19, 2023

cruelsister said:
Certainly have been a bunch of malicious files with valid certificates lately...

Recently I have seen many cracks with digital certificate matching with original software. How do they obtain such certificates?

cruelsister · Dec 19, 2023

Similar to Qakbot there has just arisen a new PikaBot:

New Malvertising Campaign Distributing PikaBot Disguised as Popular Software

This one calls out to malware Command in Hong Kong and has a valid digital signature and counter signature:

ErzCrz · Dec 19, 2023

cruelsister said:
Similar to Qakbot there has just arisen a new PikaBot:

New Malvertising Campaign Distributing PikaBot Disguised as Popular Software

This one calls out to malware Command in Hong Kong and has a valid digital signature and counter signature:

I'm presuming CF contains these?

Vitali Ortzi · Dec 19, 2023

Brahman said:
Recently I have seen many cracks with digital certificate matching with original software. How do they obtain such certificates?

Could you send me an example?
As any difference between a binary should require a resign
So It seems impossible unless they steal a certificate

Brahman · Dec 19, 2023

Vitali Ortzi said:
Could you send me an example?
As any difference between a binary should require a resign
So It seems impossible unless they steal a certificate

link sent via pm

NoVirusThanks · Dec 21, 2023

Very interesting sample, @Andy Ful thanks for sharing it.

Made a quick test with OSArmor - Basic Protection Profile:

A good option is to also enable "Block signers not present in Trusted Vendors":

And reset the trusted vendors list to only vendors present on your PC (for advanced users).

Search

Search

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

silversurfer

Super Moderator

Andy Ful

From Hard_Configurator Tools

cruelsister

Level 43

Brahman

Level 20

cruelsister

Level 43

ErzCrz

Level 25

Vitali Ortzi

Level 31

Brahman

Level 20

NoVirusThanks

From NoVirusThanks

You may also like...