The notorious Qakbot malware has resurfaced in a new phishing campaign targeting the hospitality industry, just months after a major takedown operation by law enforcement. The malware, also known as Qbot or Pinkslipbot, is designed to steal banking credentials and enable cybercriminals to gain persistent access to infected systems.
New Phishing Campaign Identified
Security researchers have identified a new phishing campaign distributing Qakbot malware via emails purporting to contain information about job applications or invoice payments. The emails contain Microsoft Office documents with malicious macros that, when enabled, download the malware onto the target system.
The campaign appears tailored to the hospitality sector, with emails using subjects related to catering, hotel, and restaurant jobs and invoices. This indicates the attackers are specifically targeting hotels, restaurants, and catering companies in an attempt to breach their systems and access sensitive customer payment information.
Key Details About New Qakbot Campaign
- Targets: Hospitality industry, including hotels, restaurants, catering
- Initial infection: Phishing emails with malicious Office docs
- Malware functionality: Stealing banking credentials, maintaining persistence
- Damage potential: Access to payment card data of customers
Previous Major Takedown by Law Enforcement
This new campaign marks a comeback just a few months after a globally-coordinated law enforcement operation took down what was described as “the world’s most dangerous malware”.
In August 2022, authorities were able to infiltrate the Qakbot infrastructure and disable it by taking control of the hundreds of servers powering the malware. The operation involved multiple law enforcement agencies and private sector partners across Europe and North America.
At the time, the takedown was hailed as a major success delivering an estimated $20-$30 million dollar blow to cyber criminal networks reliant on deploying Qakbot. However, it appears threat actors behind the malware have managed to rebuild significant capabilities in a relatively short period.
Renewed Threat Highlights Resilience of Cyber Criminals
The speed at which Qakbot has re-emerged underscores the resilience and patience of the cyber criminal networks that deploy such tools. It is likely they maintained backup infrastructure precisely for the purpose of rebuilding if disrupted by law enforcement or security defenders.
Experts warn that even after suffering setbacks, these threat actors will methodically work to replenish their capabilities until they reach previous attack volumes. In particular, malware like Qakbot designed to steal financial data continues to prove highly profitable and popular among cyber criminals.
This means that despite the August 2022 takedown impacting the immediate operations of Qakbot, in the longer term the threat actors behind it have reorganized and restored much of the malware’s distribution infrastructure.
Timeline of Recent Qakbot Activity
August 2022 - Major takedown operation by law enforcement disables Qakbot infrastructure
Late 2022 - Backup infrastructure slowly rebuilt by threat actors
December 2022 - New large-scale phishing campaign distributing Qakbot detected targeting hospitality sector
What’s Next? Wider Targets Across More Sectors
Now that Qakbot is back circulating more widely, experts fear it won’t be long before campaigns expand to target other sectors as well. Previously Qakbot has been used against organizations across finance, retail, healthcare, and government.
The initial hospitality focus suggests the malware operators are starting slowly this time while they continue building out infrastructure. But Qakbot has proven effective at infiltrating entire company networks, not just individual endpoints, meaning a broad array of sensitive data is at risk.
In particular, the malware comes with an extensive set of monitoring and spying capabilities allowing attackers to stealthily expand their access after the initial breach. This includes keylogging, screen grabbing, and credential theft features which enable wider traversal of compromised networks.
Observers say they expect campaigns to ramp up over 2023, and for an increasing number of ransomware gangs to deploy Qakbot as part of their extortion operations. This means companies need to equip themselves now with updated defenses before attacks spread further.
Bolstering Defenses Against Evolving Threat
With the Qakbot malware proving its staying power despite attempted takedowns, the cybersecurity community is stressing that organizations urgently review protective measures.
Detailed recommendations include:
-
User awareness training – Enable employees to spot social engineering tactics and phishing lures used to distribute threats like Qakbot. Make reporting suspicious emails a simple process.
-
Email security -Deploy email filtering solutions to detect malicious attachments and links. Configure DMARC, DKIM and SPF to help block spoofed emails pretending to come from trusted sources.
-
Prompt patching – Apply latest software updates to remove vulnerabilities leveraged by Qakbot and other malware. Automate patching for consistent coverage across endpoints and networks.
-
Behavioral monitoring – Look for use of rare commands, unusual databases access, suspicious registry or system changes and other anomalous behaviors indicative of malware.
-
Backup critical data – Ensure current backups exist across the enterprise so damaged or encrypted files can be recovered in the aftermath of an attack. Test restoration to maintain confidence in continuity plans.
With cyber criminals demonstrating persistence in operating malware like Qakbot over the long term, defenders must match this by implementing layered defenses and constantly adapting to new attacker tactics as they emerge. Though campaigns may ramp up and wane, the threat itself is unlikely to ever fully dissipate without concerted efforts to enhance cyber resilience across vulnerable sectors.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
