December 2, 2023

The hackers behind the Qakbot malware have shifted their focus to distributing ransomware, according to security researchers.

The report comes just weeks after law enforcement agencies in the U.S., France, Germany, the Netherlands, the UK, Romania, and Latvia joined forces to take down Qakbot — one of the most prolific and longest-running botnets.

The agencies not only shut down Qakbot’s computer infrastructure but also proactively removed the malware from infected devices.

On Thursday, researchers from Cisco Talos said that even though the Qakbot malware infrastructure was dismantled, the hackers behind it were able to keep their distribution tools intact, and are now using them to spread variants of the Cyclops/Ransom Knight ransomware as well as backdoor malware.

The researchers said the malicious files’ names indicate that the ransomware is being distributed using phishing emails, matching tactics used in past Qakbot campaigns. Some file names are written in Italian, leading Cisco Talos researchers to believe that people in Europe are being targeted.

“The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails,” they said.

“Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.”

When analyzing the metadata of the malicious files, the researchers obtained information about the machines used and said it matched those used in earlier Qakbot campaigns.

They warned that Qakbot will “likely continue to pose a significant threat moving forward, as the developers were not arrested and Talos assesses they are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure.”

Never completely gone

The August operation against Qakbot involved the seizure of infrastructure and cryptocurrency assets used by the group. But almost immediately, experts questioned whether the lack of arrests tied to the operation would allow the actors behind the malware to simply retool.

Austin Berglas, a former special agent in the FBI Cyber Division, previously told Recorded Future News that there is always a concern about a potential resurgence of groups, particularly those operating powerful botnets.

“It’s just like a street gang selling drugs on a street corner. If the police increase presence and prevent the gang from selling drugs on that particular corner, there’s nothing stopping them from going to another part of town, setting up operations, and resuming the activity,” said Berglas, who is now global head of professional services at BlueVoyant.

“True dismantlement of an organization requires identifying, arresting, and prosecuting the personnel, as well as taking down the technical infrastructure.”

Senior FBI and Justice Department officials called it “the most significant technological and financial operation ever led by the Department of Justice against a botnet” but declined to say if any arrests had been made, citing only in-person efforts by authorities in Latvia to take down servers.

Machine serial numbers

Cisco Talos researchers said they believe that the hackers behind one Qakbot campaign that ran from 2021 to 2022 are still active.

One machine with a drive serial number of “0x2848e8a8” was later used in another campaign Cisco identified. But from then on, the hackers began to wipe the metadata from their LNK files — also known as Windows shortcuts — to make detection and tracking harder.

“Talos identified new LNK files in August 2023 that were created on the same machine referenced above, but observed that the payload of the files pointed to a network share in the command line that served a variant of Cyclops/Ransom Knight ransomware,” they said.

“The filenames of these LNK files, with themes of urgent financial matters, suggest they are being distributed in phishing emails, which is consistent with earlier Qakbot campaigns.”

The files are being shared inside zip archives that also contain an XLL file. XLL is an extension used for Excel add-ins, and comes with an icon similar to those of other Excel file formats.

These XLL files are the Remcos backdoor, which is executed alongside the Ransom Knight ransomware. The backdoor gives the hackers access to the machine after it is infected.
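The drive-serial tracking Talos describes above can be reproduced from the LNK format itself. The script below is an added example, not Talos's or Recorded Future's code: it parses the ShellLinkHeader and the LinkInfo/VolumeID structures of a Windows shortcut to pull out the DriveSerialNumber, matches it against a watchlist (here only the 0x2848e8a8 value from the article), and handles the case where the LinkInfo block has been stripped, as Talos observed. The sample LNK files are constructed inside the script, and the function names and watchlist are assumptions.

```python
import struct
# Assumed watchlist: the drive serial the article says Talos tied to earlier
# Qakbot campaigns; a real hunt would load this from threat-intel data.
KNOWN_SERIALS = {0x2848E8A8}

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x1   # ShellLinkHeader.LinkFlags bits (MS-SHLLINK)
HAS_LINK_INFO = 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1  # LinkInfo.LinkInfoFlags bit

def lnk_drive_serial(data: bytes):
    """Return LinkInfo/VolumeID.DriveSerialNumber, or None if the LNK carries no VolumeID."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C                                   # first structure after the 76-byte header
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if not flags & HAS_LINK_INFO:
        return None                              # metadata wiped: nothing to pivot on
    _size, _hdr, li_flags, vol_off = struct.unpack_from("<IIII", data, off)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    _vol_size, _drive_type, serial = struct.unpack_from("<III", data, off + vol_off)
    return serial

def build_sample_lnk(serial: int, strip_metadata: bool = False) -> bytes:
    """Constructed minimal LNK (not a real sample): header plus a LinkInfo/VolumeID carrying `serial`."""
    flags, body = 0, b""
    if not strip_metadata:
        flags = HAS_LINK_INFO
        volume_id = struct.pack("<IIII", 0x11, 3, serial, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
        base_path, suffix = b"C:\\\x00", b"\x00"
        hdr = 0x1C
        body = struct.pack("<IIIIIII", hdr + len(volume_id) + len(base_path) + len(suffix), hdr,
                           VOLUME_ID_AND_LOCAL_BASE_PATH, hdr, hdr + len(volume_id), 0,
                           hdr + len(volume_id) + len(base_path)) + volume_id + base_path + suffix
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    return header + body

def hunt(samples: dict) -> dict:
    """Map sample name -> hex serial for every LNK whose VolumeID serial is on the watchlist."""
    return {name: f"0x{s:08x}" for name, blob in samples.items()
            if (s := lnk_drive_serial(blob)) in KNOWN_SERIALS}

if __name__ == "__main__":
    samples = {"invoice.lnk": build_sample_lnk(0x2848E8A8),      # same build machine as the campaign
               "other.lnk": build_sample_lnk(0x11223344),        # constructed unrelated serial
               "wiped.lnk": build_sample_lnk(0x2848E8A8, True)}  # metadata stripped, as Talos observed
    print(hunt(samples))   # {'invoice.lnk': '0x2848e8a8'}
```

A wiped shortcut yields no serial at all, which is exactly why the metadata removal makes this pivot unreliable on its own and why Talos fell back to file naming and the network-share command line.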

According to Cisco Talos, Ransom Knight is an updated version of the Cyclops ransomware-as-a-service, rewritten from scratch. The threat actor behind the Cyclops service announced the new variant in May 2023.

Recorded Future ransomware expert Allan Liska said the ransomware — which most researchers refer to as Knight — is considered lower tier. Its predecessor has been around since 2015, but the new version of it has been active since August.

“They’re a lower tier ransomware, but the involvement of the crew behind Qakbot could change that, especially if Qakbot becomes fully operational again,” he said. “I’m not saying that Qakbot is behind this ransomware, rather that the people behind this ransomware are using the services of the Qakbot crew.”

Likewise, the Cisco Talos researchers said they do not believe the Qakbot actors are behind that ransomware gang but instead are merely customers.

“As this new operation has been ongoing since the beginning of August 2023 and has not stopped after the takedown, we believe the FBI operation did not affect Qakbot’s spam delivery infrastructure but only its command and control servers,” they said.

“We assess Qakbot will likely continue to pose a significant threat moving forward. Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.”


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.