this post was submitted on 19 Dec 2023

Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet.

Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December 11 but attack attempts are currently low in volume.

The gang targets the hospitality sector, initially using phishing emails containing malicious PDF attachments that they've doctored to look like they come from the US Internal Revenue Service (IRS).

When opened, the PDF presents the target with an error screen indicating a preview of the document isn't available, alongside a button to download the document from "AdobeCloud."

Germán Fernández, security researcher at CronUp, said the same PDF template had been used by Pikabot operators just days earlier; Pikabot is Windows malware that shares many similarities with Qakbot. Both are being associated with attacks from the group Proofpoint tracks as TA577.

Clicking the button in the PDF led to the download and installation of Qakbot, which Microsoft said may have been an updated payload. The previously unseen version, 0x500, was generated on December 11, according to its analysis.

The team at Zscaler ThreatLabz confirmed that the payload was updated, and the new version has a 64-bit architecture, uses AES for network encryption, and sends POST requests to path /teorema505.
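As an added example (not code from the article or from any of the vendors it cites), a small detection pass over constructed web-proxy log lines that flags the POST-to-/teorema505 beacon pattern described above; the log layout, host names and IP addresses are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator taken from the article: the updated Qakbot build sends POST
# requests to this URI path. Path-based indicators are brittle (they change
# between builds), so treat a hit as a lead to pivot on, not a verdict.
QAKBOT_POST_PATH = "/teorema505"

# Assumed log layout (constructed for this example): a Squid-style line
# "<ts> <client_ip> <method> <url> <status> <bytes>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

@dataclass
class Hit:
    ts: str
    src: str
    url: str

def url_path(url: str) -> str:
    """Return the URI path, dropping scheme/host, query string and trailing slash."""
    # Strip scheme and host if present so absolute and relative URLs compare equal.
    if "://" in url:
        url = url.split("://", 1)[1]
        url = url[url.find("/"):] if "/" in url else "/"
    return url.split("?", 1)[0].rstrip("/") or "/"

def find_qakbot_beacons(lines: Iterable[str]) -> List[Hit]:
    """Return the log entries whose request is a POST to the Qakbot beacon path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        if m["method"] == "POST" and url_path(m["url"]).lower() == QAKBOT_POST_PATH:
            hits.append(Hit(m["ts"], m["src"], m["url"]))
    return hits

# Constructed sample lines; hosts and IPs are placeholders, not real indicators.
SAMPLE_LOG = [
    "2023-12-12T09:14:03Z 10.0.5.21 GET http://intranet.example/index.html 200 5120",
    "2023-12-12T09:15:47Z 10.0.5.21 POST https://203.0.113.9/teorema505?x=1 200 812",
    "2023-12-12T09:16:02Z 10.0.5.40 POST https://203.0.113.9/teorema505/ 200 790",
    "2023-12-12T09:17:11Z 10.0.5.40 GET https://203.0.113.9/teorema505 404 0",
    "2023-12-12T09:18:30Z 10.0.5.77 POST https://mail.example/api/send 201 2048",
]
```

Running `find_qakbot_beacons(SAMPLE_LOG)` returns the two POST entries (query string and trailing slash normalised away) and ignores the GET to the same path.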

Two researchers at Proofpoint, Tommy Madjar and Pim Trouerbach, also confirmed they had spotted updated Qakbot activity, but the new features only amount to "minor tweaks."

They added that the new Qakbot activity goes back to November 28, roughly two weeks further than December 11 – the date Microsoft first spotted it.

[email protected] 1 points 11 months ago

I hope Windows gets more viruses. Companies need to stop supporting that piece of *####