The infamous QakBot malware was spotted in a recent wave of phishing campaigns launched merely months after its disruption.
Earlier this year, authorities took down the malicious operation as part of a joint law enforcement operation dubbed Duck Hunt after infiltrating the administrator servers and mapping out the botnet’s infrastructure.
The operation involved pushing a custom Windows DLL file to infected devices, effectively uninstalling QakBot instances on compromised machines and terminating their connection to the botnet.
The calm lasted only until recently, when security researchers observed QakBot being distributed in a new phishing campaign in which the threat actors impersonate IRS employees in phony email messages.
The email carries what appears to be a PDF guest list that supposedly cannot be previewed, prompting the recipient to download the "document" and open it; the download is in fact a malicious MSI installer. Running the installer loads the QakBot DLL into memory on the victim's device.
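The lure above works because the name of the attachment ("a PDF") and its real container format (an MSI package, which is an OLE2 compound document) disagree. A mail gateway or triage script can catch that disagreement by sniffing magic bytes rather than trusting the extension. The following is an added example written for this article, not code from the original page or from any of the researchers it cites; the file names, sample bytes and the `EXPECTED` table are constructed for illustration.

```python
import os

# Constructed magic bytes, not real malware: they identify a file's container
# format regardless of the name it was delivered under.
PDF_MAGIC = b"%PDF-"
# OLE2 compound document header: the container used by Windows Installer
# (.msi) packages as well as legacy Office documents.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# MZ header of a PE image (.exe/.dll).
PE_MAGIC = b"MZ"

# Which sniffed container types are acceptable for a claimed extension
# (illustrative table; extend it for the formats your gateway accepts).
EXPECTED = {
    ".pdf": {"pdf"},
    ".msi": {"ole"},
    ".doc": {"ole"},
    ".xls": {"ole"},
    ".dll": {"pe"},
    ".exe": {"pe"},
}


def sniff_type(data: bytes) -> str:
    """Return the container type implied by the leading bytes of `data`."""
    head = data[:1024]
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(PE_MAGIC) and len(data) >= 64:
        return "pe"
    # PDF readers tolerate junk before the header and scan the first 1 KiB,
    # so the check must do the same or a padded PDF would be misclassified.
    if PDF_MAGIC in head:
        return "pdf"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension in `filename` does not match the sniffed content."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_type(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        # Unknown extension: installer or executable content is still suspicious.
        return actual in {"ole", "pe"}
    return actual not in expected


def triage(attachments):
    """Return the names of attachments whose content contradicts their claimed type."""
    return [name for name, data in attachments if extension_mismatch(name, data)]


if __name__ == "__main__":
    # Constructed attachments for a dry run; none of these is a real sample.
    samples = [
        ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
        ("GuestList.pdf", OLE_MAGIC + b"\x00" * 504),  # MSI content under a PDF name
        ("setup.msi", OLE_MAGIC + b"\x00" * 504),
        ("report.pdf", PE_MAGIC + b"\x90" * 62),  # PE image under a PDF name
    ]
    for name in triage(samples):
        print(f"mismatch: {name}")
```

The check only flags a disagreement between name and content, not maliciousness: a legitimate `.doc` attachment is also an OLE2 container and passes. It is a cheap first filter that defeats the "PDF that is really an installer" trick regardless of how the lure text is worded.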
Reportedly, the perpetrators built the DLL on the same day the phishing campaign began and used a previously unseen version, indicating that the malware is still under active development.
As BleepingComputer reported, security researcher Pim Trouerbach noted that the new QakBot DLL contains minor changes, such as a switch from XOR to AES for string decryption.
Trouerbach also pointed out that the new build contains some "unusual bugs", a sign that it has not been fully developed yet.
It remains unclear whether QakBot's comeback will succeed. Other operations, such as Emotet, previously attempted to resurrect their botnets and failed spectacularly, but it is too early to tell whether the new QakBot variant will share that fate.
Until then, personal vigilance combined with dedicated software like Bitdefender Ultimate Security is highly recommended to counter digital threats new and old.