In a concerning turn of events, a resurgence of QakBot malware has emerged, posing a renewed threat to the cybersecurity landscape. Microsoft, in a recent revelation, uncovered a low-volume phishing campaign targeting the hospitality industry. Commencing on December 11, 2023, this wave of attacks signals a strategic evolution in QakBot’s tactics, with the perpetrators employing sophisticated methods to infiltrate systems. In this comprehensive blog post, we explore the nuances of this resurgence, its implications for the hospitality sector, and the imperative need for heightened cybersecurity measures.

Unveiling the Campaign:
Microsoft’s detection of the QakBot resurgence comes on the heels of a commendable law enforcement effort that dismantled the malware’s infrastructure three months prior. Despite this setback, a new wave of phishing messages has surfaced, indicating the malware’s adaptability and resilience.

The Target: Hospitality Industry:
The specific targeting of the hospitality industry in this campaign raises concerns about the potential impact on businesses in this sector. Microsoft’s series of posts on X (formerly Twitter) detailed how targets within the hospitality realm received a PDF from a malicious actor posing as an IRS employee. This PDF contained a deceptive URL leading to the download of a digitally signed Windows Installer (.msi).

Execution and Payload Configuration:
Upon executing the MSI, QakBot was activated using the export ‘hvsi’ execution of an embedded DLL. Notably, Microsoft highlighted that the payload was generated on the same day the campaign commenced, configured with the previously unseen version 0x500. This underscores the malware’s adaptability and the constant need for updated cybersecurity protocols.

Operation Duck Hunt: Past Disruption and Current Resurgence:
QakBot, also known as QBot and Pinkslipbot, faced disruption in the past through Operation Duck Hunt. Law enforcement gained access to its infrastructure, instructing infected computers to download an uninstaller file, effectively neutralizing the threat. However, the recent resurgence showcases the malware’s ability to bounce back, mirroring the pattern seen with Emotet.

QakBot’s Modus Operandi:
Traditionally distributed via spam email messages containing malicious attachments or hyperlinks, QakBot has proven to be a versatile tool for cybercriminals. Capable of harvesting sensitive information and delivering additional malware, including ransomware, its resurgence is a stark reminder of the evolving nature of cyber threats.

Cisco Talos Insights:
In October 2023, Cisco Talos shed light on QakBot affiliates leveraging phishing lures to deliver a potent mix of ransomware, remote access trojans, and stealer malware. This emphasizes the multifaceted threat posed by QakBot and the need for a comprehensive defense strategy.

Parallels with Emotet:
The return of QakBot draws striking parallels with Emotet, another formidable malware that resurfaced in late 2021 despite dismantling efforts. While both operate at a lower level than their previous peaks, their enduring threat emphasizes the need for continuous vigilance.

The Future Landscape:
As we witness the resurgence of QakBot, the question remains whether it will reclaim its former glory. Regardless, the resilience of such botnets serves as a stark reminder for organizations to fortify their defenses against spam emails used in Emotet and QakBot campaigns.

In the ever-evolving landscape of cyber threats, the resurgence of QakBot demands a proactive and adaptive cybersecurity approach. Organizations, particularly in the hospitality industry, must prioritize employee awareness, implement advanced email filtering systems, and stay abreast of the latest cybersecurity protocols. By doing so, businesses can mitigate the risks posed by QakBot and similar malware, safeguarding their sensitive data and overall digital infrastructure from potential breaches. As the digital battleground evolves, a resilient defense is paramount in the face of persistent threats like QakBot.