The dreaded QakBot malware is back once again, being distributed among victims in the hospitality industry, experts have warned.
A new Microsoft report claims threat actors are sending out phishing emails and impersonating IRS employees using QakBot. In the emails, they’re delivering a PDF file claiming to be a guest list - but the document states that it cannot be viewed in the email client’s preview pane, instead requesting to be downloaded first.
In fact, the victims who download and run the file are actually downloading an MSI file that launches the malware DLL into memory. Microsoft said the campaign started a week ago, on December 11, adding that the malware was most likely created on the same day.
Duck season is back
QakBot was first built in 2008, and was originally designed to be a banking trojan. As such, its goal was to steal login credentials to various banking services from its victims. Over time, however, it evolved into a malware dropper, now being used by some of the world’s biggest and most dangerous ransomware operators.
Last summer, a team of international law enforcement agents, led by the FBI, managed to dismantle QakBot’s infrastructure. By infiltrating the threat actor’s network, the police pushed an update to all infected endpoints that effectively killed the malware. The operation, named Duck Hunt, was hailed as a great success by the FBI.
While it did manage to stop QakBot from being distributed and used for a couple of months, it seems that the time for celebration has passed. The new version has a few minor changes, security researchers told BleepingComputer, but added that it also comes with a few "unusual bugs". The bugs, the publication reported, could suggest that the malware is still being actively developed and that new versions might pop up sooner or later.
More from TechRadar Pro
- This malware is evolving to become more dangerous than ever
- Here's a list of the best firewalls today
- These are the best endpoint protection services right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.