The dreaded QakBot malware is back once again, being distributed among victims in the hospitality industry, experts have warned.
A new Microsoft report claims threat actors are sending out phishing emails and impersonating IRS employees using QakBot. In the emails, they’re delivering a PDF file claiming to be a guest list – but the document states that it cannot be viewed in the email client’s preview pane, instead requesting to be downloaded first.
In fact, the victims who download and run the file are actually downloading an MSI file that launches the malware DLL into memory. Microsoft said the campaign started a week ago, on December 11, adding that the malware was most likely created on the same day.
Duck season is back
QakBot was first built in 2008, and was originally designed to be a banking trojan. As such, its goal was to steal login credentials to various banking services from its victims. Over time, however, it evolved into a malware dropper, now being used by some of the world’s biggest and most dangerous ransomware operators.
Last summer, a team of international law enforcement agents, led by the FBI, managed to dismantle QakBot’s infrastructure. By infiltrating the threat actor’s network, the police pushed an update to all infected endpoints that effectively killed the malware. The operation, named Duck Hunt, was hailed as a great success by the FBI.
While it did manage to stop QakBot from being distributed and used for a couple of months, it seems that the time for celebration has passed. The new version has a few minor changes, security researchers told BleepingComputer, but added that it also comes with a few “unusual bugs”. The bugs, the publication reported, could suggest that the malware is still being actively developed and that new versions might pop up sooner or later.