
Compromised Skype Accounts Facilitate DarkGate Malware Spread


Cyber attackers wielding the DarkGate malware used compromised Skype accounts as a vector to infiltrate targets between July and September. They did so by sending messages carrying VBA loader script attachments.

Trend Micro's security researchers, who detected these attacks, noted that this loader script fetches a second-stage AutoIT script, which in turn deploys the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and Malwarebytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns used malicious VBScript to deploy the DarkGate malware. The attackers targeted users from compromised Office 365 accounts outside the victims' organizations and leveraged a tool named TeamsPhisher.

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.
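The delivery chain described above (messaging client, then a script host running the loader, then the AutoIT interpreter) is something a defender can look for in process-creation telemetry. The following is an added example and not code from Trend Micro, Truesec or Malwarebytes; the event format, the sample events and the process image names used to identify each stage are all assumptions.

```python
"""Heuristic detection of the DarkGate delivery chain described in the post:
messaging client -> script host running a loader script -> AutoIt interpreter.
Added example; log format and process image names are assumptions."""
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample of process-creation events (pid, parent pid, image, command line).
# Assumed: each stage is recognised by its image name alone.
SAMPLE_EVENTS = [
    Event(100, 1, "Skype.exe", "Skype.exe"),
    Event(200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\invoice.vbs"'),
    Event(300, 200, "AutoIt3.exe", "AutoIt3.exe C:\\Users\\Public\\update.au3"),
    Event(400, 1, "ms-teams.exe", "ms-teams.exe"),
    Event(500, 400, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\report.vbs"'),
    Event(600, 500, "notepad.exe", "notepad.exe"),
    Event(700, 1, "explorer.exe", "explorer.exe"),
    Event(800, 700, "AutoIt3.exe", "AutoIt3.exe C:\\Tools\\build.au3"),  # benign admin use
]

MESSAGING_CLIENTS = {"skype.exe", "teams.exe", "ms-teams.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT = {"autoit3.exe"}


def find_darkgate_chains(events):
    """Return pids of AutoIt processes whose parent is a script host launched by a messaging client."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in AUTOIT:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in SCRIPT_HOSTS:
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is not None and grandparent.image.lower() in MESSAGING_CLIENTS:
            hits.append(e.pid)
    return hits


def find_suspicious_script_launches(events):
    """Weaker, earlier signal: any script host spawned directly by a messaging client."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if e.image.lower() in SCRIPT_HOSTS
            and e.ppid in by_pid and by_pid[e.ppid].image.lower() in MESSAGING_CLIENTS]


if __name__ == "__main__":
    print("full chain:", find_darkgate_chains(SAMPLE_EVENTS))
    print("script hosts from messaging clients:", find_suspicious_script_launches(SAMPLE_EVENTS))
```

The second function fires on the Teams-launched script even though no AutoIt stage followed, which is the trade-off between catching the loader early and accepting more noise.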

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The use of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially since the Qakbot botnet was dismantled in August by an international law enforcement effort.

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.

FBI Operation: Qakbot Botnet Dismantled, Preventing Severe Ransomware Attacks


A global law enforcement operation led by US investigators reportedly took down and dismantled the Qakbot botnet, heading off the ransomware attacks it enabled.

On August 29, the Justice Department and FBI confirmed that they had taken down Qakbot by obtaining a search warrant that allowed them to essentially take over the servers running the botnet. Federal agents then used the botnet itself to distribute a file to infected computers that forcibly removed the Qakbot malware from hundreds of them.

In their investigation, the agencies found that Qakbot had access to over 700,000 infected computers, 200,000 of which were based in the US.

Qakbot Botnet

Qakbot, aka Qbot, first appeared in 2008 as a Windows-based Trojan designed to steal targeted users' bank account credentials. It was conventionally spread as malware attachments in phishing emails.

The malware was also designed to build a botnet that followed the commands of a hacker-controlled server. As a result, the Qakbot developers were able to charge other cybercriminal organizations for access to the systems they had compromised.

Those cybercrime organizations could then unleash ransomware on the affected systems or steal data from them. US authorities and security researchers have connected Qakbot to a number of ransomware gangs, including Conti, Black Basta, Royal, REvil, and LockBit, among others. In return, the unidentified Qakbot operators received fees tied to victim ransom payments totalling around $58 million. The botnet's operations are estimated to have caused hundreds of millions of dollars in total victim losses.

The Operation

The application for the operation's seizure warrant describes how the FBI gained access to the servers operating the Qakbot botnet infrastructure, which was hosted by an unnamed web hosting company and which also included systems used by the Qakbot operators.

The application further noted that, “Through its investigation, the FBI has gained a comprehensive understanding of the structure and function of the Qakbot botnet[…]Based on that knowledge, the FBI has developed a means to identify infected computers, collect information from them about the infection, disconnect them from the Qakbot botnet and prevent the Qakbot administrators from further communicating with those infected computers.”

Reportedly, Qakbot uses a three-tier network to control the malware installed on infected computers.

According to the FBI, Tier 1 systems are ordinary home or business computers that are infected with Qakbot and also carry an additional "supernode" module, making them part of the botnet's global command and control network. Many of these machines are located in the United States. Tier 1 computers communicate with Tier 2 systems, which proxy the network traffic in order to hide the primary Tier 3 command and control server that the administrators use to send encrypted commands to the hundreds of thousands of infected workstations.

By gaining access to these systems and to Qakbot's encryption keys, the FBI could decode the encrypted commands and better understand them. Moreover, with the encryption keys in hand, the FBI could instruct the Tier 1 "supernode" computers to replace the supernode module with one developed by the FBI that contained new encryption keys, wresting control of Qakbot away from its own administrators.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” US Attorney Martin Estrada said in the announcement. 

The US is yet to provide further details on the issue. However, the Justice Department noted that “The FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware.”