Qakbot’s Low-Volume Resurgence Targets Hospitality
Cybersecurity researchers spotted new Qakbot activity targeting the hospitality industry last week.
According to a Saturday post on X (formerly Twitter) by CronUp cyber threat intelligence specialist Germán Fernández, the new attacks are characterized by low volume and have been traced back to a campaign labeled tchk06, Version 0x500.
Fernández identified a specific delivery chain in which the attack moves from email to PDF to URL to MSI.
Notably, the malicious files are digitally signed under the name “SOFTWARE AGILITY LIMITED.” The PDF template employed in these attacks is identical to the one recently used by the PikaBot malware.
So, we have new #Qakbot activity with low-volume attacks targeting the hospitality industry 🔥.
EMAIL > PDF > URL > MSI (#Signed by “SOFTWARE AGILITY LIMITED”). Campaign: tchk06, Version: 0x500.
PDF template is the same one used by #PikaBot a few days ago, of course.
Some… pic.twitter.com/PYW6uGO5mi
— Germán Fernández (@1ZRR4H) December 16, 2023
Microsoft Threat Intelligence also reported on the Qakbot phishing campaigns on Saturday, identifying their initiation on December 11. The phishing attempts have been notably subtle, with targets receiving a PDF from an imposter posing as an IRS employee.
On the same day, Zscaler ThreatLabz shed light on the technical aspects of the renewed Qakbot, revealing it to be a 64-bit version utilizing AES for network encryption. The malware sends POST requests to the path /teorema505, indicating a shift in tactics compared to previous iterations.
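The POST path reported above can be hunted for in web proxy logs. The following is an added example, not code from Zscaler, Microsoft or the researchers quoted here; the log layout, the client and server addresses and the function names are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Indicator taken from the article: the renewed Qakbot POSTs to this path.
C2_PATH = "/teorema505"

# Constructed sample proxy log lines (timestamp, client, method, URL, status).
# Hosts use documentation-only address ranges; the layout is an assumption.
SAMPLE_LOG = """\
2023-12-16T10:02:11Z 10.0.4.23 POST http://203.0.113.10/teorema505 200
2023-12-16T10:02:40Z 10.0.4.23 GET http://203.0.113.10/teorema505 404
2023-12-16T10:07:12Z 10.0.4.23 POST http://203.0.113.10/teorema505?x=1 200
2023-12-16T10:09:55Z 10.0.7.8 POST http://198.51.100.7/%74eorema505/ 200
2023-12-16T10:11:03Z 10.0.9.1 POST http://198.51.100.9/api/teorema505x 200
2023-12-16T10:12:30Z 10.0.9.1 POST http://intranet.example/login 302
malformed line
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalise_path(url):
    """Decode percent-escapes, lower-case, and drop query and trailing slash."""
    path = unquote(urlsplit(url).path).lower()
    return path.rstrip("/") or "/"


def find_c2_posts(log_text, c2_path=C2_PATH):
    """Group POSTs to the indicator path by client: {client: [(ts, host), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, url, _status = m.groups()
        if method.upper() != "POST":
            continue  # the article describes POST requests only
        if normalise_path(url) == c2_path:  # exact match, not substring
            hits[client].append((ts, urlsplit(url).hostname))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_c2_posts(SAMPLE_LOG).items():
        print(client, len(events), "POST(s) to", C2_PATH, "first seen", events[0][0])
```

Matching on the normalised path rather than a raw substring keeps the check from missing percent-encoded or query-suffixed requests and from flagging unrelated paths that merely contain the string.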
The significance of this Qakbot resurgence lies in its adaptation to evade prior disruption efforts, employing a familiar PDF template to exploit vulnerabilities within the hospitality sector.
The new attacks are a notable development following previous efforts to dismantle the malware earlier this year. In particular, Operation Duck Hunt, an FBI-led initiative, successfully shut down Qakbot malware on August 30, 2023.
Despite the apparent success of this operation, subsequent reports in October highlighted that the Qakbot gang remained active, indicating the persistent challenges in completely eradicating such threats.
Infosecurity will continue to follow developments regarding the QakBot malware and provide updates about the latest attacks as soon as they are available.