The PolySwarm Blog


Qakbot Threat Actors Distributing Ransom Knight And Remcos

Oct 20, 2023 4:30:11 PM / by PolySwarm Tech Team


Executive Summary

Threat actors affiliated with Qakbot were observed distributing Ransom Knight ransomware and Remcos RAT.

Key Takeaways

  • Threat actors affiliated with Qakbot were observed distributing Ransom Knight ransomware and Remcos RAT.
  • This activity has persisted, despite the law enforcement takedown of Qakbot infrastructure in August.
  • The threat actors used malicious LNK files, likely distributed via phishing emails, to deliver the malware.

The Campaign

Threat actors affiliated with Qakbot were observed distributing Ransom Knight ransomware and Remcos RAT since at least early August 2023. Despite the FBI seizing Qakbot infrastructure in late August, this activity has continued. Cisco Talos recently reported on this activity.

In this campaign, the threat actors used malicious LNK files, likely distributed via phishing emails, to deliver the malware. When the LNK file is launched, it begins the infection chain and deploys Ransom Knight. ZIP archives containing the LNK files were also observed using XLL files to distribute Remcos RAT. Cisco Talos researchers noted the use of file names written in Italian, which may indicate the threat actors intended to target Italian-speaking users.

Attribution of this activity was based on metadata found in LNK files used in the campaign, which matches metadata used in previous Qakbot campaigns. While Qakbot suffered a takedown in August, this campaign seems to indicate that at least part of their infrastructure remains and that the threat actors are not deterred from future campaigns. It remains to be seen whether Qakbot malware itself will rise again.

What is Ransom Knight?

Ransom Knight, based on Cyclops ransomware, is ransomware as a service (RaaS). It has been in the wild since August 2023 and has been advertised on the RAMP forum. Ransom Knight is typically delivered via spearphishing. Windows, Linux, and MacOS encryptor payloads are available. Encrypted files have a .knight, .knightl, or .knight_l extension appended to the file name, and a ransom note is written to each folder containing encrypted files.
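As an added triage example (not code from PolySwarm or Cisco Talos), the script below walks a directory tree and counts, per folder, files whose final appended extension is one of the three Ransom Knight extensions named above. The directory layout it builds is constructed for the demonstration; the ransom note file name is not given in this bulletin, so the script does not try to match it.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the bulletin attributes to Ransom Knight (appended to the original file name).
KNIGHT_EXTENSIONS = {".knight", ".knightl", ".knight_l"}


def is_knight_encrypted(filename: str) -> bool:
    """True if the final extension is one that Ransom Knight appends (case-insensitive)."""
    return Path(filename).suffix.lower() in KNIGHT_EXTENSIONS


def triage_tree(root: str) -> dict:
    """Walk root and return {folder relative to root: number of encrypted files}.
    Folders with no encrypted files are omitted so the result lists impacted locations only."""
    hits = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_knight_encrypted(name):
                hits[os.path.relpath(dirpath, root)] += 1
    return dict(hits)


def build_constructed_sample(root: str) -> None:
    """Create a constructed (fake) layout mimicking a partially encrypted share."""
    layout = [
        "finance/q3.xlsx.knight",
        "finance/notes.txt.knight_l",
        "hr/contract.docx.KNIGHTL",   # mixed case, still a hit
        "hr/readme.txt",              # untouched file
        "shared/knight.txt",          # 'knight' in the name but not an appended extension
        "shared/photo.knight.jpg",    # extension in the middle, not appended: not a hit
    ]
    for rel in layout:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")


def demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return triage_tree(tmp)  # {'finance': 2, 'hr': 1}


if __name__ == "__main__":
    for folder, n in sorted(demo().items()):
        print(f"{folder}: {n} encrypted file(s)")
```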

What is Remcos?

Remcos (Remote Control & Surveillance Software) is a sophisticated backdoor that provides full and persistent remote access to infected machines. While marketed as legitimate surveillance software, it is often used by malicious actors. Remcos is known to use process injection or process hollowing to help evade detection. Remcos is capable of keylogging, capturing screenshots, recording audio, stealing clipboard contents, collecting passwords, and stealing other information. Remcos also allows threat actors to optionally deploy additional payloads.

IOCs

PolySwarm has multiple samples associated with this activity.


You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -t Qakbot

Topics: Threat Bulletin, Qbot, RAT, Remcos RAT, Ransom Knight, Qakbot
