New variants of Qakbot malware under development

Despite its infrastructure being seized and dismantled in a multinational law enforcement sting in the summer of 2023, the Qakbot malware that some of the world’s most dangerous ransomware crews used as a remote access trojan (RAT) appears to be under active development once more, according to new intelligence from Sophos researchers.

Qakbot, which emerged in the late 2000s, was one of the most well-established and popular tools available to the cyber criminal underground, and was used in many different ways during its lifetime, including as a banking trojan and credential stealer.

Its downfall last year in Operation Duck Hunt saw the US’ FBI gain access to its infrastructure and subvert it to distribute a file to uninstall the malware. Federal agents also seized millions of dollars’ worth of illicit crypto assets.

However, although Operation Duck Hunt was hailed as a great victory, cyber security experts tempered the celebrations, noting that the threat actors behind it were still at large.

Writing in Computer Weekly, Ricado Villadiego, founder and CEO of Lumu Technologies, said: “Botnets like Qbot and Emotet have proven to be resilient before following similar, but smaller, takedown operations and it remains to be seen if this was the killing blow to Qakbot.”

Now, the Sophos X-Ops research team says it has been analysing samples of a new variant of the Qakbot malware that popped up in December 2023.

“The takedown of the Qakbot botnet infrastructure was a victory, but the bot's creators remain free, and someone who has access to Qakbot’s original source code has been experimenting with new builds and testing the waters with these latest variants,” said Sophos X-Ops principal researcher Andrew Brandt.

Among other things, the research team said that Qakbot’s operators were making “concerted efforts” to harden the malware’s encryption, making it harder for defenders and researchers to analyse its source code.

They have also found evidence that the developers are now encrypting all communications between the malware and the command and control (C2) server, using a much stronger method than before, and have reintroduced a feature that prevents Qakbot from running in a virtual environment or sandbox – another technique to defy analysis.

“It’s likely the evolution of Qakbot will continue, until and unless its creators face criminal prosecution. The good news is, for now, these new Qakbot variants are easy to detect and block with previously created signatures in endpoint detection software,” Brandt told Computer Weekly in emailed comments.

Brandt said that although only a few samples of the new Qakbot have so far trickled out, the botnet was so large at one point, and so widely-used, that any activity that suggests somebody might be trying to revive it warrants close surveillance.

The Sophos X-Ops team has published details of their work on the new Qakbot, including a deeper dive into its upgraded encryption capabilities, via Mastodon.