News

Emotet Botnet Now Distributes QakBot Banker

Recently we wrote that the Emotet botnet, which had not shown “signs of life” since February 2020, has returned to work with a new spam campaign. Now it distributes information about QakBot banker.

Watching the newly revived malware, cybersecurity experts report that the botnet has changed its core load and is now spreading the QakBot banking trojan (QBot), which has replaced the regular botnet TrickBot.

Members of the group of independent researchers Cryptolaemus, who for several years closely monitored the activity of the botnet and tried to counter it, discovered the first changes.

“It is not yet clear what exactly QakBot is delivering to infected systems, but it is already known that this may lead to the fact that some users will become victims of ransomware, in particular, ProLock ransomware”, — write Cryptolemus researchers.

Experts write that TrickBot has completely disappeared, and the payload has been replaced by QakBot in all “epochs” of malware: Epoch 1, Epoch 2 and Epoch 3.

Let me remind you that this term is used by researchers to refer to individual clusters of botnet infrastructure, each of which has its own management servers, uses its own distribution methods and payloads.

BleepingComputer reporters write that security experts have already studied the new payload using Any.Run. Results of the analysis are available here, and the addresses of the command and control servers can be found here.

Additional analysis by Intel 471 experts showed that QBot uses the string “partner01” to identify this campaign.

According to experts, this indicates a close relationship between Emotet and the developers of this malware.

“Emotet Update – We are detecting QBot being dropped by Emotet infections on all epochs instead of Trickbot gtag Mor today. @Intel471Inc identified the campaign_id on this QBot as “partner01” which is interesting because in the past we have seen the hhh series”, — write Cryptolaemus representatives in Twitter.

However, Cryptolaemus analysts note that Emotet payloads have changed before, and most likely, the original Emotet-TrickBot tandem will also return to service soon. Researchers call TrickBot and QakBot the preferred partners for Emotet, since all three groups are part of the same Russian-speaking community and have long history of cooperation with each other.

Let me remind you that Check Point researchers noted that Emotet was the most active organization in 2019.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

20 hours ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

20 hours ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

20 hours ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

20 hours ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

20 hours ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

20 hours ago