
Emotet Botnet Now Distributes QakBot Banker

Recently we wrote that the Emotet botnet, which had shown no “signs of life” since February 2020, has returned to work with a new spam campaign. It is now distributing the QakBot banking trojan.

Watching the newly revived malware, cybersecurity experts report that the botnet has changed its main payload and is now spreading the QakBot banking trojan (QBot), which has replaced the botnet's usual payload, TrickBot.

The first changes were discovered by members of Cryptolaemus, a group of independent researchers who have closely monitored the botnet's activity for several years and tried to counter it.

“It is not yet clear what exactly QakBot is delivering to infected systems, but it is already known that this may lead to some users becoming victims of ransomware, in particular the ProLock ransomware”, write the Cryptolaemus researchers.

Experts write that TrickBot has completely disappeared, and the payload has been replaced by QakBot in all “epochs” of the malware: Epoch 1, Epoch 2 and Epoch 3.

Let me remind you that researchers use this term to refer to individual clusters of the botnet's infrastructure, each of which has its own command and control servers and uses its own distribution methods and payloads.

BleepingComputer reporters write that security experts have already studied the new payload using Any.Run. The results of the analysis are available here, and the addresses of the command and control servers can be found here.

Additional analysis by Intel 471 experts showed that QBot uses the string “partner01” to identify this campaign.

According to experts, this indicates a close relationship between Emotet and the developers of this malware.

“Emotet Update – We are detecting QBot being dropped by Emotet infections on all epochs instead of Trickbot gtag Mor today. @Intel471Inc identified the campaign_id on this QBot as “partner01” which is interesting because in the past we have seen the hhh series”, write Cryptolaemus representatives on Twitter.

However, Cryptolaemus analysts note that Emotet's payloads have changed before, and most likely the original Emotet-TrickBot tandem will return to service soon. The researchers call TrickBot and QakBot Emotet's preferred partners, since all three groups are part of the same Russian-speaking community and have a long history of cooperation with each other.

Let me remind you that Check Point researchers noted that Emotet was the most active organization in 2019.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
