QakBot malware reappears post law enforcement takedown.

Low-volume phishing campaign started targeting hospitality on Dec 11, 2023.

Attack involves a PDF from a fake IRS employee with a malicious URL.

URL downloads a digitally signed Windows Installer (.msi) leading to QakBot execution.

QakBot payload configured with a new version, 0x500, not seen before.

Resurfaced QakBot is a 64-bit binary using AES for network encryption.

Sends POST requests to the path /teorema505.

QakBot traditionally distributed via spam emails, capable of data harvesting.

Similar to Emotet, QakBot's return emphasizes the resilience of such threats.

Organizations urged to be cautious against spam emails associated with QakBot.
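
A hunting sketch for the two network-visible behaviours reported above, the .msi download and the POST to /teorema505. This is an added example, not code from the original report. The log format, the 24-hour correlation window, and all sample hosts and addresses are constructed assumptions, and it presumes the proxy records the full URL path.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

C2_PATH = "/teorema505"        # POST path reported on this page
WINDOW = timedelta(hours=24)   # assumption: correlation window, tune locally

# Constructed sample proxy log: "<ISO time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2023-12-11T09:14:02 10.0.5.21 GET http://files.example.test/docs/GuestList.msi 200
2023-12-11T09:16:40 10.0.5.21 POST https://203.0.113.7/teorema505 200
2023-12-11T10:02:11 10.0.5.34 GET http://update.example.test/agent.msi 200
2023-12-11T11:30:05 10.0.5.40 POST https://198.51.100.9/teorema505 200
2023-12-11T11:31:00 10.0.5.41 GET https://blog.example.test/teorema505 200
not a log line
"""

def parse(line):
    """Return (time, client, method, url_path) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, _status = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return when, client, method.upper(), urlsplit(url).path

def hunt(log_text):
    """Flag clients that POST to C2_PATH; 'high' if an .msi download preceded it."""
    msi_seen = {}   # client -> time of most recent .msi download
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        when, client, method, path = rec
        if method == "GET" and path.lower().endswith(".msi"):
            msi_seen[client] = when
        elif method == "POST" and path.rstrip("/") == C2_PATH:
            prior = msi_seen.get(client)
            correlated = prior is not None and timedelta(0) <= when - prior <= WINDOW
            findings.append((client, "high" if correlated else "medium"))
    return findings

if __name__ == "__main__":
    for client, level in hunt(SAMPLE_LOG):
        print(client, level)
```

An .msi download alone is not flagged, since installers are routine traffic; it only raises the confidence of a later POST to the reported path from the same client.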