QakBot, a notorious banking trojan that has been around for more than a decade, has recently resurfaced with a new wave of phishing campaigns that target the hospitality industry. The malware is capable of stealing sensitive information, such as banking credentials, passwords, and personal data, from infected devices. It can also deliver additional malware, such as ransomware, to further compromise the security of the victims. This article will explore the return of QakBot malware, its new tactics in phishing campaigns, and the impact on cybersecurity governance.
The Return of QakBot Malware
What is QakBot?
QakBot, also known as Qbot or Pinkslipbot, is a sophisticated banking trojan that was first discovered in 2009. It is designed to steal financial information, such as online banking credentials, credit card numbers, and transaction details, from infected computers. It can also collect other types of information, such as email addresses, passwords, browser history, and cookies. QakBot uses a modular architecture that allows it to update itself and download new features. It can also spread to other devices on the same network by exploiting vulnerabilities or using stolen credentials.
Previous Disruptions
QakBot has been involved in several high-profile cyberattacks over the years. In 2017, it was linked to a massive campaign that infected over 500,000 devices and caused millions of dollars in losses. In 2020, it was used to deliver ProLock and Egregor ransomware to several organizations, including the City of Florence in Alabama and the Kmart retail chain. In 2021, it was observed to be working with Emotet, another notorious banking trojan, to launch coordinated attacks on multiple sectors.
New Tactics in Phishing Campaigns
Targeting the Hospitality Industry
In 2023, QakBot returned with a new series of phishing campaigns targeting the hospitality industry, including hotels, resorts, and restaurants. The attackers use spoofed emails that appear to come from legitimate sources, such as booking platforms, travel agencies, or customers. The emails carry malicious attachments or links presented as invoices, receipts, reservations, or confirmations. Once the user opens the attachment or clicks the link, QakBot is downloaded and executed on the device.
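The lure pattern described above (a partner brand in the display name, a document-themed subject, and an attachment) is something a mail gateway or SOC can score before delivery. The following is an added example, not code from the article or from any vendor it mentions: it parses two constructed messages and flags a display-name/From-domain mismatch, the subject words the article names, and attachment types commonly abused as first-stage loaders. The brand map (KNOWN_BRANDS), the extension list and the scoring rule are assumptions for illustration, not QakBot indicators.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Assumed: partner brands a hotel expects mail from. Key is a fragment found in
# display names, value is the domain that should appear in the real From: address.
KNOWN_BRANDS = {"staybook": "staybook.example", "tripnet": "tripnet.example"}
# Subject lures named in the article.
LURE_WORDS = ("invoice", "receipt", "reservation", "confirmation")
# Assumed: attachment types frequently used to carry a first-stage loader.
RISKY_EXTENSIONS = {".zip", ".iso", ".img", ".one", ".js", ".wsf", ".lnk", ".vbs", ".html"}


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the real From: address ('' if none)."""
    _name, addr = parseaddr(str(from_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message; returns a verdict and the reasons behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_header = str(msg.get("From", ""))
    display_name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    subject = str(msg.get("Subject") or "").lower()
    reasons = []

    # 1. Display name claims a partner brand, but the address domain is not that brand's.
    for fragment, expected in KNOWN_BRANDS.items():
        if fragment in display_name.lower() and not (domain == expected or domain.endswith("." + expected)):
            reasons.append(f"display name '{display_name}' but From domain '{domain}'")

    # 2. Subject reuses the campaign's document lures.
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        reasons.append("lure words in subject: " + ", ".join(hits))

    # 3. Attachment types that often carry the first-stage loader.
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")

    # Assumed scoring: a brand spoof alone, or lure words plus a risky attachment, holds the mail.
    spoof = any(r.startswith("display name") for r in reasons)
    lure_and_attachment = bool(hits) and any(r.startswith("risky attachment") for r in reasons)
    return {"verdict": "quarantine" if (spoof or lure_and_attachment) else "deliver", "reasons": reasons}


# Constructed sample: spoofed "booking platform" sender with a zipped "invoice".
SUSPICIOUS_EML = b"""From: StayBook Reservations <billing@st4ybook-notices.example>
To: frontdesk@hotel.example
Subject: Reservation confirmation and invoice #48213
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the attached invoice for your reservation.
--b1
Content-Type: application/zip; name="invoice_48213.zip"
Content-Disposition: attachment; filename="invoice_48213.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: genuine partner domain and a PDF confirmation.
BENIGN_EML = b"""From: StayBook Reservations <noreply@staybook.example>
To: frontdesk@hotel.example
Subject: Reservation confirmation #48213
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Your guest's reservation is confirmed.
--b2
Content-Type: application/pdf; name="confirmation_48213.pdf"
Content-Disposition: attachment; filename="confirmation_48213.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, triage(sample))
```

The benign message still trips the lure-word check (real confirmations use the same vocabulary), which is why the scoring requires either the domain mismatch or lure words combined with a risky attachment type; subject keywords alone are too noisy for a hotel front desk to act on.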
Capability to Harvest Sensitive Information
QakBot is able to harvest sensitive information from infected devices by using various techniques, such as keylogging, screen capturing, web injection, and form grabbing. It can also monitor the clipboard and steal data that is copied or pasted. The stolen information is then encrypted and sent to the attackers’ command and control servers. The attackers can use the information to conduct fraudulent transactions, identity theft, or blackmail.
Delivery of Additional Malware
QakBot can also deliver additional malware to infected devices through its modular architecture and network propagation capabilities. It can download and execute further malicious payloads that compound the damage: ransomware that encrypts files and demands payment for their decryption, spyware that monitors the users' activities and communications, and rootkits that hide the presence and activities of the malware.
The Impact on Cybersecurity Governance
The resurgence of QakBot malware poses a serious threat to the cybersecurity governance of the hospitality industry. The industry needs to take proactive measures to prevent, detect, and respond to the attacks, as well as comply with the relevant regulations and standards.
Understanding Disclosure Requirements
The hospitality industry needs to understand the disclosure requirements that apply to it in case of a data breach or a cyberattack. Depending on the jurisdiction, it may need to notify the affected customers, the regulators, law enforcement, or the public about the incident. It also needs to follow the guidelines and procedures for reporting the incident, such as the format, the content, the timing, and the frequency of the notifications.
Immediate Reporting Obligations
The hospitality industry needs to fulfill its immediate reporting obligations in case of a data breach or a cyberattack. It needs to report the incident to the relevant authorities as soon as possible, without undue delay. It also needs to provide the information and evidence that support the investigation and mitigation of the incident, such as its scope, impact, cause, and the response taken.
Enhanced Annual Reporting
The hospitality industry needs to enhance its annual reporting on its cybersecurity practices and performance. It needs to disclose its cybersecurity policies, procedures, and controls, as well as its cybersecurity risks, incidents, and outcomes. It also needs to demonstrate compliance with the applicable regulations and standards, such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), or ISO 27001.
Enforcement and Compliance
The hospitality industry needs to be prepared for the enforcement and compliance actions that may follow a data breach or a cyberattack. It may face legal actions, fines, penalties, sanctions, or lawsuits from customers, regulators, law enforcement, or the public. It also needs to implement corrective actions, remediation measures, and improvement plans to address the issues and prevent a recurrence of the incident.