The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigations (FBI) published a Joint Cybersecurity Advisory (CSA) this week to provide guidance to critical infrastructure on specific indicators of compromise (IOCs) for QakBot-related activity. QakBot was originally used as a banking trojan to steal banking credentials. In most cases, QakBot was delivered via a phishing campaign with malicious attachments or links. OakBot has grown to deploy various types of malware, trojans, and ransomware that target multiple government services, including emergency services. This CSA provides several IOCs and mitigation strategies for ECCs to implement.
In accordance with this CSA, ECCs are encouraged to implement mitigation strategies, validate security controls, and report as prescribed. The FBI is seeking any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
This Joint Cybersecurity Advisory is available on the CISA website.