Cybereason researchers identified widespread Qakbot (QBot or Pinkslipbot) campaigns targeting U.S.-based companies. These recent campaigns are the work of the Black Basta ransomware gang.
Since mid-November, the Black Basta gang has been distributing malicious URLs or disk image files through spam and phishing emails. These URLs and files deliver Qakbot, which gives the attackers an initial point of entry and a persistent presence on victims' networks. During the compromise, Cobalt Strike is used to remotely acquire domain administrator rights. As these most recent, modified campaigns show, threat actors are aggressively using Qakbot as access-as-a-service malware.
Such connections between significant threat actors also show that the attackers are actively working to hone their strategies and effectiveness.