FBI-Led Global Effort Takes Down Massive Qakbot Botnet


A multinational action called Operation “Duck Hunt” — led by the FBI, the Department of Justice, the National Cybersecurity Alliance, Europol, and crime officials in France, Germany, the Netherlands, Romania, Latvia and the U.K. — was able to gain access to the Qakbot network and shut down the malicious botnet, which has affected 700,000 computers worldwide.


Qakbot nets nearly $58 million in ransom in just 18 months

Over the course of its more than 15-year campaign, Qakbot (aka Qbot and Pinkslipbot) has launched some 40 worldwide ransomware attacks focused on companies, governments and healthcare operations, affecting some 700,000 computers. Qakbot, like almost all ransomware attacks, hit victims through spam emails with malicious links, according to the Justice Department. The DOJ noted that over just the past year and a half, Qakbot has caused nearly $58 million in damages. As part of the action against Qakbot, the DOJ seized approximately $8.6 million in cryptocurrency in illicit profits (here’s the department’s seizure warrant).

According to the DOJ, the action represented the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud and other cyber-enabled criminal activities.

“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” said Attorney General Merrick B. Garland in a statement.

SEE: LockBit, Cl0P expand ransomware efforts (TechRepublic)

FBI Director Christopher Wray said on the FBI’s website that the victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.

FBI injects computers with uninstaller file to dislodge Qakbot

The FBI said that, as part of the operation, it gained access to Qakbot’s infrastructure and identified hundreds of thousands of infected computers worldwide, including more than 200,000 in the U.S. As part of the action, the Bureau redirected Qakbot traffic to its own servers, which instructed infected computers to download an uninstaller file. The uninstaller was able to unshackle infected computers from the botnet and halt any other malware from being installed on affected computers.

Richard Suls, security and risk management consultant at cybersecurity firm WithSecure, said the FBI's approach, taking over Qakbot's control servers and using software built by law enforcement to remove Qakbot from infected computers, was novel.

“This has not been documented previously, and it’s a great step in the right direction,” he said. “Typically, when a botnet is taken down, the Command and Control servers are taken offline and sinkholed, which means traffic is redirected to ‘the good guys’ for analysis, intelligence gathering and to help victims.” He said a good example of this approach was the sinkholing of the Conficker worm.

The DOJ said it received technical assistance from Zscaler and that the FBI partnered with the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber-Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation.

Qakbot linked to cybercrime group Batbug

The Qakbot botnet is operated by a cybercrime group that Symantec calls Batbug, which the software company said controls a lucrative malware distribution network linked to a number of major ransomware groups. According to the DOJ, these ransomware groups include Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta.

SEE: Anonymous Sudan attacks European investment infrastructure (TechRepublic)

“This takedown is likely to disrupt Batbug’s operations, and it is possible that the group may struggle to rebuild its infrastructure in its aftermath,” said Symantec’s threat hunter team in a blog. The authors pointed out that Qakbot emerged initially as a Trojan aimed at financial institutions and became known for its functionality and adaptability.

“For example, once it infected one machine in an organization, it was able to spread laterally across networks utilizing a worm-like functionality through brute-forcing network shares and Active Directory user group accounts, or via server message block (SMB) exploitation,” the Symantec team wrote.
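The worm-like spread Symantec describes, brute-forcing network shares and Active Directory accounts, leaves a recognisable trail in Windows security logs: bursts of failed network logons (event ID 4625, logon type 3) from one source host, either against one account or sprayed across many. The following is an added example, not code from the article, Symantec or the operation, showing how a defender can flag that pattern with a sliding window over constructed sample events. The log line format, the threshold and the window are assumptions chosen for the illustration.

```python
"""
Added example: detect burst failed-network-logon activity (the footprint of
share/account brute-forcing) in constructed Windows security event lines.
Event ID 4625 = "An account failed to log on"; logon type 3 = network logon,
which is what SMB share access produces. Line format, threshold and window
are assumptions for this example, not a vendor or FBI format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures from one source within WINDOW
WINDOW = timedelta(minutes=2)  # sliding window length

# Constructed sample log lines: "<ISO time> <event id> LogonType=<n> Src=<ip> Target=<user>"
SAMPLE_LOG = [
    # 10.0.0.7: six failures against six accounts in six seconds -> password spray
    "2023-05-02T10:00:00 4625 LogonType=3 Src=10.0.0.7 Target=alice",
    "2023-05-02T10:00:01 4625 LogonType=3 Src=10.0.0.7 Target=bob",
    "2023-05-02T10:00:02 4625 LogonType=3 Src=10.0.0.7 Target=carol",
    "2023-05-02T10:00:03 4625 LogonType=3 Src=10.0.0.7 Target=dave",
    "2023-05-02T10:00:04 4625 LogonType=3 Src=10.0.0.7 Target=erin",
    "2023-05-02T10:00:05 4625 LogonType=3 Src=10.0.0.7 Target=frank",
    # 10.0.0.11: five failures against one service account within a minute
    "2023-05-02T10:03:00 4625 LogonType=3 Src=10.0.0.11 Target=svc_backup",
    "2023-05-02T10:03:10 4625 LogonType=3 Src=10.0.0.11 Target=svc_backup",
    "2023-05-02T10:03:20 4625 LogonType=3 Src=10.0.0.11 Target=svc_backup",
    "2023-05-02T10:03:30 4625 LogonType=3 Src=10.0.0.11 Target=svc_backup",
    "2023-05-02T10:03:40 4625 LogonType=3 Src=10.0.0.11 Target=svc_backup",
    # 10.0.0.9: five failures spread over ten minutes -> below rate, no alert
    "2023-05-02T10:00:00 4625 LogonType=3 Src=10.0.0.9 Target=alice",
    "2023-05-02T10:02:30 4625 LogonType=3 Src=10.0.0.9 Target=alice",
    "2023-05-02T10:05:00 4625 LogonType=3 Src=10.0.0.9 Target=alice",
    "2023-05-02T10:07:30 4625 LogonType=3 Src=10.0.0.9 Target=alice",
    "2023-05-02T10:10:00 4625 LogonType=3 Src=10.0.0.9 Target=alice",
    # a successful logon (4624) and an interactive failure (type 2) are ignored
    "2023-05-02T10:00:06 4624 LogonType=3 Src=10.0.0.7 Target=alice",
    "2023-05-02T10:00:07 4625 LogonType=2 Src=10.0.0.7 Target=alice",
]


def parse(line):
    """Turn one constructed log line into a dict with typed fields."""
    ts, eid, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(eid),
        "logon_type": int(kv["LogonType"]),
        "src": kv["Src"],
        "target": kv["Target"],
    }


def detect_bruteforce(events):
    """Return one alert per source host whose network logon failures reach
    THRESHOLD inside any WINDOW; classify as spray (many targets) or single-account."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            failures[e["src"]].append(e)

    alerts = []
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in WINDOW
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= THRESHOLD:
                targets = {x["target"] for x in evs[start:end + 1]}
                alerts.append({
                    "src": src,
                    "count": count,
                    "distinct_targets": len(targets),
                    "pattern": "spray" if len(targets) > 1 else "single-account",
                    "first_seen": evs[start]["ts"].isoformat(),
                })
                break  # one alert per source is enough for this illustration
    return alerts


def run_sample():
    return detect_bruteforce([parse(l) for l in SAMPLE_LOG])


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The sliding window matters: the same five failures spread over ten minutes (10.0.0.9 above) never trip the rule, while the same count inside two minutes does, which keeps ordinary mistyped passwords out of the alert queue. In production the equivalent logic would run over forwarded 4625 events from domain controllers and file servers rather than constructed lines.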

Surge in activity starting in January 2023 linked to OneNote

The Symantec researchers noted a surge in Qakbot activity from the beginning of 2023 through June, a period during which the botnet began using Microsoft OneNote attachments to drop Qakbot on infected machines. OneNote, the Symantec authors pointed out, is installed by default with Microsoft Office/365. “Even if a Windows user does not typically use the application, it is still available to open the file format,” they wrote.

The authors of the Symantec blog also said the Qakbot emails contained an embedded URL that led to a ZIP archive containing the malicious OneNote file. When victims clicked on the file, they inadvertently executed an HTML application file, which downloaded a Qakbot DLL, disguised as a .png file, to the victim’s computer. Symantec’s researchers added that this kill chain later disappeared, with the attackers switching to PDF documents that led to URLs hosting malicious ZIP archives containing JavaScript downloaders.
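Both delivery chains Symantec describes share two observable traits a mail gateway or endpoint sensor can check statically: a ZIP archive that carries an executable-type member (OneNote, HTML application or JavaScript) and a file whose name says .png while its header says Windows executable. The following is an added example, not code from the article, Symantec or the operation; it builds constructed samples in memory, so the file names, contents and the list of member extensions are assumptions for the illustration.

```python
"""
Added example: static triage of downloaded artefacts for the two traits the
article describes, (1) a ZIP archive containing a OneNote/HTA/JavaScript member
and (2) a ".png" whose bytes start with the Windows PE "MZ" header.
All samples are constructed in memory; nothing here is a real Qakbot artefact.
"""
import io
import os
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG header
PE_MAGIC = b"MZ"                   # DOS/PE executable header (EXE and DLL)
ZIP_MAGIC = b"PK\x03\x04"          # local file header of a ZIP archive

# Member extensions worth a second look when they arrive inside an archive
# from e-mail or a download link (assumption: list chosen from the chains in
# the article, not a vendor list).
SUSPICIOUS_MEMBER_EXTS = {".one", ".hta", ".js", ".wsf", ".lnk"}


def sniff(data: bytes) -> str:
    """Classify content by leading bytes, ignoring the file name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name claims an image but the bytes are a PE file."""
    ext = os.path.splitext(name)[1].lower()
    return ext == ".png" and sniff(data) == "pe"


def suspicious_archive_members(data: bytes):
    """List archive members with an extension from SUSPICIOUS_MEMBER_EXTS."""
    if sniff(data) != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if os.path.splitext(n)[1].lower() in SUSPICIOUS_MEMBER_EXTS]


def triage(name: str, data: bytes):
    """Return a list of finding tags for one file; empty means nothing flagged."""
    findings = []
    if extension_mismatch(name, data):
        findings.append("pe-disguised-as-png")
    members = suspicious_archive_members(data)
    if members:
        findings.append("archive-contains:" + ",".join(sorted(members)))
    return findings


def build_samples():
    """Constructed inputs: a ZIP with a .one member, a fake PNG, a real PNG stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.one", b"placeholder, not a real OneNote file")
    fake_png = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00"   # PE-looking bytes, inert
    real_png = PNG_MAGIC + b"\x00" * 16                   # PNG header only
    return {"invoice.zip": buf.getvalue(), "image.png": fake_png, "logo.png": real_png}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, triage(name, data))
```

The check deliberately trusts bytes over names: the OneNote-to-HTA step and the .png-named DLL both rely on a reader or a filter believing the extension. A production version would also look inside the OneNote file for embedded objects, but the magic-byte mismatch alone catches the final stage of the chain the article describes.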

Paul Brucciani, an advisor at WithSecure, said the action appears to reflect the FBI’s U.S. National Cybersecurity Strategy, announced in March 2023, specifically around sharing threat intelligence between governments and the private sector; using military, cyber, diplomatic and other capabilities against threat actors; and deterring attacks by making it more costly to attack systems than to defend them.

Qakbot: Gone but not for long?

Will Qakbot reappear after some retooling to sidestep new defenses? Suls of WithSecure said it could happen. “The creators of these botnets are often highly skilled (sometimes nation states and/or APTs) and to that effect, we have seen botnets return from the grave, often with modifications,” he said, pointing to Kelihos, which was sinkholed in September 2011 and returned in January 2012 as a new version.

“One way we’ve seen botnets reconfigured and resurrected is when their source code is leaked,” said Suls. “For instance, the Zbot malware, whose source code hit the internet, allowing multiple actors the ability to view, update and use the base code for their own botnets. There is no doubt in my mind that botnet code is available for purchase in the darker corners of the internet.”

Jess Parnell, vice president of security operations at threat intelligence firm Centripetal, said the success of Qakbot proves the weakest link is the least sophisticated.

“Some might think that a simple spam email or SMS message is harmless, but as we are constantly seeing, organizations all over the globe are getting hit daily by major cyberattacks that are oftentimes disguised as something else,” he said. “By staying informed, proactive and collaborative, organizations can significantly reduce their risk of falling victim to cyberattacks.”
