Qakbot forced offline, but history suggests it probably won’t be forever
The Federal Bureau of Investigation (FBI) has announced the successful takedown of the Qakbot botnet, an international malware operation that had run for over a decade.
Through a joint international effort known as Operation Duck Hunt, law enforcement agencies severely disrupted the Qakbot operations and recovered thousands of affected devices by wiping Qakbot malware.
Law enforcement gained access to Qakbot’s infrastructure via lawful means and set about identifying the scale of the malware operation. The FBI found evidence of at least 700,000 affected devices total, with 200,000 of these based within the US.
In order to execute Operation Duck Hunt, the FBI collaborated with international partners in the UK, France, Germany, Latvia, the Netherlands, and Romania.
In the UK, the National Crime Agency (NCA) temporarily shut down Qakbot’s servers, and further activity on the part of international law enforcement agencies ensured that Qakbot contributors could not access servers while the FBI was taking control of the threat group’s infrastructure.
Law enforcement also partnered with a number of organisations to notify Qakbot victims and begin the remediation process, including Zscaler, Microsoft Digital Crimes Unit, Shadowserver, and credential theft-checking website Have I Been Pwned.
“The FBI led a worldwide joint, sequenced operation that crippled one of the longest-running cyber criminal botnets,” said Christopher Wray, director at the FBI.
“With our federal and international partners, we will continue to systematically target every part of cyber criminal organisations, their facilitators, and their money – including by disrupting and dismantling their ability to use illicit infrastructure to attack us.
“Today’s success is yet another demonstration of how FBI’s capabilities and strategy are hitting cyber criminals hard, and making the American people safer.”
The permanence of the latest disruption to Qakbot remains to be established. Looking at similar cases from recent years would suggest that there is a good chance Qakbot may return to some degree later down the line.
A joint operation to take down Trickbot took place in 2020 but the botnet returned less than a year later with a new strain that could establish greater persistence.
Similarly, Emotet is arguably the most well-known botnet of the modern era and attempts to dismantle it also proved to be merely temporary.
The efforts to bring down Emotet were led by Europol in 2020 and 2021 but even when the takedown was announced, experts at the time were skeptical about whether the botnet was shuttered for good.
Again, less than a year after the takedown, the botnet returned and its infrastructure spread rapidly.
Over the course of the following year, and after a four-month break, Emotet re-established itself as one of the most pervasive malware strains in the cyber security landscape, attacking hundreds of thousands of users every day.
What is Qakbot and how has it been taken offline?
Qakbot, also known as Pinkslipbot, has been a particular thorn in the side of security teams for many years. Believed to originate in Russia and operated by the group known as Gold Lagoon, the malware began as a banking Trojan and was first detected in the late 2000s targeting banking systems.
In the years since, the malware has evolved and become a dynamic threat to enterprises, becoming known for its lateral attack capabilities and for always reemerging. Ransomware operators such as REvil and LockBit have used Qakbot to spread their respective strains.
The main infection vector for Qakbot is email phishing, which is still the most common way for attacks to start out, after which point it can deploy a range of malicious programs.
“Qakbot is especially tricky: It is a multipurpose malware, akin to a Swiss army knife,” wrote Check Point Software in 2020.
“It allows cyber criminals to directly steal data – credentials to financial accounts, payment cards, etc. – from PCs, while also serving as an initial access platform to infect victims’ networks with additional malware and ransomware.”
In 2021, SOS Intelligence found that infected Microsoft Exchange Servers were distributing Qakbot as a loader for ransomware payloads.
Botnets are networks of compromised devices used to automate tasks or the distribution of software. They are widely used by threat actors for malicious activity, in the form of vast networks of infected devices that spread malware to further devices. Victims often do not know that they have even been compromised.
Through Operation Duck Hunt, the FBI gained access to Qakbot infrastructure and rerouted traffic to specialized FBI servers.
This effectively replaced the command and control (C2) servers within the botnet, used to send malicious instructions to all other instances of Qakbot, and prevented threat actors from regaining C2 control.
The FBI then distributed a custom payload via these seized instances to infected devices across the international botnet, which contained the code for a tool used to permanently delete Qakbot malware.
In addition to uninstalling Qakbot from affected devices, the tool also acted as a final instruction from the C2 and subsequently disconnected devices from the botnet altogether. It is hoped that this will set Qakbot operatives back to square one.
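The takeover described above (replacing the C2 servers the bots poll, then issuing an uninstall as the final instruction) can be modelled in a few lines. The following is an added, deliberately simplified simulation written for this article; it is not FBI tooling and does not reproduce Qakbot's real protocol. The hostnames, command names and the "infection" state are all constructed. The model also shows the case that remediation partners such as Shadowserver and Have I Been Pwned exist for: a device that was offline during the takeover window never receives the uninstall order and stays infected until someone tells its owner.

```python
"""Toy model of a command-and-control (C2) sinkhole takedown.

Added illustration, not real takedown code. Hostnames and commands
are constructed; no real Qakbot protocol details are used.
"""
from dataclasses import dataclass, field

ORIGINAL_C2 = "c2.example.invalid"  # constructed name the bots are hardcoded to poll


@dataclass
class Resolver:
    """Stands in for DNS/routing: maps a C2 name to whichever server answers it.

    Seizing the infrastructure is modelled by swapping the table entry."""
    table: dict = field(default_factory=dict)

    def resolve(self, name):
        return self.table.get(name)


class CriminalC2:
    """The operators' server: keeps bots enrolled with a no-op command."""

    def handle(self, beacon):
        return {"cmd": "noop"}


class Sinkhole:
    """Seized infrastructure: every beacon is answered with a final uninstall."""

    def __init__(self):
        self.seen = []  # bot ids observed, the basis for victim notification

    def handle(self, beacon):
        self.seen.append(beacon["bot_id"])
        return {"cmd": "uninstall"}


@dataclass
class InfectedHost:
    """Minimal bot model: it only understands 'noop' and 'uninstall'."""
    bot_id: str
    persistence_installed: bool = True
    enrolled: bool = True

    def beacon(self, resolver):
        if not self.enrolled:
            return None  # already disconnected from the botnet
        server = resolver.resolve(ORIGINAL_C2)
        if server is None:
            return None  # C2 unreachable: bot stays infected and keeps retrying
        reply = server.handle({"bot_id": self.bot_id})
        if reply["cmd"] == "uninstall":
            # The final instruction: remove persistence and leave the botnet.
            self.persistence_installed = False
            self.enrolled = False
        return reply["cmd"]


def run_takedown(hosts_online, hosts_offline):
    """Simulate the takeover window and report what it achieved.

    hosts_online beacon during the window; hosts_offline do not."""
    resolver = Resolver({ORIGINAL_C2: CriminalC2()})
    before = [h.beacon(resolver) for h in hosts_online]  # all 'noop'

    sink = Sinkhole()
    resolver.table[ORIGINAL_C2] = sink  # C2 replaced by law enforcement
    during = [h.beacon(resolver) for h in hosts_online]  # all 'uninstall'

    cleaned = sum(1 for h in hosts_online if not h.enrolled)
    still_infected = sum(1 for h in hosts_offline if h.enrolled)
    return {
        "commands_before": before,
        "commands_during": during,
        "cleaned": cleaned,
        "still_infected": still_infected,
        "notify_list": list(sink.seen),
    }


if __name__ == "__main__":
    online = [InfectedHost(f"bot-{i}") for i in range(3)]
    offline = [InfectedHost("bot-offline")]
    print(run_takedown(online, offline))
```

The point of the model is the asymmetry in the last two counters: the sinkhole can only remediate devices that actually reach it, and the list of ids it saw is what feeds victim notification for everything else.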
A similar tool named Perseus was recently used by the NSA, FBI, and CISA to take down the Russian-linked Snake malware operation.
Dismantling botnets can take months or even years, as their scale and complexity necessitate the cooperation of dozens of international agencies. If the FBI had been unable to rely on UK and European partners to shut down regional Qakbot instances, Operation Duck Hunt may have failed entirely.
Unlike some ethical hackers, law enforcement agencies cannot access a victim’s device without legal authority; they require specific warrants.
The US Department of Justice (DoJ) stated that $8.6 million in illegitimate profits had been seized through the campaign, of a total $58 million paid by victims since October 2021.
© Future Publishing