Qakbot, the criminal world’s ‘botnet of choice,’ was brought down by a multinational law enforcement operation that also uninstalled the malware from 700,000 computers.
In an August 29 announcement, the US Department of Justice said the operation, led by the FBI, seized and disabled the infrastructure that powered the botnet.
Authorities took possession of $8.6 million in cryptocurrency, which is only a small portion of the total amount extorted from ransomware victims over several years by the gang behind Qakbot.
“Investigators found evidence that, between October 2021 and April 2023, Qakbot administrators received fees equal to approximately $58 million in ransoms paid by victims,” the Justice Department said.
The operation, dubbed “Duck Hunt,” involved law enforcement from France, Germany, the Netherlands, the United Kingdom, Romania and Latvia, as well as the United States.
Qakbot was “one of the most notorious botnets of all time, responsible for massive losses to victims around the world,” said Martin Estrada, U.S. attorney for the Central District of California, where the cryptocurrency seizure warrant was filed.
“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it down,” Estrada said.
In an August 25 research article, ReliaQuest said that QakBot (also known as “QBot”, “QuackBot” and “Pinkslipbot”) was the most observed malware loader, accounting for 30% of all loaders observed in the first seven months of this year.
Check Point also described Qakbot as the most widespread malware in the world and said it impacted 11% of corporate networks worldwide in the first half of 2023.
“Qakbot is particularly delicate: it is a versatile malware, similar to a Swiss army knife. It allows cybercriminals to directly steal data (financial account credentials, payment cards, etc.) from PCs, while also serving as an initial access platform to infect victims’ networks with additional malware and ransomware,” Check Point said.
The malware was used as a primary means of initial infection by a large number of ransomware groups, including Conti, REvil and Black Basta, which demanded ransom payments in Bitcoin.
In a report announcing the takedown, the FBI said Qakbot had caused hundreds of millions of dollars in losses since its creation in 2008.
“This botnet provided cybercriminals like these with a command and control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses around the world,” said FBI Director Christopher Wray.
“Victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”
700,000 computers disconnected
By accessing Qakbot’s infrastructure during the operation, the FBI was able to identify more than 700,000 computers worldwide, including more than 200,000 in the United States, infected with the malware.
“To disrupt the botnet, the FBI was able to redirect traffic from the Qakbot botnet to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware,” the Department of Justice said.
The uninstaller was able to “detach” infected computers from the Qakbot botnet.
Secureworks said in a blog post that it has long maintained visibility into Qakbot’s backend infrastructure. Researchers from its Counter Threat Unit (CTU) observed the August 25 takedown operation, during which the botnet distributed shellcode to infected devices.
“The shellcode unpacks a custom DLL (dynamic link library) executable that contains code that can cleanly terminate the Qakbot process running on the host,” Secureworks said.
“The DLL uses a clever method of sending a QPCMD_BOT_SHUTDOWN instruction through a named pipe that Qakbot uses to send and receive messages between processes on the host.”
Is this the end for Qakbot?
The efforts of the multinational teams and their success in so emphatically eliminating such a major player from the cybercriminal ecosystem have been praised by researchers. But some warned that the demise of such a large botnet would leave a void and opportunity for the group behind QakBot (known as Batbug or Golden Lagoon) to rebuild.
“Batbug has long been one of the largest players in the cybercrime landscape, controlling a lucrative malware distribution network linked to several major ransomware gangs,” Symantec’s Threat Hunter team said in a blog post.
“This dismantling is likely to disrupt Batbug’s operations and it is possible that the group will have difficulty rebuilding its infrastructure afterwards.”
Secureworks said it observed the group’s infrastructure becoming unresponsive following the takedown operation.
“These robust efforts should reduce the number of infected hosts and hinder GOLD LAGOON’s attempts to regain control of the botnet.”
Kimberly Goody, Mandiant’s senior director of financial analytics, said Qakbot has a history of adaptation and evolution.
“Any impact on these operations is welcome as it can cause fractures within the ecosystem and lead to disruptions that push players to forge further partnerships, even if only temporary.”
Another Mandiant executive, Sandra Joyce, vice president of Mandiant Intelligence – Google Cloud, said ransomware is a major security challenge that needs to be taken seriously.
“The foundations of this economic model are solid and this problem is not going away any time soon. Most of the tools we have will not have lasting effects. These groups will recover and come back.”