The infrastructure for a malware botnet that has been a plague since 2007 has been dismantled by an FBI-led law enforcement action.
Starting out as a relatively simple banking trojan, Qakbot evolved over the years into a multipurpose and customizable system particularly popular with ransomware operators. The malware botnet was composed of over 700,000 infected computers at the time it was taken down, and is responsible for hundreds of millions of dollars in damages worldwide during its run.
Malware botnet hid on computers without user knowledge
Qakbot (also sometimes called QBot or Pinkslipbot) has a variety of delivery methods, but was primarily spread via emails with malicious links or attachments. The computers that made up the botnet, some 200,000 of which were in the US, were usually infected and operating for long periods of time without the owner ever being aware of it.
By early 2022, Qakbot had settled into a groove of compromising Windows systems by attaching Office documents with malicious macros to emails. The malware botnet took a blow that year when Microsoft started blocking VBA and XL4 macros by default in Office, causing at least two months of very little recorded activity, but it quickly rebounded by shifting to an “HTML smuggling” approach that fetched Windows shortcut (LNK) and container files, among other delivery methods. The operators also started abusing OneNote files when Microsoft clamped down on macros.
The FBI has taken control of the malware botnet’s command-and-control infrastructure, which now serves a removal routine to infected computers when they automatically check in with the Qakbot servers (which the malware does once every one to four minutes). The infected computer receives a notification along with an uninstaller that clears Qakbot from it. However, it is important to note that the level of access Qakbot granted over infected computers made it relatively easy to install additional malware, and the uninstaller will not necessarily remove those added components. Qakbot also has the ability to exfiltrate files and communications from victim computers.
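The one-to-four-minute check-in cadence described above is something defenders can hunt for in their own proxy or firewall logs. The following is an added example, not code from the article or from any of the agencies involved: it groups outbound connections by source and destination and flags pairs whose gaps are short and nearly constant. The log format and all addresses are constructed.

```python
# Added example (not from the article): flag hosts whose outbound connections to a
# single destination recur at a near-fixed short interval, the 1-4 minute check-in
# cadence the article attributes to Qakbot. Log format and values are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_host>:<port>"
SAMPLE_LOG = """\
2023-08-29T10:00:00 10.0.0.5 198.51.100.7:443
2023-08-29T10:02:31 10.0.0.5 198.51.100.7:443
2023-08-29T10:05:10 10.0.0.5 198.51.100.7:443
2023-08-29T10:07:35 10.0.0.5 198.51.100.7:443
2023-08-29T10:10:15 10.0.0.5 198.51.100.7:443
2023-08-29T10:00:10 10.0.0.9 example.org:443
2023-08-29T10:41:50 10.0.0.9 example.org:443
2023-08-29T11:03:12 10.0.0.9 example.org:443
2023-08-29T12:30:00 10.0.0.9 example.org:443
"""

def parse(log_text):
    """Group connection timestamps by (source, destination) pair."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(log_text, min_secs=60, max_secs=240, max_jitter=0.2, min_hits=4):
    """Return (src, dst, mean_gap_seconds) for pairs whose average gap between
    connections lies in [min_secs, max_secs] and whose gaps vary by less than
    max_jitter of that average. Defaults cover the 1-4 minute window."""
    hits = []
    for (src, dst), times in parse(log_text).items():
        if len(times) < min_hits:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if min_secs <= avg <= max_secs and pstdev(gaps) <= max_jitter * avg:
            hits.append((src, dst, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Real implants add jitter and sometimes rotate destinations, so tune max_jitter and group by destination network rather than exact host before relying on this in production.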
The Department of Justice (DOJ) said that the Qakbot infrastructure seizure also included over $8.6 million in cryptocurrency, which will be distributed to the victims it was taken from. This will not make all of the victims whole, as the malware botnet has taken in about $58 million in ransom payments in just the past 18 months. But some recent victims might be able to claw back some or all of the payments they made.
In total, the operation seized 52 servers and is expected to put a permanent end to the malware botnet. However, there are still some loose ends to tie up. The operators remain at large, and the DOJ is offering a $10 million reward for information that identifies them. The FBI also found about 6.5 million login credentials among the group’s resources, though it is not clear where they came from or whether they have been distributed further. The credentials have since been added to Have I Been Pwned.
The operation included actions by Europol and law enforcement agencies in France, Germany, the UK, the Netherlands, Latvia and Romania.
“Operation Duck Hunt” eliminates a favorite ransomware tool
Qakbot has been a go-to malware botnet for many major ransomware groups in recent years, and its disappearance will likely at least throw a wrench into some of these operations. Some security researchers found it was among the most active malware families in the first half of 2023, with dozens of campaigns using it observed per quarter.
Malware botnets are primarily used by ransomware groups as a means to get around automated spam filters when sending out malicious emails, allowing them to send from many different sources until one gets through to a target inbox. They can also be used as a means to repeatedly guess at passwords, circumventing login attempt restrictions on particular IP addresses in a similar way. They generally embed themselves in a legitimate process to hide from virus scanners, and use only a very small portion of the compromised device’s memory at a time so as not to stand out to more careful scrutiny.
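Because a botnet spreads guesses across many source addresses, per-IP lockout rules never fire; the signal lives in the per-account view. The following is an added example (not from the article) showing the detection logic a defender would run over authentication logs: it flags accounts whose failures arrive from many distinct addresses while no single address reaches the lockout threshold. The log format and all values are constructed.

```python
# Added example (not from the article): detect password guessing distributed across
# a botnet, which stays under per-IP lockout limits but shows up as one account
# failing from many sources. Log format and values are constructed.
from collections import Counter, defaultdict

# Constructed auth log lines: "<timestamp> <FAIL|OK> <account> <src_ip>"
SAMPLE_AUTH_LOG = """\
2023-08-29T09:00:01 FAIL alice 203.0.113.10
2023-08-29T09:00:05 FAIL alice 203.0.113.11
2023-08-29T09:00:09 FAIL alice 203.0.113.12
2023-08-29T09:00:14 FAIL alice 203.0.113.13
2023-08-29T09:00:20 FAIL alice 203.0.113.14
2023-08-29T09:00:25 FAIL alice 203.0.113.15
2023-08-29T09:01:00 FAIL bob 198.51.100.4
2023-08-29T09:01:03 FAIL bob 198.51.100.4
2023-08-29T09:01:30 OK bob 198.51.100.4
"""

def failures_by_account(log_text):
    """Map each account to a Counter of failed attempts per source IP."""
    per_account = defaultdict(Counter)
    for line in log_text.splitlines():
        _ts, result, user, src = line.split()
        if result == "FAIL":
            per_account[user][src] += 1
    return per_account

def find_distributed_guessing(log_text, per_ip_lockout=5, min_sources=5):
    """Return (account, total_failures, distinct_sources) for accounts where
    failures came from at least min_sources addresses and no single address
    reached per_ip_lockout, i.e. a per-IP rule alone would have stayed silent."""
    flagged = []
    for user, by_ip in failures_by_account(log_text).items():
        if len(by_ip) >= min_sources and max(by_ip.values()) < per_ip_lockout:
            flagged.append((user, sum(by_ip.values()), len(by_ip)))
    return flagged

if __name__ == "__main__":
    for user, total, sources in find_distributed_guessing(SAMPLE_AUTH_LOG):
        print(f"{user}: {total} failures from {sources} distinct IPs")
```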
US law enforcement is increasingly taking a more direct hand with the neutralization and cleanup of malware botnets. The Qakbot takedown joins the list of a few cases in which the FBI obtained court approval to automatically intercept the communications of compromised devices and clear the malware from them without the owner necessarily being aware of what has happened. This was also done with the takedown of Emotet in early 2021, as well as the Russian Snake malware earlier this year and the automatic patching of Microsoft Exchange servers to cut off ProxyLogon attacks.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, notes that these operations are a phenomenon that was not as viable to coordinate until recently: “I applaud the FBI and its partners across the globe. Wonderful news! These sorts of takedowns used to be fairly rare, but are becoming more common over time. It’s no small feat to coordinate an international takedown. It takes lots of technical and legal talent.”
“It was great to hear that the FBI had taken over at least one of the criminal servers and used it to redirect exploited nodes to a safer server where the FBI tried to automatically uninstall Qakbot on impacted computers. This sort of proactive cleaning up used to be rare and often contested, even by many cybersecurity experts. If not done correctly, the removal could go badly wrong. There have been many instances, before the FBI got involved, where well-meaning people trying to do proactive clean-up made the situation worse. But the FBI and its technical partners appear to be doing the clean-up right, with minimal legitimate operational impact. I’m glad the FBI and its partners have decided proactive cleanup was worth the risk. It improves not only the exploited people and organizations who have Qakbot installed, but the next innocent victims,” added Grimes.
But Max Gannon, Senior Cyber Threat Intelligence Analyst for Cofense, takes a more pessimistic view of the ultimate outcome of this operation: “This was a major step for the FBI and Justice Department to take, and I certainly think it will have a significant impact on the threat actors behind QakBot. While this action was able to protect a huge number of victims that were already infected, it was not paired with arrests, which is what most often leads to threat actors ceasing or at least temporarily halting operations. Because it was not paired with arrests, I do not believe this will be the end of QakBot, or at the very least it won’t be the end of the threat actors behind QakBot. Because of the huge blow to the botnet’s infrastructure, I expect that the threat actors will either take a very long time to return or they will pivot to other existing botnet projects.”