
Qakbot Malware Botnet Operators Continue Spam Campaigns Despite Infrastructure Seizure by International Law Enforcement

The long-running Qakbot malware botnet was disrupted by international law enforcement action in August, but its operators appear to retain some capability and are continuing to run spam email campaigns that attempt to deliver ransomware.

Security analysts now believe that while the malware botnet's command-and-control servers were seized by law enforcement, the spam delivery infrastructure remains intact and the operators are forging ahead with a Ransom Knight ransomware campaign that began just before the seizure. This implies that they could rebuild the Qakbot infrastructure by accumulating a new collection of compromised devices, which makes identifying and arresting the group's core members all the more crucial.

Malware botnet takes heavy blow, but threat remains

There is no disputing that the Qakbot malware botnet was crippled in August, but news of its death may have been premature. The current campaign, which delivers the Ransom Knight ransomware together with the Remcos backdoor via phishing emails, was first spotted in early August, before the law enforcement action got underway, and has continued to the present. The operators therefore must still control, at minimum, the infrastructure needed to send the emails and host the malware.

At its peak the malware botnet comprised at least 700,000 compromised devices around the world, and was one of the oldest and longest-running (having been in operation since 2007). While core infrastructure was seized during the course of the August operation, the owners and operators were not identified or arrested. This naturally raised concerns that they would start over with a new malware botnet, simply compromising new devices to build it.

The campaign has been linked to the Qakbot operators through their continued use of malicious LNK (Windows shortcut) files that are named and formatted in the same manner as those previously associated with Qakbot. These include a dozen or so file names crafted to look like part of some urgent financial matter, such as an invoice or a bank transfer request. About half of them are in Italian, suggesting a regional focus for the malware botnet's recent activity. The LNK files are packed in a ZIP archive that also contains the Remcos backdoor disguised as a legitimate Excel XLL add-in.
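The packaging described above, a ZIP containing finance-themed shortcut files alongside an Excel add-in that is really a PE executable, is something a mail gateway or triage script can check for. The following is an added example written for this article, not code from Cisco Talos, the FBI or any vendor report: it inspects an in-memory ZIP, flags shortcut entries (by extension or by the Shell Link header, so renamed ones are caught too), double extensions such as `Invoice.pdf.lnk`, finance-themed names in English and Italian, and XLL entries that carry a PE header. The keyword list, the sample archives and the "shortcut plus XLL" rule are constructed for the example and are not published indicators.

```python
import io
import zipfile

# Lure keywords in English and Italian (the article notes about half the
# observed names were Italian). Constructed for this example, not a
# published indicator list.
FINANCE_KEYWORDS = (
    "invoice", "fattura", "payment", "pagamento", "transfer", "bonifico",
    "bank", "banca", "urgent", "urgente", "receipt", "ricevuta", "wire",
)

# First 8 bytes of a Windows Shell Link: HeaderSize 0x4C followed by the
# start of the fixed LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
# An Excel XLL add-in is a PE DLL, so its contents start with "MZ".
PE_MAGIC = b"MZ"


def triage_archive(zip_bytes: bytes) -> dict:
    """Inspect an in-memory ZIP and return indicators relevant to this lure.

    'suspicious' is set when a shortcut and a PE-backed XLL travel together,
    which is the pairing the article describes. This is an example heuristic
    for triage, not a vendor signature.
    """
    result = {"lnk": [], "double_ext": [], "lure_names": [], "xll_pe": [], "entries": 0}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result["entries"] += 1
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for both magic checks
            # Shortcut by extension or by header (catches renamed .lnk files).
            if ext == "lnk" or head.startswith(LNK_MAGIC):
                result["lnk"].append(base)
                if len(parts) > 2:  # e.g. 'Invoice.pdf.lnk'
                    result["double_ext"].append(base)
            # An "add-in" that is actually a PE image.
            if ext == "xll" and head.startswith(PE_MAGIC):
                result["xll_pe"].append(base)
            if any(k in base.lower() for k in FINANCE_KEYWORDS):
                result["lure_names"].append(base)
    result["suspicious"] = bool(result["lnk"]) and bool(result["xll_pe"])
    return result


def build_sample_zip(malicious: bool) -> bytes:
    """Constructed sample archives for the demo; not real campaign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            # Italian finance lure with a double extension; body is just a
            # Shell Link header plus padding (hypothetical name).
            zf.writestr("Fattura_Urgente_0459.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
            # "Excel add-in" that is really a PE image (DOS header stub only).
            zf.writestr("msxlsaddin.xll", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
        else:
            zf.writestr("Q3_report.xlsx", b"PK\x03\x04" + b"\x00" * 26)
            zf.writestr("readme.txt", b"Quarterly figures attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        r = triage_archive(build_sample_zip(flag))
        print(label, "suspicious" if r["suspicious"] else "clean", r)
```

Checking the Shell Link header rather than trusting the extension matters because an attacker controls the file name; checking that the XLL starts with a PE header matters because a genuine add-in is also a DLL, so the presence of an XLL in an emailed archive is itself the signal worth escalating, not its contents.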

It does appear that the "malware" part of the malware botnet has been seriously disrupted, however. The attackers are not using the malware previously associated with Qakbot; instead they appear to have become affiliates of the Cyclops ransomware-as-a-service operation, which now distributes its ransomware under the Knight (Ransom Knight) name. The group has also been spotted distributing RedLine malware very recently.

QBot/PinkSlipBot trojan likely still available in the wild

Though the malware botnet has been hobbled, security experts believe that the Qakbot loader itself (also tracked as Qbot and Pinkslipbot) is still circulating and that at least some of the ransomware infrastructure could still be intact. The international law enforcement action seized 52 servers in total, along with about $8.6 million in cryptocurrency that is in the process of being returned to victims, and at the time the FBI stated that it believed the malware botnet had been permanently dismantled.

Security experts have been expressing skepticism ever since that announcement, primarily because the main operators were not identified and caught. The general expectation is that the existing malware will be altered for a new campaign, possibly under a new brand, given that the FBI is now redirecting traffic from infected Qakbot hosts to a controlled server that pushes an uninstall program to them.

Malware botnet takedowns are not always permanent, and two recent examples likely informed the cybersecurity community's skepticism. One is Emotet: the botnet, whose operators were based in Ukraine, ran from 2014 until it was taken down in January 2021 in a Europol-coordinated operation in which German and Ukrainian authorities took part, yet by November 2022 it was back to its normal volume of attacks and had added new capabilities. A similar story unfolded with Trickbot after Microsoft obtained a court order in 2020 to sever its command-and-control IP addresses. The botnet roared back in 2021 as a favored tool of the Conti ransomware group and remained in use into 2022.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, notes that the only sure defense against malware botnets is for people to not bite on phishing emails in the first place: "This goes to show that completely shutting down any cybersecurity threat enterprise is a particularly difficult thing to do. It's difficult to do because the offenders can keep doing whatever they want without almost any risk of having to pay for their illegality. Imagine being a bank robber for a living and how good you would get if you could never get arrested and put in jail. Being a cybersecurity threat actor is almost all upside, until we get a global digital Geneva-like Convention where the world agrees on what is and isn't illegal in the digital realm. As long as attackers can hide across international boundaries without fear of personal repercussions, cyber threats will continue unabated in a game of global whack-a-mole. The defense against Qakbot is clear. Teach everyone how to recognize and mitigate phishing emails. If everyone learned not to be tricked by phishing emails, Qakbot and all its ilk would be put down immediately."

First emerging as a banking trojan in 2008, Qakbot grew into one of the most versatile malware botnets and a favorite tool of numerous ransomware gangs. Its long-running success owed much to its flexible modular design and to constant updating by its operators to stay a step ahead of security scanning. Attacks always open with an email containing either a link to an attack site or a malicious attachment, a technique that over time compromised devices in over 30 countries and raked in some $57 million in ransom payments from 2021 to 2023 alone.