The U.S. government today [29 August] announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computers. In an international operation announced today dubbed “Duck Hunt,” the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet. “This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said Martin Estrada, the U.S. attorney for the Southern District of California, at a press conference this morning in Los Angeles. Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.
Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.
Don Alway, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect themselves from the botnet, Alway said. The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States. Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.
According to recent figures from the managed security firm Reliaquest, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.
Researchers at AT&T Alien Labs say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.
Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In May 2023, the DOJ quietly removed malware from computers around the world infected by the “Snake” malware, an even older malware family that has been tied to Russian intelligence agencies. Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer. “The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”
The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the Dutch National Police.
Comment: This is a long quoted article from Brian Krebs, but it’s so chock full of information, I couldn’t cut it. The most salient point is that the FBI remotely accessed US citizens’ computers and installed code (an uninstaller) to remove those computers from the control of a botnet. All this was done without notifying the owners of those computers. It’s like a cyber hot pursuit doctrine except the FBI did get a search warrant before remotely accessing any victim computers.
The other aspect of this botnet takedown I find interesting is the breadth of governmental, non-governmental and international players involved. The FBI was apparently the lead USG agency, but from this and other articles linked below you can see that there were a number of private cybersecurity entities involved. I’m glad to see this. We often lamented how the Russians and especially the Chinese made extensive use of private hackers and hacker groups. Sure we used government contractors, but that was nothing like the scale of Chinese and Russians operations. The FBI’s National Cyber Forensics and Training Alliance in Pittsburgh was new and was pioneering the development of mutual trust and true cooperation between law enforcement and private industry. The international aspect has also broadened.
What’s not mentioned is any role Cyber Command and the IC may play in these operations. I suspect that role is kept quiet for a reason. The actions of international cyber criminals and government cyber operations often intersect and overlap. It is only natural that law enforcement, intelligence community and defense operations also intersect and overlap. Even back when I was involved, the cooperation among the FBI, NSA, the forerunners of Cyber Command and even the CIA was very strong. Naturally, cooperation with our General Counsel was even tighter so we stayed on the straight and narrow.
Leith, you asked for this. I hope this helps. The links below and the links in Krebs’ article to the search warrants used to take down this botnet are especially informative. For more info on the Conti gang, which may have operated in concert with the FSB and/or GRU, follow Brian Krebs’s link on the Conti ransomware gang.