Unkillable? Qakbot Infections Fly On Even After Its High-Profile Raid

The Qakbot (aka Qbot) first-stage malware operation is still kicking, even after the "Operation Duck Hunt" raid by law enforcement eviscerated its infrastructure a few weeks ago. It was recently seen distributing the Ransom Knight ransomware and the Remcos backdoor remote access Trojan (RAT) via phishing emails.

Evidently, a massive takedown of Qakbot's botnet infrastructure in August, involving law enforcement from seven different countries, wasn't enough to even temporarily kill the notorious initial access broker (IAB). According to a new report from Cisco Talos, a ransomware campaign that began before the raid is still ongoing, yet again proving how difficult it is to take out a major threat actor.

"A lot of people thought that it would not take a lot of time before Qakbot was back, and we've shown that," says Guilherme Venere, threat researcher for Cisco Talos. "They were never really inactive. They were still running campaigns at the same time that the requisite infrastructure was taken down."

Qakbot Still at It Post-Takedown

On Aug. 29, law enforcement authorities from the US (the FBI), UK, France, Germany, Romania, Latvia, and the Netherlands teamed up against the operators behind Qakbot, "cutting it off at the knees." Specifically, authorities identified and accessed 700,000 infected computers, redirecting them to FBI-controlled servers, where they automatically downloaded Qakbot uninstallers. Additionally, authorities seized $8.6 million of Qakbot's illicitly obtained funds.

But in the face of all that, a Qakbot campaign that began earlier in August kept chugging along.

In fact, the group has been distributing phishing emails in English, Italian, and German, containing .ZIP archives with two primary components.

First, there are shell link (.LNK) files masquerading as financial documents. For example, "Pay-Invoices-29-August.pdf.lnk" and "bank transfer request.lnk." These files download an executable from a remote IP address, containing the Ransom Knight ransomware. Ransom Knight is a newer version of the ransomware-as-a-service malware "Cyclops," updated back in May.

Besides the ransomware, the .ZIPs also contain Excel Add-In (XLL) files hiding the Remcos backdoor, enabling persistent access to targeted machines even after the deployment of ransomware.

It's unclear yet how many organizations have been targeted in this campaign, and whether any have suffered damages as a result.

Can Law Enforcement Ever Eliminate Threat Actors?

In recent years, US and international law enforcement has stepped up efforts to curb major cybercrime outfits, whether by taking down infrastructure, seizing crypto, fully arresting group members IRL, or any combination therein. The long-term results are mixed.

In certain cases, police have done serious, irreversible harm to these groups. For instance, where once it sat atop the world of ransomware, Hive is now a memory of the past, thanks to the FBI and Department of Justice.

But seemingly in more cases, authorities have had limited success. The Emotet botnet survived a coordinated takedown effort, as did the Trickbot botnet. Even the Conti group recouped after being shut down by authorities, at least to some degree.

"It's difficult to take them down unless you arrest the original actors behind the group," Venere says. "In this case, there was no arrest made of anyone behind the Qakbot infrastructure. So they are still there. They still have access to the source code for the malware. They can still develop new variants, and they have the infrastructure to distribute it."

All of the law enforcement effort isn't necessarily a waste, though. "The FBI had a huge impact on the group's infrastructure, and their financial structure, and now they have to rebuild it. Sometimes, this kind of thing makes it not worth the time to rebuild infrastructure," he says.

"So it might have an impact in the end," he concludes, "because it will make it so expensive for them to rebuild this stuff."