Sprawling Qakbot Malware Takedown Spans 700,000 Infected Machines

"Operation Duck Hunt" is not likely to eliminate the initial access botnet forever, but the proactive removal of the malware from victim machines by law enforcement is one of the largest and most significant efforts of its kind.

Image: a closeup photo of an angry mallard duck. Source: Daniel Ladd via Alamy Stock Photo

The infrastructure behind the infamous Qakbot malware, a favorite tool of cybercriminals far and wide, has been taken down by the Feds in an operation code-named "Duck Hunt."

Law enforcement also proactively connected to compromised computers to neutralize Qakbot infections on tens of thousands of victim machines, according to the US Department of Justice (DoJ), which said that the remediators did so with "lawful access."

Qakbot (aka Qbot) is typically used as a first-stage implant, infecting computers after an unwitting target opens a malicious attachment in an email. Once it compromises a machine, it enrolls that machine in the botnet infrastructure and then lies in wait for further instructions. The resulting persistent network of infections can then deliver additional malware on demand.

After emerging in 2007 as a banking Trojan, it has evolved to become part of the initial access broker market on the Dark Web, with its operators renting access to their lattice of compromised machines to any paying cybercriminal. Qakbot has been a key enabler for a plethora of campaigns by various threat actors, delivering payloads ranging from ransomware to cryptominers to spyware.

Proactive State Elimination of Qakbot Infections

The DoJ and the FBI announced Tuesday that in a joint action with France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom, global law enforcement identified and accessed more than 700,000 Qakbot-infected computers worldwide — including more than 200,000 in the US. Qakbot infections tend to affect home users and business users equally, according to recent Secureworks research.

"To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file," according to the DoJ's Qakbot takedown announcement released Tuesday. "This uninstaller — created to remove the Qakbot malware — untethered infected computers from the botnet and prevented the installation of any additional malware."

Previous disruptions have also taken a proactive tack when it comes to endpoint cleanup, though the practice can be controversial. For instance, in May, the FBI used a custom tool called Perseus as part of what it dubbed "Operation Medusa," aimed at disabling the Snake malware on compromised computers; Snake was a signature malware used by the Russia-sponsored Turla advanced persistent threat (APT).

Perseus issued commands that caused the Snake malware to overwrite its own vital components, and it was executed on machines without the users' active consent under a search warrant issued by a US magistrate judge that authorized the remote access.

Roger Grimes, data-driven defense evangelist at KnowBe4, noted that the decision to redirect exploited nodes to a safer server in order to do proactive cleanup was a risk with a positive payoff.

"This sort of proactive cleaning up used to be rare and often contested, even by many cybersecurity experts," he said in an emailed statement. "If not done correctly, the removal could go badly wrong. I'm glad the FBI and its partners have decided proactive cleanup was worth the risk. It improves not only the exploited people and organizations who have Qakbot installed, but the next innocent victims."

For its part, the DoJ is calling the effort "one of the largest US-led disruptions of a botnet infrastructure" ever carried out.

"The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees," said FBI Director Christopher Wray. "The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast."

Qakbot's Down but Not Likely Out

While a win is a win, prior takedowns of Qakbot's spiritual brethren Trickbot and Emotet have demonstrated that the impact of such disruptions to the cyber underground may not be that significant in the long term, according to Chester Wisniewski, field CTO of applied research at Sophos.

"Disrupting the Qakbot botnet…will impose significant inconvenience on the botnet's operators and dependent criminal groups," he noted via email. "Sadly this will not stop Qakbot's masters from reconstituting it and continuing to profit from our security failures. Any time we can raise the cost for criminals to operate their schemes we must take advantage of those opportunities, but this doesn't mean we can rest on our laurels[.] We must continue to work to identify those responsible and hold them accountable to truly disable their operations."

Mandiant researchers agreed but noted that the harrying of any part of the increasingly professional landscape of cybercrime partnerships amounts to an ethical responsibility, given that ransomware in particular is a major national security challenge due to the involvement of adversarial nation-states like Russia or North Korea.

"The underpinnings of this business model are solid, and this problem is not going away anytime soon; many of the tools we have at our disposal aren't going to have long-lasting effects," said Sandra Joyce, vice president of Mandiant Intelligence — Google Cloud, in a statement. "These groups will recover and they will be back. But we have a moral obligation to disrupt these operations whenever possible."

As for what this means for businesses from an operational perspective, Kimberly Goody, Mandiant senior manager for financial analysis, said to expect some short-term fractures within the criminal ecosystem that could give rise to new partnerships, which defenders will need to watch closely.

"Actors who were using Qakbot in ransomware intrusions, for example, may pivot to underground communities for initial access providers, resulting in more varied initial access tactics in the near term," she noted.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
