Pierluigi Paganini
August 30, 2023
The FBI announced that the Qakbot botnet has been dismantled as a result of an international law enforcement operation named Operation ‘Duck Hunt.’
Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. The malware spreads via malspam campaigns, it inserts replies in active email threads.
The Duck Hunt operation involved law enforcement agencies from the U.S., France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom.
Duck Hunt is one of the largest U.S.-led disruptions of a botnet infrastructure used by crooks to commit criminal activities, including ransomware attacks.
In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that led to Black Basta ransomware infections in the US.
According to the FBI’s announcement, crimes associated with Qakbot attacks caused hundreds of millions of dollars in losses to individuals and businesses in the U.S. and abroad.
The FBI explained that as part of the operation has gained lawful access to Qakbot’s C2 infrastructure and identified over 700,000 infected computers worldwide. More than 200,000 infected computers were in the U.S.
“Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims,” states the Justice Department.
The FBI performed a sinkholing of the botnet and once replaced the C2 infrastructure instructed the bot to download an uninstaller file and execute it to remove the Qakbot malware.
“To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file. This uninstaller—created to remove the Qakbot malware—untethered infected computers from the botnet and prevented the installation of any additional malware.” reads the announcement published by the FBI.
“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” said FBI Director Christopher Wray. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”
“All of this was made possible by the dedicated work of FBI Los Angeles, our Cyber Division at FBI Headquarters, and our partners, both here at home and overseas,” added Wray. “The cyber threat facing our nation is growing more dangerous and complex every day. But our success proves that our own network and our own capabilities are more powerful.”
The FBI and the Dutch National Police provided account credentials compromised by the botnet to the data breach notification site Have I Been Pwned. The Dutch National Police also set up a website that allows users to check whether their credentials have been compromised.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Operation ‘Duck Hunt’)
