A coordinated law enforcement operation, Operation Duck Hunt, has successfully taken down QakBot, a notorious malware family for Windows. QakBot had compromised over 700,000 computers globally, enabling financial fraud and ransomware.
The U.S. Justice Department stated that the malware is being removed from victim computers to prevent further harm and revealed that over $8.6 million in cryptocurrency was seized as illegal gains.
The announcement quoted Attorney General Merrick B. Garland: “Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law.”
“Together with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds.”
Details about the progress
This multinational effort included France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., with help from cybersecurity firm Zscaler.
The operation is being hailed as a major disruption of a cybercriminal botnet. Although no arrests were announced, it is considered a significant victory against cybercrime.
QakBot - A history
Initially starting as a banking trojan in 2007, QakBot evolved into a versatile malware, facilitating the distribution of malicious code, including ransomware. The malware’s administrators reportedly earned around $58 million in ransoms between October 2021 and April 2023. It was a crucial component in the cybercrime ecosystem, enabling ransomware attacks and other serious threats.
- QakBot was typically spread through phishing emails
- Could execute commands and gather information
- Received regular updates
- Its operators were known to take breaks during summers before resuming their activities.
1,2,3 Action
The joint effort involved accessing QakBot infrastructure, redirecting botnet traffic to FBI-controlled servers, and removing QakBot from infected machines. Secureworks Counter Threat Unit observed the distribution of the code that stops QakBot on August 25, 2023.
Happy Ending: A reign of destruction comes to an end
The malware affected various entities, including financial institutions, critical infrastructure contractors, and medical device manufacturers. QakBot showed its adaptability to security measures, for example by switching to OneNote files to spread after Microsoft disabled macros. The malware’s operators utilized diverse file formats and strategies to evade detection.
QakBot’s sophistication was evident in its multi-tier server system controlling infected computers. The malware employed 18 unique attack chains in the second quarter of 2023, reflecting its ability to adapt its methods quickly. This successful operation signifies a substantial blow to cybercriminal activities and reinforces the collaborative effort to combat cyber threats.