
Unkillable? Qakbot Infections Persist Despite High-Profile Raid

The Qakbot malware, also known as Qbot, continues to operate despite a recent law enforcement operation called “Operation Duck Hunt” that targeted its infrastructure. The operation, which involved authorities from seven different countries, managed to disrupt Qakbot’s botnet infrastructure in August. However, a new report from Cisco Talos reveals that the malware is still active and distributing other malicious software.

According to Cisco Talos, a ransomware campaign that was already underway before the raid is still ongoing. This demonstrates the challenges that law enforcement faces when trying to eliminate major threat actors. Guilherme Venere, a threat researcher for Cisco Talos, explained that Qakbot remained active even while its infrastructure was being taken down.

The multinational takedown operation against Qakbot took place on August 29 and involved law enforcement authorities from the US (FBI), UK, France, Germany, Romania, Latvia, and the Netherlands. The operation managed to identify and access 700,000 infected computers, redirecting them to FBI-controlled servers where Qakbot uninstallers were automatically downloaded. Additionally, authorities seized $8.6 million of Qakbot’s illicitly obtained funds.

Despite these efforts, Qakbot continues its malicious activities. The group has been distributing phishing emails in multiple languages, including English, Italian, and German. These emails contain .ZIP archives with two main components. The first component is shell link (.LNK) files that disguise themselves as financial documents, such as “Pay-Invoices-29-August.pdf.lnk” and “bank transfer request.lnk.” These files download an executable from a remote IP address, which installs the Ransom Knight ransomware. Ransom Knight is an updated version of the Cyclops ransomware-as-a-service malware.

The second component found in the .ZIP archives is Excel Add-In (XLL) files that hide the Remcos backdoor. This backdoor grants the attackers persistent access to targeted machines, even after the deployment of ransomware. It is currently unknown how many organizations have been targeted in this campaign and the extent of the damages they may have suffered.
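The two attachment types described above (shortcut files carrying a decoy document extension, and Excel add-ins) are both easy to flag at the mail gateway before anyone opens the archive. The following triage script is an added example, not code from Cisco Talos or from the article; it checks each member of a .ZIP both by name and by file header, so a renamed shortcut or a non-PE file named .xll is still reported. The sample archive it builds is constructed for the demonstration and contains inert placeholder bytes, not real payloads.

```python
"""Triage a mail-attached .ZIP for the shortcut and add-in lures described above."""
import io
import re
import zipfile
from dataclasses import dataclass

# Shell link (.LNK) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
PE_MAGIC = b"MZ"  # XLL add-ins are ordinary PE DLLs that Excel loads
# Decoy double extensions such as "Pay-Invoices-29-August.pdf.lnk"
DECOY_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", re.IGNORECASE)


@dataclass
class Finding:
    member: str
    reason: str


def triage_zip(data: bytes) -> list[Finding]:
    """Return one Finding per suspicious archive member, in archive order."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(32)  # enough for both magic checks

            # Shortcut files: judged by header first, then by the decoy name
            if head.startswith(LNK_MAGIC):
                if DECOY_DOUBLE_EXT.search(lower):
                    findings.append(Finding(name, "shortcut disguised with a document extension"))
                else:
                    findings.append(Finding(name, "Windows shortcut inside a mail attachment"))
            elif lower.endswith(".lnk"):
                findings.append(Finding(name, ".lnk name but no shell link header"))

            # Excel add-ins: native code, so any .xll in mail is worth a look
            if lower.endswith(".xll"):
                if head.startswith(PE_MAGIC):
                    findings.append(Finding(name, "Excel add-in (native DLL loaded by Excel)"))
                else:
                    findings.append(Finding(name, ".xll name without a PE header"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive reusing the lure names from the article.
    Member contents are placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pay-Invoices-29-August.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("bank transfer request.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("statement.xll", PE_MAGIC + b"\x00" * 64)
        zf.writestr("readme.txt", b"plain text, nothing to flag\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f.member}: {f.reason}")
```

Matching on the header rather than only the extension matters because the display name is exactly what the lure manipulates; conversely, a name that claims to be a .lnk or .xll but whose bytes say otherwise is itself a signal worth surfacing rather than silently ignoring.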

This incident raises the question of whether law enforcement can ever fully eliminate threat actors. In recent years, law enforcement agencies worldwide have intensified their efforts to combat major cybercrime groups. While some takedowns have had a significant impact, others have had limited success. For example, the FBI and the Department of Justice successfully dismantled the Hive ransomware gang. However, efforts against the Emotet and Trickbot botnets did not achieve the desired results.

According to Venere, it is challenging to take down threat actors unless the original actors behind the group are arrested. In the Qakbot case, no arrests were made, allowing the group to continue its operations. They still have access to the source code for the malware and can develop new variants with their existing infrastructure for distribution.

Nevertheless, the efforts of law enforcement are not in vain. Disrupting the infrastructure and financial structure of these groups can make it more difficult and expensive for them to rebuild and continue their activities. The impact of the takedown on Qakbot’s operations remains to be seen.

As cybercriminals become increasingly sophisticated, law enforcement must constantly adapt and evolve their strategies to effectively combat these threats. The fight against cybercrime requires international collaboration and ongoing efforts to disrupt and dismantle criminal infrastructure. By staying vigilant and proactive, law enforcement can continue to weaken threat actors and protect individuals and organizations from cyber threats.
