The US Justice Department, in collaboration with several international partners, has successfully taken down the infamous Qakbot botnet. Led by the US FBI, the multinational operation involved authorities from France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. The agencies adopted a two-pronged approach, which started with gaining lawful access to the botnet’s infrastructure and redirecting traffic to servers controlled by the FBI. Any computer redirected to these servers received an uninstaller file that eliminated the Qakbot malware.
Qakbot, also known as ‘Qbot’ and ‘Pinkslipbot,’ has been a major player in the criminal underworld. Its primary method of infecting victim computers involves spam email messages that contain malicious attachments or hyperlinks. Once a computer is infected, Qakbot has the capability to introduce additional malware, including ransomware, thus further exploiting the victim’s system. In recent years, Qakbot has been used by various ransomware groups, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta, to gain initial access to computer networks before launching their extortion schemes.
Highlighting the significance of the operation, FBI Director Wray mentioned that the botnet provided cybercriminals with a vast command-and-control infrastructure composed of hundreds of thousands of computers. Don Smith, VP of Threat Intelligence at the Secureworks Counter Threat Unit (CTU), echoed this sentiment, stating that Qakbot was a formidable adversary that posed a serious threat to businesses globally. The malware was highly adaptive and often led to the deployment of sophisticated and damaging ransomware attacks. Consequently, the removal of Qakbot is being hailed as a major success.
However, no arrests accompanied the takedown: Qakbot's operators are based in Russia, and Russian authorities are widely reported to tolerate, and possibly enable, such groups as long as they do not target Russian interests or Russian victims. The Secureworks research team tracks the financially motivated group behind Qakbot as the "GOLD LAGOON" threat group. The botnet has been active since 2007 and has a modular structure that supports a range of criminal activity, with a particular emphasis on enabling ransomware attacks.
Secureworks CTU researchers monitored the FBI-led takedown in real time and recorded the method used. At 11:27 UTC on August 25th, they observed Qakbot's infrastructure distributing shellcode to infected devices. The shellcode unpacked a custom DLL that terminated the running Qakbot process on the host. It did this not by forcibly killing the process but by sending Qakbot's own QPCMD_BOT_SHUTDOWN instruction over the named pipe that Qakbot uses to exchange messages between its processes on the host; to reach that pipe, the DLL had to compute the pipe name Qakbot derives for the specific machine it was running on. At the same time, GOLD LAGOON's infrastructure became unresponsive, and the number of infected hosts checking in dropped sharply.
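The mechanics described above, as an added illustration that is not code from Secureworks, the FBI, or Qakbot itself: a resident process listens on a pipe whose name it derives from the host, and a remover can only deliver the shutdown command if it derives exactly the same name. Only the command name QPCMD_BOT_SHUTDOWN comes from the page; the derivation function, the ACK/NAK replies, the hostnames, and the use of a Unix domain socket in place of a Windows named pipe are all assumptions made for the demo.

```python
import hashlib
import os
import socket
import tempfile
import threading

# Command name as reported in the Secureworks write-up; everything else here is hypothetical.
QPCMD_BOT_SHUTDOWN = b"QPCMD_BOT_SHUTDOWN"


def derive_pipe_name(hostname: str, seed: bytes = b"example-seed") -> str:
    """Hypothetical per-host pipe name derivation (stand-in for Qakbot's real scheme).

    The only property the demo relies on is that every process on the same host
    computes the same name, so a remover must reproduce the derivation exactly.
    """
    digest = hashlib.sha256(seed + hostname.encode("utf-8")).hexdigest()
    return "pipe_" + digest[:16]


class ResidentProcess:
    """Stand-in for the running bot: serves commands on its per-host pipe.

    A Unix domain socket emulates the Windows named pipe so this runs on Linux/macOS.
    """

    def __init__(self, pipe_path: str):
        self.pipe_path = pipe_path
        self.received = []
        self.running = True
        self._sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._sock.bind(pipe_path)
        self._sock.listen(1)
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self.running:
            conn, _ = self._sock.accept()
            with conn:
                cmd = conn.recv(64)
                self.received.append(cmd)
                if cmd == QPCMD_BOT_SHUTDOWN:
                    conn.sendall(b"ACK")
                    self.running = False  # orderly exit rather than being killed
                else:
                    conn.sendall(b"NAK")
        self._sock.close()

    def join(self, timeout: float = 5.0) -> bool:
        self._thread.join(timeout)
        return not self._thread.is_alive()


def send_command(pipe_path: str, cmd: bytes) -> bytes:
    """Remover side: open the pipe by its derived name and send a single command."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(pipe_path)
        s.sendall(cmd)
        return s.recv(8)


def run_demo(hostname: str = "WORKSTATION-01") -> dict:
    workdir = tempfile.mkdtemp()
    pipe_path = os.path.join(workdir, derive_pipe_name(hostname))
    bot = ResidentProcess(pipe_path)

    # A remover that derives the wrong name never reaches the bot at all.
    wrong_path = os.path.join(workdir, derive_pipe_name("SOME-OTHER-HOST"))
    try:
        send_command(wrong_path, QPCMD_BOT_SHUTDOWN)
        wrong_name_reached_bot = True
    except OSError:
        wrong_name_reached_bot = False

    # With the correct name the shutdown command is honoured and the bot exits.
    reply = send_command(pipe_path, QPCMD_BOT_SHUTDOWN)
    stopped = bot.join()
    os.unlink(pipe_path)
    os.rmdir(workdir)
    return {
        "wrong_name_reached_bot": wrong_name_reached_bot,
        "reply": reply,
        "stopped": stopped,
        "commands_seen": list(bot.received),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the wrong-name attempt is the detail the paragraph hinges on: a shutdown command is only useful if the sender can reproduce the per-host rendezvous name, which is why the uninstaller DLL had to compute it rather than use a fixed string.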
An overview provided by Secureworks shed light on the scale of Qakbot's operations before the takedown. Over the preceding four months the malware had infected roughly 10,000 machines across 153 countries, about 5,000 of which were domain-joined, which points to corporate environments. The most affected countries were the US, Germany, and China. Qakbot's backend infrastructure had been hosted in Russia for about two and a half years: the operators relocated it there around the time of the Emotet disruption in January 2021, and it remained there until this operation.
Operation Duck Hunt, as the takedown has been dubbed, involved a broad range of partners, including public and private entities. Valuable technical assistance was provided by Zscaler, and the operation involved cooperation with organizations such as the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned. The joint effort included various international law enforcement agencies and investigative bodies, including Europol, the French Police Cybercrime Central Bureau, the German Federal Criminal Police, the Netherlands National Police, and the UK’s National Crime Agency, among others.
Experts in the field have praised the operation and the level of international collaboration it required. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commended the FBI and its global partners, emphasizing the importance of proactive clean-up in removing the Qakbot malware. However, Grimes cautioned against vigilante actions and emphasized the need to leave such takedowns to law enforcement agencies.
Ken Westin, Field CISO at Panther Labs, found it intriguing that the FBI essentially deployed measures resembling “hacking back” to redirect traffic and uninstall the malware on remote systems. While this is a rare approach for law enforcement, given the potential risks involved, Westin believes the minimal risk posed by Qakbot to networks and critical infrastructure justified the actions taken. He expressed interest in learning more about the legal framework under which such activities can be undertaken in cases involving malware and threats to national security.
Overall, industry experts agree that the takedown of the Qakbot botnet has dealt a significant blow to its operations. However, it remains to be seen whether the group behind the botnet, GOLD LAGOON, will resurface with new tactics and techniques. Chester Wisniewski, Field CTO of Applied Research at Sophos, acknowledged the setback to Qakbot but warned that its operators may not be permanently silenced. Therefore, continued vigilance and collaboration between international law enforcement agencies and private sector organizations will be crucial in combating future threats posed by botnets like Qakbot.
