Qakbot botnet brought down in major global operation led by US

Qakbot, the criminal world’s long-established “botnet of choice,” has been toppled by a multinational law enforcement operation that also uninstalled the malware from 700,000 computers.

In an Aug. 29 announcement, the U.S. Justice Department said the operation, led by the FBI, seized and disabled the infrastructure powering the botnet.

Authorities took possession of $8.6 million in cryptocurrency, said to be a small portion of the total amount extorted from ransomware victims over several years by the gang behind Qakbot.

“Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims,” the Justice Department said.

The operation, codenamed “Duck Hunt,” involved law enforcement agencies from France, Germany, the Netherlands, the United Kingdom, Romania and Latvia, as well as the U.S.

Qakbot was “one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said Martin Estrada, U.S. attorney for the Central District of California, where the seizure warrant for the cryptocurrency was filed.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” Estrada said.

In an Aug. 25 research post, ReliaQuest said QakBot (also known as "QBot," "QuackBot" and "Pinkslipbot") was the most frequently seen malware loader, accounting for 30% of all loaders observed in the first seven months of this year.

Check Point also described Qakbot as the world’s most prevalent malware, and said it impacted 11% of corporate networks worldwide in the first half of 2023.

“Qakbot is especially tricky: it is a multipurpose malware, akin to a Swiss Army knife. It allows cybercriminals to directly steal data (credentials to financial accounts, payment cards, etc.) from PCs, while also serving as an initial access platform to infect victims’ networks with additional malware and ransomware,” Check Point said.

The malware has been used as an initial means of infection by a prolific range of ransomware groups such as Conti, REvil and Black Basta, among others, and sought ransom payments in Bitcoin.

In a statement announcing the takedown, the FBI said Qakbot had caused hundreds of millions of dollars of losses since its creation in 2008.

“This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe,” FBI Director Christopher Wray said.

"The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast."

700,000 computers untethered

By gaining access to the Qakbot infrastructure during the operation, the FBI was able to identify over 700,000 computers worldwide, including more than 200,000 in the U.S., that were infected with the malware.

“To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware,” the Justice Department said.

The uninstaller was able to “untether” the infected computers from the Qakbot botnet.

Secureworks said in a blog post that it had long maintained visibility of Qakbot’s backend infrastructure. Researchers in its Counter Threat Unit (CTU) observed the Aug. 25 takedown operation, which involved the botnet distributing shellcode to infected devices.

“The shellcode unpacks a custom DLL (dynamic link library) executable that contains code that can cleanly terminate the running Qakbot process on the host,” Secureworks said.

“The DLL uses a clever method that involves sending a QPCMD_BOT_SHUTDOWN instruction via a named pipe that Qakbot uses to send and receive messages between processes on the host.”

Is this the end for Qakbot?

The efforts of the multinational teams, and their success in taking down such a major player in the cybercriminal ecosystem so emphatically, were praised by researchers. But some cautioned that the demise of such a significant botnet would leave a void, and an opportunity for the group behind QakBot (known as Batbug or Gold Lagoon) to rebuild.

“Batbug has long been one of the largest players in the cybercrime landscape, controlling a lucrative malware distribution network that was linked to multiple major ransomware gangs,” Symantec’s Threat Hunter Team said in a blog post.

“This takedown is likely to disrupt Batbug’s operations and it is possible that the group may struggle to rebuild its infrastructure in its aftermath.”

Secureworks said it had observed the group’s infrastructure becoming unresponsive as a result of the takedown operation.

“These robust efforts should reduce the number of infected hosts and hinder GOLD LAGOON's attempts to regain control of the botnet.”

Mandiant senior manager, financial analysis, Kimberly Goody, said Qakbot had a history of adapting and evolving.

“Any impact to these operations is welcomed as it can cause fractures within the ecosystem and lead to disruptions that cause actors to forge other partnerships — even if it’s only temporary.”

Another Mandiant executive, Sandra Joyce, VP, Mandiant Intelligence — Google Cloud, said ransomware was a major security challenge that had to be taken seriously.

“The underpinnings of this business model are solid and this problem is not going away anytime soon. Many of the tools we have at our disposal aren’t going to have long-lasting effects. These groups will recover and they will be back.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
