Operation Duck Hunt — How Qakbot malware was taken down by FBI?


Qakbot, also known as Oakboat, Pinkslipbot, Qbot, or Quakbot, was one of the largest known botnets and has a long history in the world of cybercrime. This highly sophisticated and persistent malware was active from 2007 until Tuesday, August 29th, 2023, when the FBI completed Operation Duck Hunt and took Qakbot down as a result.

Qakbot in a nutshell

Qakbot started as a banking trojan in 2007, but it evolved into much more advanced malware. It primarily infects victim computers through spam email messages with malicious attachments and links. QakBot was used as an initial-access gateway, similar to TrickBot or Emotet, leading to post-exploitation operations leveraging frameworks such as Cobalt Strike as well as the delivery of ransomware.

Read more about Cobalt Strike: malpedia.caad.fkie.fraunhofer.de/details/wi..

Infected computers became part of a botnet, which is a network of compromised computers that hacker groups can control remotely. The owners and operators of the victim computers were usually unaware of what was happening on their systems.

Qakbot was used by the Gold Cabin group, also known as ATK236, G0127, Monster Libra, Shakthak, or TA551, which has been operating a malware distribution service on behalf of numerous customers since 2018.

Read more about Gold Cabin group: malpedia.caad.fkie.fraunhofer.de/actor/gold..

The TA577 group was also connected with Qakbot malware attacks.

Read more about TA577 group: malpedia.caad.fkie.fraunhofer.de/actor/ta577

How bad was Qakbot?

According to the Justice Department, Qakbot was used “as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The ransomware actors then extort their victims, seeking ransom payments in Bitcoin before returning access to the victim's computer networks.”

There is evidence that between October 2021 and April 2023, Qakbot administrators received fees worth around $58 million in ransoms paid by victims.

Qakbot's victims ranged from “financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”

Operation details

Here is the information that has been made available to the public.

Operation Duck Hunt took place in the U.S. and across Europe, in

  • France,

  • Germany,

  • the Netherlands,

  • Romania,

  • Latvia,

  • the United Kingdom.

The FBI has cooperated with:

  • the Cybersecurity and Infrastructure Security Agency,

  • Shadowserver,

  • Microsoft Digital Crimes Unit,

  • the National Cyber Forensics and Training Alliance,

  • Have I Been Pwned (aid in victim notification and remediation),

  • Zscaler (technical assistance).

The FBI gained access to an online panel that provided access to QakBot’s admin computers, then mapped out the server infrastructure used in the botnet’s operation.

This is how the Justice Department described the process:

“redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.”

The full announcement by FBI Director Christopher Wray: https://www.youtube.com/watch?v=mIeUT0QmqfU

FBI cutting off one of Hydra’s heads?

As a result of the operation, the FBI identified over 700,000 infected computers worldwide (more than 200,000 of them located in the US).

The FBI seized over $8.6m in cryptocurrency from the Qakbot cybercriminal organization.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said Martin Estrada, the U.S. attorney for the Southern District of California.

According to Spamhaus, in Q3 2023 there was a 41% decrease in the number of detections associated with Qakbot malware.

Screenshot from Spamhaus Botnet Threat Update Q3 2023

Looks good, right? However, nobody was actually arrested during Operation Duck Hunt.

The hard truth is that today we close one network, and tomorrow a couple of new ones may appear, so we play the game once again. Cybercriminals are very adaptive, well-organized groups. They know how to hide their digital footprints, and they know how to restore infrastructure fast.

Looking at the timeline, this is what probably happened in this case:

  1. QakBot was seized in August 2023.

  2. In September 2023 a significant increase in the DarkGate campaign occurred.

  3. In October 2023 the DarkGate campaign was swapped for a PikaBot campaign.

Why should we connect the dots between these three malware families?

Because QakBot, DarkGate, and PikaBot share many similarities, it looks like they are the next iteration of QakBot.

If you want to learn more about the similarities and how DarkGate and Pikabot malware are working, wait for my next article.

Sources