QakBot malware platform taken down by FBI


The US Department of Justice (DoJ) says QakBot, a decades-old malware platform with ties to Russia, has been dismantled by the FBI with the help of international law enforcement.

US authorities say the notorious QakBot banking trojan, also known as QBot or Pinkslipbot, has been in use by cybercriminals and ransomware groups since 2008.

QakBot malware “had infected more than 700,000 victim computers, facilitated ransomware deployments, and caused hundreds of millions of dollars in damage to businesses, healthcare providers, and government agencies,” according to US Attorney for the Central District of California Martin Estrada.

Estrada said the move against QakBot was the most significant technological and financial operation ever led by the department against a botnet, a network of infected computers remotely controlled by criminals and used to spread further malware.

Operation Duck Hunt

Led by the FBI, Operation “Duck Hunt” involved help from law enforcement in France, Germany, the Netherlands, Britain, Romania and Latvia.

As part of the operation, roughly 52 bot servers in the United States and abroad were seized by the FBI and its partners, and approximately $8.6 million in illicit cryptocurrency profits was confiscated.

In order to cripple the cybercrime network, the FBI said it had redirected QakBot internet traffic to government-controlled servers, which allowed agents to push an uninstaller to infected machines and remove the malware from victim computers.

The FBI said it was able to actively remove the QakBot files from victims' systems while keeping their data secure.

Just this past week, QakBot was identified by ReliaQuest threat researchers as one of three malware loaders that together accounted for nearly 80% of the attacks observed in its recent data.

[Figure: Top 10 most observed malware loaders, January 1–July 31, 2023, led by QakBot, SocGholish and Raspberry Robin. Image by ReliaQuest]

"Together, we have taken down QakBot and saved countless victims from future attacks," Estrada said about Tuesday's DoJ announcement.

QakBot speedbump

Between October 2021 and April 2023, investigators say QakBot administrators made out with nearly $58 million in ransom payouts from its hundreds of victims worldwide.

Unfortunately, as significant as the takedown is, some security insiders believe it will only be seen as an inconvenience for QakBot operators and the criminal groups that use the malware regularly.

“While this is a disruption to a lot of criminal marketplaces that rely on the botnet to function, it's ultimately a speedbump rather than a dismantling,” said Chester Wisniewski, Field CTO of Applied Research at Sophos.

Wisniewski believes that QakBot's masters will eventually reconstitute the operation and continue to profit from our security failures.

“Any time we can raise the cost for criminals to operate their schemes, we must take advantage of those opportunities, but this doesn't mean we can rest on our laurels; we must continue to work to identify those responsible and hold them accountable to truly disable their operations,” Wisniewski said.

QakBot malware

Threat intelligence analysts say the QakBot malware loader is commonly used by threat actors to steal financial data and banking credentials, and is most often spread via targeted email campaigns, also known as spear phishing.

Associated with the Russian-speaking Black Basta ransomware group, QakBot was originally designed as a banking trojan and has since been upgraded with new capabilities over the years.

The versatile malware can deliver remote-access payloads, steal sensitive data, allow lateral movement within targeted networks, and carry out remote code execution.

[Figure: QakBot attack scenario diagram, showing a Black Basta attack. Image by Cybereason]

Organizations around the world, from Germany to Argentina, have been targeted with the malware, although most victims are known to be located in the US.

The FBI said that of the 700,000 computers it found infected with QakBot, 200,000 were located in the US.

FBI Director Christopher Wray said US victims have ranged from financial institutions on the East Coast to critical infrastructure government contractors in the Midwest to medical device manufacturers on the West Coast.

During a targeted spear phishing campaign last November, Black Basta deployed the QakBot malware, infecting at least 10 companies with ransomware in a matter of just two weeks.

"The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees," Wray said in a statement.

This past May, the FBI also successfully took down the sophisticated Russian "Snake" malware spy network, which it had been tracking for over two decades.

The dismantled Russian spy operation was said to be responsible for using the Snake malware to steal thousands of sensitive documents from hundreds of computer systems in at least 50 countries.