Qakbot Disrupted by International Cyber Takedown
- August 31, 2023
- Clayton Rice, K.C.
An international consortium of law enforcement agencies has disrupted Qakbot in the largest U.S.-led takedown of a botnet infrastructure. Between October 2021 and April 2023, Qakbot administrators received fees of approximately $58 million in ransomware payments. The investigation identified over 700,000 infected computers worldwide and resulted in the seizure of $8.6 million in cryptocurrency. The operation, dubbed Duck Hunt, involved seizing control of the botnet’s infrastructure and removing the Qakbot malware from infected computers. The investigation into who is behind the network is ongoing.
On August 29, 2023, the United States Department of Justice announced Operation Duck Hunt, involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania and Latvia, which resulted in the takedown of the Qakbot infrastructure leveraged by threat actors to extort ransomware payments and commit financial fraud. “Together with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds,” said U.S. Attorney General Merrick Garland. (here) FBI Director Christopher Wray said in a video statement that victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast. (here) The FBI Los Angeles Field Office and the U.S. Attorney’s Office for the Central District of California conducted the operation in close cooperation with the European Union Agency for Criminal Justice Cooperation. (here)
2. What is QakBot?
In a post to KrebsOnSecurity titled U.S. Hacks QakBot, Quietly Removes Botnet Infections dated August 29, 2023, investigative journalist Brian Krebs said QakBot first emerged in 2007 as a banking trojan and “morphed into an advanced malware strain” used by cybercrime groups to prepare compromised networks for ransomware heists. The malware is most commonly delivered by “email phishing lures” disguised as something legitimate and time sensitive, such as invoices or work orders. (here) According to the security firm ReliaQuest, QakBot is the most prevalent malware “loader” – malicious software deployed to secure access to a hacked network and help deliver additional malware payloads. QakBot infections accounted for nearly one-third of all loaders observed during the first six months of 2023. (here) Although QakBot has been associated with various cybercrime groups over the years, it has recently been linked with ransomware attacks by Black Basta, a Russian-language group believed to be a 2022 spinoff from the Conti ransomware group. (here and here)
A similar description of Qakbot, also known by other names including “Qbot” and “Pinkslipbot”, appears in the U.S. Justice Department’s press release. The malware primarily infects targeted computers through spam emails containing malicious attachments or hyperlinks. When it has infected a computer, QakBot can then deliver additional malware, including ransomware, to the target. Qakbot has been used as an initial means of infection by prolific actors such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta. A ransomware actor will typically extort payment in bitcoin in exchange for the decryption key allowing the target to access the seized data. In a joint advisory with the FBI, the U.S. Cybersecurity & Infrastructure Security Agency said Qakbot has grown to deploy multiple types of malware, trojans and ransomware variants targeting United States and other global infrastructures including the election infrastructure subsector, financial services, emergency services and commercial facilities sectors. (here and here) Ransomware attacks are growing at an alarming rate globally and have been projected to rise to $265 billion by 2031. (here)
3. The QakBot Hack
In the application for a search warrant in the United States District Court for the Central District of California dated August 21, 2023, an unidentified FBI agent deposed in an affidavit that the agency was investigating the QakBot software and its associated botnet. The FBI had gained access to the QakBot infrastructure including computers used by administrators of the botnet. The investigators gained a comprehensive understanding of the “structure and function” of the botnet and developed a means to “identify infected computers, collect information from them about the infection, disconnect them from the QakBot botnet and prevent administrators from further communicating with the infected computers.” (here and here)
In a post to Bleeping Computer titled How the FBI nuked Qakbot malware from infected Windows PCs dated August 29, 2023, Lawrence Abrams explained that the Qakbot botnet used Tier 1, Tier 2 and Tier 3 command and control servers to issue commands to execute, install malware updates and download additional partner payloads to devices. Tier 1 servers were infected devices with a “supernode” module installed that act as part of the command and control infrastructure of the botnet, with some of the victims located in the United States. Tier 2 servers are also command and control servers, but they are operated by the Qakbot operators, usually from rented servers outside the United States. The FBI stated that both the Tier 1 and Tier 2 servers are used to relay encrypted communications with the Tier 3 servers. The Tier 3 servers act as the central command and control servers for issuing new commands to execute, new malicious software modules to download and malware to install from the botnet’s partners such as ransomware actors. (here) The search warrant that was sought authorized the following search process. I have taken these extracts from the affidavit:
- First, the FBI will identify the current Tier 1 servers (which are also Qakbot infected victim computers) based on information collected by the FBI […].
- Second, an FBI-controlled computer will contact each of those Tier 1 servers using commands built into the Qakbot malware and Qakbot encryption keys known to the FBI. The FBI will instruct each Tier 1 server to download and install an FBI-created module that replaces the “supernode” module in the already-installed Qakbot malware (“FBI Supernode Module”). The FBI Supernode Module contains a new encryption key that will make it impossible for the Qakbot administrators to communicate with the Tier 1 servers. The proposed warrant would authorize replacement of the “supernode” module to allow the FBI to communicate with and search infected computers that make up the botnet. The proposed warrant therefore also authorizes law enforcement officers to seize or copy from the infected computers electronically stored information related to the Qakbot malware, including encryption keys and server lists used by the Qakbot administrators to communicate with computers that are part of the Qakbot infrastructure.
- Third, the FBI will contact each of those Tier 1 servers using commands built into the Qakbot malware. The FBI will instruct those Tier 1 servers to communicate with an FBI-controlled server (the “FBI server”) instead of the Qakbot Tier 2 servers. At this point all communications from infected botnet computers will be routed through the Tier 1 servers to the FBI server, rather than to the Qakbot Tier 2 and Tier 3 servers.
- Fourth, infected computers subject to this warrant that make up the botnet would then communicate with the FBI server instead of the Tier 3 server. As noted above, the Qakbot malware instructs the infected computers to contact the Tier 3 server every one to four minutes. When those infected computers contact the FBI server, the server will instruct them to download a second file created by law enforcement (“the Qakbot Uninstaller”). This warrant would authorize this action, with the intent that computers in the United States that are infected with the Qakbot malware will download the Qakbot Uninstaller from the FBI server via the FBI-controlled Tier 1 servers. The proposed warrant therefore authorizes law enforcement officers to seize or copy from the infected computers electronically stored information related to the Qakbot malware, including IP addresses and routing information necessary to determine whether the infected computer continues to be controlled by the Qakbot botnet. (here and here)
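The affidavit’s observation that infected computers check in with the Tier 3 server every one to four minutes describes a beaconing pattern that network defenders can look for in their own outbound connection logs. The following is an added example, not drawn from the affidavit or any of the reports cited above: it runs a simple periodicity check over constructed proxy log lines (the hostnames, IP addresses and thresholds are invented for illustration) and flags source/destination pairs whose check-in interval is regular and falls inside that one-to-four-minute window.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines: "<ISO timestamp> <source host> <destination>".
# ws-17 checks in every ~2.5 minutes (candidate beacon); ws-04 is irregular;
# ws-09 is a 5-second poll, too frequent for the window the affidavit describes.
SAMPLE_LOG = """\
2023-08-20T10:00:00 ws-17 198.51.100.23:443
2023-08-20T10:02:30 ws-17 198.51.100.23:443
2023-08-20T10:05:10 ws-17 198.51.100.23:443
2023-08-20T10:07:45 ws-17 198.51.100.23:443
2023-08-20T10:10:20 ws-17 198.51.100.23:443
2023-08-20T10:00:05 ws-04 203.0.113.9:443
2023-08-20T10:31:00 ws-04 203.0.113.9:443
2023-08-20T10:33:00 ws-04 203.0.113.9:443
2023-08-20T11:45:00 ws-04 203.0.113.9:443
2023-08-20T10:00:00 ws-09 192.0.2.50:443
2023-08-20T10:00:05 ws-09 192.0.2.50:443
2023-08-20T10:00:10 ws-09 192.0.2.50:443
2023-08-20T10:00:15 ws-09 192.0.2.50:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        conns[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return conns

def find_beacons(conns, min_s=60, max_s=240, max_cv=0.25, min_hits=4):
    """Return (src, dst, mean interval, jitter) for pairs whose check-in interval
    is regular and lies within [min_s, max_s] seconds. Thresholds are assumed."""
    hits = []
    for (src, dst), stamps in conns.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if not min_s <= mean <= max_s:
            continue
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation = jitter
        if cv <= max_cv:
            hits.append((src, dst, round(mean), round(cv, 2)))
    return hits
```

Real beacons usually add jitter and may rotate destinations, so the interval and jitter thresholds should be tuned against a baseline of the environment’s legitimate periodic traffic before alerting on them.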
The FBI said its server “will be a dead end” and “[i]t will not capture content from the infected computers” except the IP address and associated routing information of the infected computers for victim notification purposes.
Law enforcement did not announce any arrests stemming from Operation Duck Hunt. When asked who was believed to be behind the botnet, United States Attorney Martin Estrada declined to comment citing the ongoing nature of the investigation. U.S. officials, however, have frequently warned that a large percentage of global cybercrime and ransomware originates from Russia. As reported by Reuters, they accuse Russia of “turning a blind eye to digital crooks as long as they focus their activity abroad”. The claim has been denied by the Kremlin. (here and here)
I will leave you with these comments on the ever-evolving ransomware threat that I have discussed in previous posts to On The Wire. (here and here) On August 28, 2023, the Canadian Centre for Cyber Security released a report warning that Russia and Iran are acting as safe havens for threat actors hitting Western targets. (here) The report said fraud remains the most common type of cybercrime and that ransomware attacks are targeting organizations and industries with no discernible pattern. Reporting for CBC, Canada’s national broadcaster, Peter Zimonjic emphasized the finding in the report, consistent with the reporting by Reuters, that “Russian intelligence services and law enforcement almost certainly maintain relationships with cybercriminals and allow them to operate with near impunity.” (here) Mr. Zimonjic cited an unnamed government official who said “intelligence and security sources indicate that many cybercriminal groups operate in Russia and are permitted to carry out those activities so long as they do not target Russian interests.” The CCCS report warned that “[r]ansomware is almost certainly the most disruptive form of cybercrime facing Canada”.