Home / Software / Apps / FBI takedown of Qakbot botnet

FBI takedown of Qakbot botnet

A global law enforcement operation dismantled the Qakbot botnet this week, the largest U.S.-led financial and technical disruption of a botnet infrastructure.

Qakbot, a banking trojan, is notorious for giving other hackers access to a victim’s network to install ransomware. In 18 months, Qakbot has enabled over 40 ransomware attacks and generated $58 million in ransom payments, according to U.S. officials.

In “Operation Duck Hunt,” the FBI and its international partners seized Qakbot’s US and European infrastructure. The FBI and U.S. Department of Justice seized more than $8.6 million in cryptocurrency from Qakbot, which will be made available to victims.

In Tuesday’s announcement, the FBI said it redirected botnet network traffic to U.S. government servers to take control. With this access, the FBI used the botnet to instruct Qakbot-infected machines worldwide to download an FBI-built uninstaller to untether the victim’s computer from the botnet and prevent malware installation.

As of June, the FBI had found 700,000 Qakbot-infected devices, including over 200,000 in the US. A senior FBI official told reporters that Qakbot victims number in the “millions.”

Operation Duck Hunt happened

The operation worked how?
According to the seizure warrant application, the FBI identified and accessed the Qakbot botnet infrastructure servers hosted by an unnamed web hosting company, including Qakbot administrators’ systems. To prevent the web host from notifying its customers, the Qakbot administrators, the FBI asked the court to order a secret copy of the servers.

The FBI had access to Qakbot’s stack of virtual machines for testing malware samples against popular antivirus engines and its servers for running phishing campaigns named after former U.S. presidents, knowing that political-themed emails are likely to be opened. The FBI also found Qakbot wallets with crypto stolen by administrators.

The application states, “Through its investigation, the FBI has gained a comprehensive understanding of the structure and function of the Qakbot botnet,” describing its botnet takedown plan. Based on that knowledge, the FBI has developed a way to identify infected computers, collect infection information, disconnect them from the Qakbot botnet, and prevent Qakbot administrators from communicating with them.”

According to the FBI and CISA, Qakbot controls malware on infected computers worldwide using Tier 1, Tier 2, and Tier 3 systems.

The FBI said Tier 1 systems are ordinary home or business computers, many of which were in the US, infected with Qakbot and equipped with a “supernode” module, making them part of the botnet’s international control infrastructure. Tier 1 computers communicate with Tier 2 systems, which proxy network traffic to hide the Tier 3 command and control server, which administrators use to send encrypted commands to hundreds of thousands of infected machines.

The FBI said it could decrypt and understand Qakbot’s encrypted commands with access to these systems and its encryption keys. The FBI used those encryption keys to instruct Tier 1 “supernode” computers to swap and replace the supernode module with a new FBI-developed module with new encryption keys that locked out Qakbot administrators from their infrastructure.

Swap, replace, uninstall
Secureworks’ takedown analysis shows that the FBI module was delivered on August 25 at 7:27pm in Washington DC.

The FBI then ordered Tier 1 computers to communicate with its server instead of Qakbot’s Tier 2 servers. Next time a Qakbot-infected computer checked in with its servers—every one to four minutes—it would seamlessly communicate with an FBI server.

After Qakbot-infected computers were sent to the FBI’s server, the server instructed them to download an uninstaller to remove the malware. The uninstaller was uploaded to Google’s VirusTotal malware and virus scanner. This blocks and prevents another Qakbot infection but does not remove or fix Qakbot malware.

The FBI stated that its server “will be a dead end,” and that it “will not capture content from the infected computers,” except for the IP address and routing information needed to contact Qakbot victims.

The Qakbot malicious code is being deleted from victim computers, preventing further harm, prosecutors said Tuesday.

FBI’s latest operational takedown in recent years.

The feds removed Chinese hacker backdoors from hacked Microsoft Exchange email servers in 2021 in a first-ever operation. A year later, the FBI shut down a massive botnet used by Russian spies to launch powerful and disruptive cyberattacks to bring networks offline, and earlier this year, it shut down another Russian botnet that had been operating since 2004.

About Chambers

Check Also

The Air Force has abandoned its attempt to install a directed-energy weapon on a fighter jet, marking another failure for airborne lasers

The U.S. military’s most recent endeavor to create an airborne laser weapon, designed to safeguard …