A joint law enforcement operation by the US Federal Bureau of Investigation (FBI) code-named Duck Hunt has taken down the QakBot botnet and seized $8.6 million worth of cryptocurrency.
According to The Hacker News, QakBot is a well-known family of Windows malware that is estimated to have compromised more than 700,000 computers globally and facilitated financial fraud and ransomware.
The US Department of Justice (DoJ) said the malware is being removed from victims' computers, preventing any further harm, and that authorities have seized more than $8.6 million in illicit cryptocurrency.
The cross-border operation involved France, Germany, Latvia, Romania, the Netherlands, the UK, and the US, with technical support from cybersecurity company Zscaler. This is the largest US-led technical and financial disruption crackdown on botnet network infrastructure leveraged by cybercriminals, although no arrests have been announced.
QakBot, also known as QBot and Pinkslipbot, began operating as a banking trojan in 2007 before turning into a hub for distributing malicious code, including ransomware, on infected machines. Ransomware families delivered through QakBot include Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. QakBot operators are said to have received approximately $58 million in ransom payments from victims between October 2021 and April 2023.
Usually distributed via a phishing email, this modular malware is equipped with command execution and information-gathering capabilities. QakBot has been updated continuously throughout its existence. The DoJ said these malware-infected computers are part of a botnet, meaning the perpetrator can remotely control all infected computers in a coordinated manner.
According to court documents, the operation gained access to QakBot infrastructure and used it to redirect botnet traffic through servers controlled by the FBI, with the ultimate goal of disrupting the criminals' supply chain. Those servers instructed the compromised computers to download an uninstaller, designed to remove the machines from the QakBot botnet, effectively preventing the delivery of additional malware components.
QakBot has demonstrated greater complexity over time, rapidly changing tactics in response to new security measures. After Microsoft defaulted to disabling macros in all Office applications, the malware began using OneNote files as an infection vector earlier this year.
Sophistication and adaptability also lie in the “weaponization” of multiple file formats such as PDF, HTML, and ZIP in QakBot’s attack chain. The majority of the malware’s command and control servers are concentrated in the US, UK, India, Canada, and France, with the backend infrastructure believed to be located in Russia.
QakBot, like Emotet and IcedID, uses a 3-tier server system to control and communicate with malware installed on infected computers. The primary purpose of the tier 1 and tier 2 servers is to forward communications containing encrypted data between infected machines and the tier 3 servers that control the botnet.
As of mid-June 2023, 853 tier 1 servers have been identified in 63 countries, with tier 2 servers acting as proxies to mask the main control server. Data collected by Abuse.ch shows that all QakBot servers are now offline.
According to HP Wolf Security, QakBot was also one of the most active malware families in Q2/2023, with 18 attack sequences and 56 campaigns. This reflects the trend of the criminal group trying to quickly exploit weaknesses in network defenses for illicit profit.