October 3, 2023

A multinational action called Operation “Duck Hunt” — led by the FBI, the DOJ, the National Cybersecurity Alliance, Europol, and crime officials in France, Germany, the Netherlands, Romania, Latvia and the U.K. — gained access to the Qakbot network and shut down the malicious botnet, which has affected 700,000 computers worldwide.

Qakbot has launched some 40 worldwide ransomware attacks focused on companies, governments, and healthcare operations, affecting some 700,000 computers in its 15-year lifetime. Like almost all ransomware attacks, Qakbot reached victims through spam emails with malicious links. The DOJ noted that over just the past year and a half, Qakbot has caused nearly $58 million in damages. As part of the action against Qakbot, the DOJ seized approximately $8.6 million in cryptocurrency representing illicit profits.


According to the DOJ, the action represented the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud and other cyber-enabled criminal activities.

The FBI said that, as part of the operation, it gained access to Qakbot’s infrastructure and identified hundreds of thousands of infected computers worldwide, including more than 200,000 in the U.S. As part of the action, the Bureau redirected Qakbot traffic to its own servers, which instructed infected computers to download an uninstaller file. The uninstaller was able to detach the infected computers from the botnet and prevent any other malware from being installed on them.

The DOJ said it received technical assistance from Zscaler and that the FBI partnered with CISA, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber-Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation.

The Qakbot botnet is operated by a cybercrime group that Symantec calls Batbug, which the software company said controls a lucrative malware distribution network linked to a number of major ransomware groups. According to the DOJ, these ransomware groups include Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.


Researchers noted a surge in Qakbot activity from the beginning of 2023 through June, a period during which the botnet began using Microsoft OneNote attachments to drop Qakbot on infected machines.

Emails delivering Qakbot contained an embedded URL that led to a ZIP archive containing the malicious OneNote file. When victims clicked on the file, they would inadvertently execute an HTML application file, which downloaded a Qakbot DLL to the victim’s computer as a .png file. Researchers added that this kill chain disappeared, and attackers switched to PDF documents leading to URLs with malicious ZIP archives containing JavaScript downloaders.
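Because the DLL in this chain was saved with a .png extension, one defensive check is to compare a file's extension with its actual header. The following is an added example, not code from the article or from any of the organizations it names; the function names, file names and sample bytes are constructed for illustration.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that marks a DLL


def pe_kind(data: bytes):
    """Return 'dll' or 'exe' if data starts with valid PE headers, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    # e_lfanew (offset 0x3C in the DOS header) points at the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics is the last 2 bytes of the 20-byte COFF header.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def check_file(name: str, data: bytes):
    """Return a finding if an image-named file is really a PE, else None."""
    if not name.lower().endswith(IMAGE_EXTS):
        return None
    kind = pe_kind(data)
    if kind:
        return f"{name}: image extension but content is a PE {kind}"
    return None


def make_pe_stub(dll: bool) -> bytes:
    """Constructed sample: PE headers only, no sections and no code."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    chars = 0x2102 if dll else 0x0102
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    samples = {  # constructed file names and contents
        "invoice.png": make_pe_stub(dll=True),
        "photo.png": PNG_MAGIC + b"\0" * 100,
        "helper.dll": make_pe_stub(dll=True),
    }
    for name, data in samples.items():
        print(check_file(name, data) or f"{name}: no mismatch")
```
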

Will Qakbot reappear after some retooling to sidestep new defenses? The creators of these botnets are often highly skilled, and we have seen botnets return from the grave, often with modifications.
