The U.S. Federal Bureau of Investigation (FBI) and the U.S. Department of Justice have recently announced that the QakBot malware network has been successfully dismantled and around 700,000 computers that had been infected with the malware have been cleaned.
QakBot (aka QBot/Quackbot/Pinkslipbot) is a second-stage modular malware that was initially a banking Trojan and an information stealer, to which backdoor and self-propagation capabilities were added. The malware was first identified in 2008 and has seen several updates over the past 15 years, with usage significantly increasing since its 2015 update. The malware is capable of stealing financial data, locally stored emails, credentials, and cookies and was also used to deliver other malware payloads, including ransomware strains such as REvil and LockBit. QakBot was the initial access vector in many ransomware attacks, including the attack on the U.S. food production company JBS in May 2021. In the past 15 years, QakBot caused losses of hundreds of millions of dollars for individuals and businesses.
QakBot was primarily distributed via phishing emails containing malicious links and attachments. If the link was clicked or the attachment was opened, QakBot was delivered and the device was added to a botnet. At the time of the takedown, the botnet included around 700,000 devices, 200,000 of which were located in the United States. On August 29, 2023, the FBI and the U.S. Department of Justice announced the successful disruption and dismantling of the QakBot botnet as part of an international law enforcement operation dubbed Operation Duck Hunt, with assistance provided by partner agencies in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. The FBI claims this was one of the largest U.S.-led disruptions of botnet infrastructure in history.
“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” said FBI Director Christopher Wray. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”
The operation involved redirecting QakBot traffic to FBI-controlled servers, which instructed the infected computers to download and execute an uninstaller file which removed the malware and prevented the installation of any additional malware. The FBI also provided the credentials that were found during the operation to the Have I Been Pwned service, so users can check to see if their credentials were stolen by the botnet operators.
While the takedown and dismantling of the botnet is certainly great news, this could only spell a temporary hiatus to QakBot operations as the announcement makes no mention of any arrests. Since the operators of the botnet remain at large and no doubt retain the source code of the malware they could simply rebuild their operation, and even if they don’t, they remain free to continue their malicious activities in whatever form they see fit.