FBI-led Operation Duck Hunt shoots down Qakbot
Totally plucked: Agents remotely roast Windows botnet malware on victims' machines
Uncle Sam today said an international law enforcement effort dismantled Qakbot, aka QBot, a notorious botnet and malware loader responsible for losses totaling hundreds of millions of dollars worldwide, and seized more than $8.6 million in illicit cryptocurrency.
In a Tuesday press conference announcing the take down, US Attorney Martin Estrada called the FBI-led Operation Duck Hunt "the most significant technological and financial operation ever led by the Department of Justice against a botnet." For one thing, the Feds produced some software to drop onto Qbot-infected machines to render the malware ineffective.
With an assist from France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, law enforcement over the past three days seized 52 servers in the US and abroad used to maintain the QBot network, "preventing Qakbot from resurrecting to cause further additional harm," Estrada said.
Qakbot is a classic bit of Windows botnet malware: its operators trick people – usually via email attachments or malicious Microsoft Office documents – into downloading and running the software, which can fetch and execute additional payloads from outside servers, and communicates with remote servers to get its instructions to carry out. It is a Swiss Army knife of malicious code: it can be used to backdoor infected computers, steal their passwords and monitor keystrokes, siphon funds from online bank accounts, and more.
Its malware loader functionality has been around since at least 2008, has had significant upgrades since then, and has been used to bring ransomware payloads into infected networks. According to Estrada, roughly 40 infections of extortionware via Qbot have been observed in the past 18 months.
"These ransomware attacks have cost businesses and government entities approximately $58 million in losses," he added. "You can imagine that the losses have been many millions more throughout the life of the Qakbot."
As part of the take-down operation, the Feds identified more than 700,000 infected computers worldwide, including some 200,000 in America. Then, beginning on August 21, the FBI obtained court orders allowing it to redirect Qakbot traffic to agent-controlled servers, and remotely disabled the malware on victims' machines.
The first court order [PDF], which was granted on August 21, allowed law enforcement to search US-based machines and seize or copy encryption keys, server lists, IP addresses, and routing information used by the Qakbot administrators, and also drop a file containing FBI-developed software on these computers to uninstall the malware.
"The file will provide the victim computers with new instructions that will untether them from the Qakbot botnet and prevent the Qakbot administrators from further communicating with the infected computers," according to court documents [PDF].
The software also gave the FBI "the ability to gather evidence about the malware infection, and to collect IP address and routing information sufficient to identify the victim computer and provide notification to the user of the computer about the remote search authorized by the proposed warrant."
The scope was limited to information installed on the victim computers by the Qakbot operators, and did not remediate any other malware on the devices, nor grant the Feds access to other information on compromised computers, according to the US Dept of Justice.
Two days later, on August 23, a court granted a second request [PDF] that allowed law enforcement to search computers assigned specific IP addresses and maintained by a specific provider. The IP addresses and provider name have been redacted in the court documents.
This second warrant required the provider to turn over a ton of data linked to those specific IP addresses, including communications with the computers using those addresses; images of those computers' file systems; and relevant customer information and logs.
This warrant also demanded information related to the use of malware and other means to gain unauthorized computer access, the results of said access, information related to victims, potential victims, and wiretapping, and anything related to cryptocurrency wallets, payments, and money laundering efforts.
- Malware loader lowdown: The big 3 responsible for 80% of attacks so far this year
- Qbot malware adapts to live another day … and another …
- FBI: Who was going around hijacking Barracuda email boxes? China, probably
- 288 arrested in multinational Monopoly Market takedown
And finally, a third order [PDF] allowed law enforcement to seize 20 crypto-coin wallets linked to the Qbot empire.
In addition to seizing $8.6 million in ransomware payments, Operation Duck Hunt also seized 6.5 million credentials that Qakbot operators had also stolen from victims in the US, and "our international partners are identifying many millions more," Estrada said.
Law enforcement is notifying victims of the credential harvesting, and working with folks to help them recover funds stolen by the crooks.
"We believe that this will effectively put Qakbot criminal groups out of business," said Donald Alway, assistant director in charge of the FBI's Los Angeles field office.
The US law enforcement agencies declined to identify any specific individuals behind the Qakbot infrastructure, citing the ongoing investigation, and has yet to make any arrests related to the botnet. ®