FBI's QakBot Takedown Raises Questions: 'Dismantled' or Just a Temporary Setback?

Written by

The FBI declared a resounding victory in its battle against the notorious QakBot, a 15-year-old bank Trojan that evolved into a favored weapon for ransomware gangs. Under Operation Duck Hunt, the takedown formed part of the largest multinational law enforcement operation against cybercrime.

While the cybersecurity community has generally praised Operation Duck Hunt, voices quickly started to doubt the real impact of the takedown.

Vx-underground, a malware source code collection whose account on X (formerly Twitter) is followed by over 225,000 people, posted on August 31: “Unpopular opinion: While the FBI has successfully 'dismantled' QakBot, the reality of the situation is that the individuals behind this group have not been arrested and still maintain the source code. It has substantially damaged their operations, but they will come back.”

This position is shared by several security researchers, who have been tracking QakBot (aka QBot, Quackbot and Pinkslipbot) for many years.

Operation Duck Hunt, a Success? Absolutely, But…

Despite some skepticism emerging, almost all cybersecurity professionals who have commented on the law enforcement operation hailed it a success.

On X, Vx-underground later clarified that the operation “was a devastating blow to QakBots operations.”

Speaking with Infosecurity, Don Smith, VP of threat intelligence at the Secureworks Counter Threat Unit (CTU), said the removal of this significant adversary’s infrastructure “is to be welcomed.”

Global heatmap of QakBot detection in the first quarter of 2023. Source: Trellix
Global heatmap of QakBot detection in the first quarter of 2023. Source: Trellix

Roger Grimes, a data-driven defense evangelist at cyber awareness training firm KnowBe4, called it “wonderful news” and praised the FBI for not only taking down the QakBot infrastructure but also removing it from infected computers.

“This sort of proactive cleaning up used to be rare and often contested, even by many cybersecurity experts. If not done correctly, the removal could go badly wrong. […] I'm glad the FBI and its partners have decided proactive clean-up was worth the risk. It improves not only the lives of the exploited people and organizations with QakBot installed, but the next innocent victims,” he told Infosecurity.

"Without arrests, the human capability of the botnet remains."Alex Holland, HP Wolf

Ricardo Villadiego, CEO of cybersecurity firm Lumu, was impressed by the scale of the operation however he criticized the timeline.

“It took a lot of time to manage this kind of breakthrough initiative. QakBot started out in 2008 as a banking Trojan, then added credential harvesting capabilities, then powerful evasion features, which made it the top malware loader in the ransomware economy over the past two years. I would like this kind of operation to happen months, if not weeks, after such malicious software appears, not years.”

A second caveat to the operation’s success is that no one was arrested.

Villadiego told Infosecurity, “I’m really happy that the FBI is now focusing heavily on taking down cybercriminals’ infrastructure, and I understand that arresting cybercriminals is difficult, if not impossible, as most of them are located in countries out of the Bureau’s reach. Nevertheless, it’s very probable that the people behind QakBot will thus continue their malicious activities in other shapes or forms.”

Alex Holland, a senior malware analyst at HP Wolf Security, agreed. “As there have been no arrests, there’s little to stop those behind it from setting up a new botnet. Given QakBot’s size, it’s likely there were many people involved in developing and running it. Without arrests, the human capability of the botnet remains.”

This is a trend we are beginning to see following the collapse of cybercriminal enterprises. For example, BlackBasta, a ransomware group that has used the QakBot malware loader the most over the last few months, is recognized by the cybersecurity community as being composed of former members of the Conti group. The Conti gang itself had imploded in 2022 following the outbreak of the war in Ukraine and a massive leak of the members’ communications.

QakBot’s Infrastructure, Fully Dismantled? Not Quite

Another concern is whether the FBI and its partners took down the entirety of the QakBot infrastructure or just a part of it.

According to Chris Morgan, a senior cyber threat intelligence analyst on the ReliaQuest Threat Research Team, while the FBI revealed they took down 52 QakBot servers there are still many unknowns.

“As is usually the case with this sort of operation, it’s not quite clear whether the 52 servers represent the whole QakBot infrastructure. I think the idea is to report on how successful the operation has been, but not necessarily overshare on the details,” he said.

Lumu’s Villadiego is convinced the FBI only took down a part of the QakBot infrastructure.

Meanwhile, Yelisey Bohuslavskiy, a partner at threat prevention provider Red Sense, explained on LinkedIn why he thinks Operation Duck Hunt only took down the infrastructure of the QakBot loader but not necessarily of QakBot the Trojan.

“QBot was developed as a trojan malware but later transitioned into a loader-as-a-service (LaaS). By late 2020, amidst the surge of ransomware, this LaaS function took precedence, propelling QBot to a leading position in the botnet ecosystem, allying them with REvil, Conti, and many others. Yet, its crimeware trojan functionality persisted. From details about the ‘Duck Hunt’ operation, it seems the segment of QBot's infrastructure taken down was QB-crimeware rather than the ransomware/LaaS component.”

Three elements revealed about Operation Duck Hunt made him draw this conclusion:

  • The 700,00 infected devices reported by the FBI is a relatively low count for a LaaS, according to Bohuslavskiy. For perspective, Emotet, at its peak in 2022, reported nearly double that number, and close to 10 million during its most active phases. At the same time, 700,000 is an impressive count for a trojan-based operation.”
  • The dominance of non-US infections – only 200,00 of the 700,000 victims identified by the FBI were located in the US – is more typical of trojans than LaaS operations.
  • The confiscated $8.6 million in cryptocurrency aligns more with the scale of crimeware than the LaaS/Ransomware operations, which usually deal with much larger sums, according to Bohuslavskiy.

In total, Operation Duck Hunt investigators have found evidence that, between October 2021 and April 2023, victims paid QakBot administrators approximately $58m in ransoms.

A Decrease in Ransomware Activity? Maybe in the Short Term

Given the prominence of the QakBot malware loader over the past few months, Villadiego, Holland and Morgan believe the operation will likely result in a short-term drop in ransomware activity.

QakBot infection rate. Source: Trellix
QakBot infection rate. Source: Trellix

“QBot is used by a number of really high-profile ransomware groups as a primary method of getting on to targeted networks, so I think it will have a significant short-term impact in the next one to three months of those groups’ activity,” ReliaQuest’s Morgan said.

However, he added that this outcome would also depend on how key the infrastructure taken down was for QakBot. “If the infrastructure hasn’t been totally taken down, there is a possibility that we actually see an uptick in activity from QBot.”

"It's unlikely this is the last we will see of QakBot."Alex Holland, HP Wolf

The experts are also confident that ransomware groups favoring QakBot will find another way to conduct business, either by moving on to another malware loader or another method for gaining initial access.

“Email spam is one of the top ways threat actors access networks in human-operated ransomware attacks. But there are other means of compromising systems, like exploiting vulnerabilities in Internet-facing software and compromising remote access services,” Holland said.

Once again, the case of Emotet is instructive.

“After law enforcement disrupted the Emotet botnet in January 2021, a gap was left in the cybercrime market for delivering other people’s malware at scale. QakBot grew to meet this demand, becoming the most popular loader. It’s likely we will see a similar dynamic play out here. If so, there will be a lull in activity, followed by the emergence of other loaders competing to meet the demand left by QakBot,” explained Holland.

The End of QakBot? Not Yet

Lumu was still observing activity linked with the QakBot infrastructure, Villadiego told Infosecurity at the time of writing. It is not yet clear if this is because there are still victims who are yet to download the uninstaller provided by the FBI.  

“It’s too early to draw conclusions at this point; we will start to have more precise answers from the end of 2023,” he said.

However, he and other cybersecurity experts who spoke with Infosecurity agreed with Vx-Underground that, however successful, the law enforcement operation did not put an end to QakBot administrators’ activities.

“Although I need to call out how successful the operation has been, I would certainly not go as far as saying it’s the end of QakBot,” Morgan admitted.

“It’s unlikely this is the last we will see of QakBot, but it is a massive blow to their operations,” Holland confirmed.

Features in the QakBot malware loader could be reused, either because some of the actors using QakBot will repurpose and combine them with other loaders’ functionalities or because the QakBot makers will sell parts of their source code.

Read more: Emotet Disrupted Through Global Action

Also, Villadiego insisted that people with devices infected with QakBot, even the ones who downloaded the FBI uninstaller, could still be vulnerable.

“First, QakBot included the capability to self-propagate, meaning the malicious code could be hidden in other parts of a victim’s network,” he explained. “Second, as a malware loader, QakBot was primarily used to install other pieces of malicious software, which the uninstaller will not remove. Victims must conduct comprehensive forensic work to ensure their network has not already been compromised by a dormant piece of ransomware, for instance.”

As for the people behind QakBot, although they are still in the wild, Holland is hopeful that Operation Duck Hunt may lead to their arrests in the future because of the trove of evidence collected during the operation.

What’s hot on Infosecurity Magazine?