FBI-Led Operation Duck Hunt Shuts Down QakBot Malware

Written by

The FBI has led a multinational law enforcement operation that has successfully dismantled QakBot, a leading malware loader used by cybercriminals to deploy ransomware.

As part of Operation Duck Hunt, the FBI gained access to QakBot’s admin computers, which helped law enforcement map out the server infrastructure used in the botnet's operation.

It then seized 52 servers, which it said would “permanently dismantle” the botnet, and redirected QakBot’s traffic to servers controlled by the Bureau, pointing victims to download an uninstaller.

In an announcement, the US Department of Justice (DoJ) said the FBI had identified more than 700,000 infected computers worldwide, including more than 200,000 in the US.

The DoJ also announced it seized over $8.6m in cryptocurrency from the QakBot cybercriminal organization. This money will be returned to the victims.

Largest US-Led Dismantling Operation of a Cybercriminal’s Botnet Infrastructure

The operation was carried out in partnership with law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia and the UK. The technical partners also include the US Cybersecurity and Infrastructure Security Agency (CISA), Shadowserver, Microsoft Digital Crimes Unit, and the National Cyber Forensics and Training Alliance (NCFTA). Have I Been Pwned and Zscaler also stepped in to aid in victim notification and remediation. 

It is described as “the largest US-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.”

Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, said in a statement: “The Operation ‘Duck Hunt’ Team utilized their expertise in science and technology, but also relied on their ingenuity and passion to identify and cripple QakBot, a highly structured and multi-layered bot network that was literally feeding the global cybercrime supply chain. These actions will prevent an untold number of cyberattacks at all levels, from the compromised personal computer to a catastrophic attack on our critical infrastructure."

QakBot, Top Malware Loader in 2023

QakBot, also known as Quackbot, QBot and Pinkslipbot, started as a banking trojan in 2008 used to steal banking credentials, website cookies, and credit cards to conduct financial fraud.

Over time, it evolved into a malware delivery service utilized by other threat actors to gain initial access to networks for conducting ransomware attacks, data theft, and other malicious cyber activities.

It primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks. Once it has infected a victim's computer, QakBot can deliver additional malware, including ransomware, to the infected computer. The ransomware actors then extort their victims, seeking ransom payments in bitcoin before returning access to the victim's computer networks.

It has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and BlackBasta.

QakBot was recently identified as the top malware loader used in the first half of 2023 by both HP Wolf and ReliaQuest.

Operation Duck Hunt investigators have found evidence that, between October 2021 and April 2023, QakBot administrators received fees corresponding to approximately $58m in ransoms paid by victims.

The scope of this law enforcement action was limited to information installed on the victim's computers by the QakBot actors. It did not extend to remediating other malware already installed on the victim computers and did not involve access to or modification of the information of the owners and users of the infected computers.

Praised from the Cybersecurity Community

Many cybersecurity professionals across the world lauded the operation.

Don Smith, VP of threat intelligence at the Secureworks Counter Threat Unit (CTU) – which observed 10000 infected machines in 153 countries connected to the QakBot botnet servers – said the removal of this “significant adversary’s [infrastructure] is to be welcomed.”

Roger Grimes, data-driven defense evangelist at cyber awareness training firm KnowBe4, called it “wonderful news” and praised the FBI for being able to not only take down the QakBot infrastructure but also remove it from infected computers.

“This sort of proactive cleaning up used to be rare and often contested, even by many cybersecurity experts. If not done correctly, the removal could go badly wrong. There have been many instances, before the FBI got involved, where well-meaning people trying to do proactive clean-up made the situation worse. But the FBI and its technical partners appear to be doing the clean-up right, with minimal legitimate operational impact. I'm glad the FBI and its partners have decided proactive clean-up was worth the risk. It improves not only the lives of the exploited people and organizations who have QakBot installed, but the next innocent victims,” he said.

Jess Parnell, VP of security operations at Centripetal, said the operation showed “that no cyber threat is too small to pay attention to. Some might think that a simple spam email or SMS message is harmless, but as we are constantly seeing organizations all over the globe are getting hit daily by major cyber-attacks that are oftentimes disguised as something else. The dismantling of the QakBot infrastructure serves as a stark reminder that cyber threats are persistent and evolving.”

What’s hot on Infosecurity Magazine?