Used by Cybercriminals — Why Are Several Countries Collaborating to Take Down Malicious ‘Qakbot’?


Qakbot has afflicted numerous countries in recent years, emerging as one of the most damaging pieces of malicious software. Those efforts were recently rewarded: on August 29, 2023, U.S. authorities announced that an international law enforcement operation had succeeded in taking down the notorious Qakbot malware platform, widely used by cybercriminals in financial crimes.

The U.S. Department of Justice stated in a press release that the operation, named Operation Duck Hunt, involved collaboration with the Federal Bureau of Investigation and various countries, including France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia.

This malicious platform, which typically spread its malware to victims through email messages, was first discovered over a decade ago and was responsible for losses exceeding $58 million.

Security researchers believe Qakbot initially originated in Russia and targeted organizations worldwide, from Germany to Argentina.

The program is thought to have been used to create botnets, which are interconnected networks of compromised computers used by hackers to disseminate viruses.

This is not the first criminal platform to be taken down through global cooperation.

In April 2023, multiple law enforcement agencies worldwide conducted a series of raids against the Genesis Market platform, resulting in the arrest of 120 individuals across different countries during 200 search and seizure operations.

The closure of the Genesis Market platform, which was one of the most dangerous underground markets for selling user data, was a significant blow to cybercriminals in the virtual world. Europol reported that this platform had exposed the identities of over two million people for sale at the time of its takedown.

Cybersecurity experts have warned that cybercriminals in the virtual world are using increasingly cunning tactics to steal users’ personal data, as reported by Daily Mail.


What is Qakbot?

Qakbot is a malicious program with sophisticated capabilities, originally designed as a tool for stealing credentials. In 2021, it was classified as a “banking Trojan” that steals sensitive data and attempts to self-propagate to other systems remotely.

Since its creation in 2008, the Qakbot platform has been used in ransomware attacks and other cybercrimes that resulted in hundreds of millions of dollars in losses for individuals and companies in the United States and beyond, according to technical reports.

It was updated by cybercriminals between 2019 and 2022, and it typically relied on sending suspicious email messages to victims to spread its malicious software.

A report by Cybereason explains that the widely distributed ransomware variant surfaced in force in its new version in April 2022, targeting companies in the United States first, followed by Canada, the United Kingdom, Australia, and New Zealand.

The group, known for employing double extortion tactics, steals sensitive files and information from victims and later uses this data to extort them by threatening to publish it unless a ransom is paid.

Their operation revolves around the banking Trojan model: establishing an initial foothold by infiltrating devices, then moving laterally within an enterprise’s network to steal victims’ financial data. The victims include government bodies.

The malicious Qakbot software typically infiltrates its victims through deceptive email messages containing malicious links.

It has also been discovered embedded in images or files that, when opened, install the program and then download other malicious software, such as ransomware.

A report published by The Register on August 29, 2023, explains the method of infiltration: Qakbot operates as a malicious bot that infiltrates the Windows operating system, deceiving users with email attachments or malicious Microsoft documents that download and execute the program.

Despite Microsoft patching these vulnerabilities, Qakbot developers managed to find new ones, as reported by CrowdStrike on March 17, 2023.

In a later stage, this malicious program can reach other external servers and communicate with remote servers to execute commands. Through this code, it gains access to infected computers, stealing passwords and withdrawing funds from online banking accounts.

The website quoted Donald Alway, Assistant Director in Charge of the Federal Bureau of Investigation’s Los Angeles Field Office, saying that after the recent blow to this malicious program, “We believe that this will effectively put Qakbot criminal groups out of business.”


Duck Hunt

Christopher A. Wray, the director of the FBI, announced with a smile the dismantling of the infrastructure of one of the most damaging pieces of malicious software, Qakbot.

He explained that the bot software, whose name its creators jokingly chose to resemble the sound made by a duck, was taken down in a serious operation conducted by the FBI in collaboration with local and international partners across multiple countries.

As part of the operation, the FBI gained access to the infrastructure of this malicious software, which resided on over 700,000 infected computers worldwide, including 200,000 in the United States.

To disable the malicious software, the FBI redirected control of the botnet to FBI-controlled servers.

From there, the FBI issued instructions through those servers to remove the software, using a separate tool designed to detect it and prevent it from being installed again.

On August 29, 2023, the technical site KrebsOnSecurity reported that it seemed as though the FBI was hacking the hackers.

The site quoted Martin Estrada, the U.S. Attorney for the Southern District of California, as saying during a press conference in Los Angeles, “This is the most significant technological and financial operation ever led by the Department of Justice against a botnet.”

Estrada revealed that Qakbot had been involved in 40 different ransomware attacks over the past 18 months, resulting in a collective loss of over $58 million for the victims.

Researchers at AT&T Alien Labs reported that the operators behind Qakbot had rented the software to various groups of internet criminals over the years.

Recently, Qakbot had been closely linked to ransomware attacks by Black Basta, a major Russian criminal group believed to have split from the Conti ransomware gang in early 2022.

“The FBI led a worldwide joint, sequenced operation that crippled one of the longest-running cybercriminal botnets,” said FBI Director Christopher Wray. “With our federal and international partners, we will continue to systematically target every part of cybercriminal organizations, their facilitators, and their money — including by disrupting and dismantling their ability to use illicit infrastructure to attack us. Today’s success is yet another demonstration of how FBI’s capabilities and strategy are hitting cyber criminals hard, and making the American people safer.”

As part of the operation, various agencies seized 52 servers in the United States and abroad.

This action against hackers came after Meta revealed connections between Chinese law enforcement agencies and a long-running, largely ineffective pro-China propaganda campaign that relied on spam messages.

The company, which owns platforms like Facebook, WhatsApp, and Instagram, stated that it had deleted approximately 7,700 accounts linked to the campaign, which had been active since 2018.

The network engaged in bursts of activity over the years, pushing positive narratives about China and negative comments about the United States and Western foreign policies and critics of the Chinese government.

The account groups were operated from different regions in China, but they shared the same digital infrastructure and appeared to follow regular working patterns, including lunch and dinner breaks on Beijing time.

This isn’t the first time that the U.S. government has used court orders to remotely cleanse compromised systems of malware.

In April 2022, the Department of Justice quietly removed malware from computers infected with the Snake malware worldwide.

Snake is an older strain of malicious software believed to be operated by an intelligence arm of the Russian military, according to KrebsOnSecurity.