Qakbot malware uninstalled from 700k PCs following successful FBI operation

The infrastructure has been seized, and malware removed from infected Windows devices

FBI seized Qakbot infrastructure and disrupted malware operations

In a monumental effort against cybercrime, the FBI recently announced the dismantling of the Qakbot malware network. The operation, code-named “Operation Duck Hunt,” was carried out in collaboration with law enforcement agencies from France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom.

The FBI successfully identified over 700,000 infected computers globally, with more than 200,000 located in the United States. This operation marks the largest U.S.-led financial and technical disruption of a botnet infrastructure.

Qakbot, also known as Qbot or Pinkslipbot, was first detected in 2008. Initially operating as a banking trojan, it evolved over time into a versatile malware delivery service. The malware infiltrated computers mainly through phishing emails containing malicious links or attachments.

Once installed, it injected itself into the memory of legitimate Windows processes to avoid detection. The botnet, made up of all infected computers, was then used to facilitate various kinds of cybercrime, including ransomware attacks, financial fraud, and data theft.

Through collaborations with ransomware gangs like Conti, ProLock,[1] and REvil, Qakbot operators amassed an estimated $58 million from October 2021 to April 2023. The malware had a particularly devastating impact on various sectors, including healthcare, government agencies, and financial services. Some of the identified victims include a power engineering firm in Illinois, defense manufacturers in Maryland, and a food distribution company in Southern California.

How the FBI disrupted Qakbot

The FBI's countermeasure involved gaining lawful access to Qakbot’s infrastructure and redirecting the malware's traffic to FBI-controlled servers. These servers pushed a specially crafted uninstaller to all infected machines. This action severed the infected computers from the Qakbot network, thereby preventing any further malware installations.

To facilitate this, the FBI mapped out the botnet's server architecture, which was divided into Tier-1, Tier-2, and Tier-3 servers. Using the botnet's encryption keys, the FBI locked Qakbot operators out of their own infrastructure by replacing the existing Qakbot "supernode" modules on the Tier-1 servers with modules controlled by law enforcement.

The FBI then deployed a custom Windows DLL file that issued a shutdown command to the Qakbot malware running on infected devices, effectively neutralizing the threat.[2]

Outcomes and future implications

During the operation, the FBI also seized 52 servers and more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization.[3] This will be redistributed to the victims. In addition, the FBI recovered the stolen credentials of more than 6.5 million victims and shared this information with the Dutch National Police and the “Have I Been Pwned” database.

The operation's success underscores the value of international cooperation in tackling global cybersecurity threats. However, it's important to note that no arrests have been made so far, and there is a possibility that Qakbot operators may attempt to rebuild their infrastructure in the coming months.

The U.S. State Department’s Rewards for Justice program has announced rewards of up to $10 million for information leading to the identification of Qakbot operators, signaling the ongoing nature of this investigation:[4]

Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).

Although no arrests have been made and the operators may try to rebuild their infrastructure, Operation Duck Hunt has dealt a significant blow to one of the longest-running and most harmful botnets. Such results demonstrate that collaborative international efforts can substantially mitigate the impact of cyber threats.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
