October 1, 2023
QakBot Malware

A coordinated law enforcement effort codenamed Operation Duck Hunt has felled QakBot, a notorious Windows malware family that is estimated to have compromised over 700,000 computers globally and facilitated financial fraud as well as ransomware.

To that end, the U.S. Justice Department (DoJ) said the malware is "being deleted from victim computers, preventing it from doing any more harm," adding it seized more than $8.6 million in cryptocurrency in illicit profits.

The cross-border exercise involved the participation of France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., alongside technical assistance from cybersecurity company Zscaler.

The dismantling has been hailed as "the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals." No arrests were announced.

QakBot, also known as QBot and Pinkslipbot, started its life as a banking trojan in 2007 before morphing into a general-purpose Swiss Army knife that acts as a distribution center for malicious code on infected machines, including ransomware, unbeknownst to the victims.

Some of the major ransomware families propagated through QakBot include Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. QakBot administrators are said to have received fees corresponding to approximately $58 million in ransoms paid by victims between October 2021 and April 2023.

"QakBot was a key enabler within the cyber crime ecosystem, facilitating ransomware attacks and other serious threats," Will Lyne, head of cyber intelligence at the U.K.'s National Crime Agency (NCA), said in a statement.

The counteroffensive against QakBot follows a similar takedown of Emotet in October 2020, which has since resurfaced following a major disruption to its backend infrastructure.

Typically distributed via phishing emails, the modular malware also comes fitted with command execution and information harvesting capabilities. It has seen constant updates throughout its lifetime, with the actors (codenamed Gold Lagoon or Mallard Spider) known to take extended breaks each summer before resuming their spamming campaigns.

"The victim computers infected with QakBot malware are part of a botnet (a network of compromised computers), meaning the perpetrators can remotely control all of the infected computers in a coordinated manner," the DoJ said.

The joint effort, according to court documents, enabled access to QakBot infrastructure, thereby making it possible to redirect the botnet traffic to and through servers controlled by the U.S. Federal Bureau of Investigation (FBI) with the ultimate goal of neutralizing the "far-reaching criminal supply chain."

Specifically, the servers instructed the compromised endpoints to download an uninstaller file that is designed to untether the machines from the QakBot botnet, effectively preventing additional payloads from being delivered.

Secureworks Counter Threat Unit (CTU) said it detected the botnet distributing shellcode to infected devices on August 25, 2023, which "unpacks a custom DLL (dynamic-link library) executable that contains code that can cleanly terminate the running QakBot process on the host" via a QPCMD_BOT_SHUTDOWN command.

"The victims [in the U.S.] ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast," FBI Director Christopher Wray said.


QakBot has demonstrated a higher level of complexity over time, rapidly shifting its tactics in response to new security guardrails. For instance, after Microsoft disabled macros by default in all Office applications, it began abusing OneNote files as an infection vector earlier this year.

The sophistication and adaptability are also evident in the operators' ability to weaponize a wide range of file formats (e.g., PDF, HTML, and ZIP) in its attack chains. A majority of QakBot's command-and-control (C2) servers are concentrated in the U.S., the U.K., India, Canada, and France (FR). Its backend infrastructure is located in Russia.

QakBot, like Emotet and IcedID, employs a three-tiered system of servers to control and communicate with the malware installed on infected computers. The primary purpose of the Tier 1 and Tier 2 servers is to forward communications containing encrypted data between QakBot-infected computers and the Tier 3 server, which controls the botnet.

"QakBot is a highly sophisticated banking trojan malware, strategically targeting businesses across different countries," Zscaler researchers noted in an exhaustive analysis published in late July 2023.

"This elusive threat employs multiple file formats and obfuscation methods within its attack chain, enabling it to evade detection from conventional antivirus engines. Through its experimentation with diverse attack chains, it becomes evident that the threat actor behind QakBot is continuously refining its strategies."

QakBot has also been one of the most active malware families in the second quarter of 2023, per HP Wolf Security, leveraging as many as 18 unique attack chains and clocking 56 campaigns over the time period, underscoring the e-crime group's penchant for "quickly permuting their tradecraft to exploit gaps in network defenses."
