FBI Dismantles Qakbot Botnet, Preventing Ransomware Attacks

In a significant global law enforcement effort, the FBI, working with international partners, dismantled the Qakbot botnet. The U.S. Department of Justice described the operation, codenamed “Operation Duck Hunt,” as the largest U.S.-led financial and technical disruption of a botnet infrastructure to date.

Qakbot, a long-running banking trojan, gave cybercriminals a foothold on victims’ networks from which they carried out further malicious activity, including deploying ransomware. Over the preceding 18 months alone, Qakbot was linked to more than 40 ransomware attacks and approximately $58 million in ransom payments.

Operation Duck Hunt unfolded as a coordinated effort between the FBI and its global partners, resulting in the seizure of Qakbot’s infrastructure located in both the United States and Europe. The U.S. Department of Justice, in conjunction with the FBI, also announced the confiscation of over $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, with plans to provide restitution to the victims.

The FBI’s operation redirected the botnet’s network traffic to servers under FBI control, which gave the Bureau command of the botnet. Using that access, the FBI had Qakbot-infected machines worldwide download an FBI-designed uninstaller. The uninstaller severed each victim’s computer from the botnet, so the machine could no longer receive further malware through Qakbot.

As of June, the FBI had identified approximately 700,000 devices infected with Qakbot, more than 200,000 of them in the United States. In a press briefing, a senior FBI official said the total number of Qakbot victims was likely in the millions.

Here’s a breakdown of how Operation Duck Hunt was executed:

Operation Details:

To initiate the operation, the FBI obtained access, through an undisclosed web hosting company, to the servers that made up the Qakbot botnet infrastructure, including servers used by the Qakbot administrators themselves. The FBI also secured a court order barring the web host from notifying its customers, the Qakbot administrators among them.

Among the systems accessed were the virtual machines Qakbot’s operators used to test malware samples against popular antivirus products. The FBI also identified Qakbot servers used to run phishing campaigns whose lures were emails referencing former U.S. presidents, a political theme chosen to raise the chance that recipients would open them, along with Qakbot wallets holding stolen cryptocurrency.

The FBI’s comprehensive understanding of the Qakbot botnet’s structure and functionality enabled them to develop a method for identifying infected computers, collecting information about the infections, and effectively isolating them from the Qakbot botnet. This disconnection prevented the Qakbot administrators from further communicating with the compromised machines.
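The article does not say how the FBI identified infected hosts beyond noting that it drew on its knowledge of the botnet’s structure. As an added example (not code from the article or from the operation), here is a defender-side analog: a beacon detector that flags hosts contacting a single destination on the tight, regular cadence the article later attributes to Qakbot check-ins (every one to four minutes). The egress log format, the IP addresses and the thresholds are constructed for illustration.

```python
"""Flag hosts whose outbound connections to a single destination recur on a
tight, regular cadence. Added example (not from the article or the FBI
operation): the egress log format, addresses and thresholds below are
constructed for illustration; the one-to-four-minute window is the check-in
interval the article gives for Qakbot-infected hosts."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress log: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port>".
# 10.0.0.12 -> 203.0.113.7:443 checks in every ~2.5 min with small jitter (the
# pattern we want); 10.0.0.45 browses irregularly; 10.0.0.77 is bursty.
SAMPLE_LOG = """\
2023-08-25T19:00:00 10.0.0.77 203.0.113.7:443
2023-08-25T19:00:05 10.0.0.12 203.0.113.7:443
2023-08-25T19:00:10 10.0.0.45 198.51.100.20:443
2023-08-25T19:00:14 10.0.0.45 198.51.100.20:443
2023-08-25T19:00:52 10.0.0.45 198.51.100.20:443
2023-08-25T19:01:30 10.0.0.77 203.0.113.7:443
2023-08-25T19:02:35 10.0.0.12 203.0.113.7:443
2023-08-25T19:03:00 10.0.0.45 198.51.100.20:443
2023-08-25T19:03:02 10.0.0.45 198.51.100.20:443
2023-08-25T19:04:10 10.0.0.12 198.51.100.20:443
2023-08-25T19:05:27 10.0.0.12 203.0.113.7:443
2023-08-25T19:05:30 10.0.0.77 203.0.113.7:443
2023-08-25T19:06:10 10.0.0.77 203.0.113.7:443
2023-08-25T19:07:48 10.0.0.12 203.0.113.7:443
2023-08-25T19:09:30 10.0.0.77 203.0.113.7:443
2023-08-25T19:10:00 10.0.0.77 203.0.113.7:443
2023-08-25T19:10:31 10.0.0.12 203.0.113.7:443
2023-08-25T19:11:40 10.0.0.45 198.51.100.20:443
2023-08-25T19:11:45 10.0.0.45 198.51.100.20:443
2023-08-25T19:12:30 10.0.0.45 198.51.100.20:443
2023-08-25T19:13:09 10.0.0.12 203.0.113.7:443
2023-08-25T19:14:00 10.0.0.12 198.51.100.20:443
2023-08-25T19:15:38 10.0.0.12 203.0.113.7:443
2023-08-25T19:18:24 10.0.0.12 203.0.113.7:443
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, 'dst_ip:port')."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_gap=60, max_gap=240, max_jitter=0.25, min_hits=5):
    """Return (src, dst) pairs whose median inter-connection gap lies in
    [min_gap, max_gap] seconds and whose jitter (median absolute deviation
    of the gaps, relative to the median gap) is at most max_jitter."""
    by_pair = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst = parse_line(line)
            by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:           # too few events to judge cadence
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if not min_gap <= med <= max_gap:   # outside the check-in window
            continue
        mad = statistics.median([abs(g - med) for g in gaps])
        jitter = mad / med
        if jitter <= max_jitter:            # regular enough to look machine-driven
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "median_gap": med, "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the constructed log this flags only 10.0.0.12 talking to 203.0.113.7:443 (eight connections, median gap 158 s, jitter about 5%). Treat such hits as leads rather than verdicts: legitimate software (update checks, telemetry) also beacons on fixed intervals, so enrich the destination with reputation and ownership data before acting.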

Qakbot employs a network of tiered systems, referred to as Tier 1, Tier 2, and Tier 3, to manage the malware installed on infected computers worldwide. Tier 1 systems, many of which were situated in the United States, were ordinary home or business computers infected with Qakbot, enhanced with a “supernode” module linking them to the botnet’s international control infrastructure. These Tier 1 computers communicated with Tier 2 systems, which acted as proxies to conceal the main Tier 3 command and control server, used by the administrators to issue encrypted commands to the infected machines.

With access to these systems and to Qakbot’s encryption keys, the FBI could decrypt and understand the commands flowing through the botnet. It then instructed the Tier 1 “supernode” computers to replace their supernode module with one developed by the FBI, which contained new encryption keys and so locked the Qakbot administrators out of their own infrastructure.

The process unfolded as follows:

On August 25 at 7:27 p.m. Washington, DC time, the FBI began delivering its module.
The FBI directed the Tier 1 computers to communicate with a server under its control instead of Qakbot’s Tier 2 servers.
Every one to four minutes, when a Qakbot-infected computer checked in with what it believed were its servers, it reached the FBI’s server instead.
The FBI’s server then instructed the infected computer to download an uninstaller that removed the Qakbot malware. The FBI later uploaded this uninstaller to VirusTotal, the online file-scanning service operated by Google, so that it could be examined.
The uninstaller removed Qakbot only; it did not remove other malware that Qakbot had already delivered to the machine, so affected organizations still need to hunt for those payloads. It did stop the machine from receiving further malware through Qakbot.
The FBI stated that its server captured no content from infected computers beyond their IP addresses and associated routing information, which it would use to notify Qakbot victims.
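The steps above, replayed as an added model (not code from the article and not Qakbot’s real protocol): a bot that acts only on commands authenticated under the key held in its supernode module, an operator C2, and a sinkhole. HMAC-SHA256 stands in for the “encryption keys” the article mentions, and the message format, hostnames and addresses are assumptions. Swapping the module swaps both the trusted key and the check-in address, which locks out the original operators and sends the next check-in to the sinkhole, which answers with an uninstall command and records only the bot’s address; payloads Qakbot delivered earlier are left in place, as the article notes.

```python
"""Model of the takedown sequence. Added illustration, not Qakbot's protocol:
HMAC-SHA256 stands in for the article's "encryption keys"; message format,
hostnames and addresses are made up."""
import hashlib
import hmac
import json


def sign(key: bytes, cmd: dict) -> dict:
    """Authenticate a command (assumed format: JSON body plus HMAC tag)."""
    body = json.dumps(cmd, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify(key: bytes, msg: dict):
    """Return the command if its tag verifies under key, otherwise None."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return None
    return json.loads(msg["body"])


class Bot:
    """An infected Tier 1 host; its module holds the key it trusts and the
    address it checks in to."""

    def __init__(self, ip: str, key: bytes, c2: str):
        self.ip = ip
        self.module = {"key": key, "c2": c2}
        self.installed = True
        # Delivered earlier through Qakbot; the uninstaller does not touch it.
        self.other_payloads = ["ransomware-dropper"]

    def check_in(self, servers: dict) -> str:
        """One periodic check-in: contact the configured server, act on reply."""
        if not self.installed:
            return "inactive"
        return self.handle(servers[self.module["c2"]].handle(self.ip))

    def handle(self, msg: dict) -> str:
        cmd = verify(self.module["key"], msg)
        if cmd is None:
            return "rejected"            # wrong key: command ignored
        if cmd["op"] == "replace_module":
            self.module = {"key": bytes.fromhex(cmd["key"]), "c2": cmd["c2"]}
            return "module_replaced"
        if cmd["op"] == "uninstall":
            self.installed = False       # Qakbot removed; other_payloads remain
            return "uninstalled"
        if cmd["op"] == "run":
            self.other_payloads.append(cmd["payload"])
            return "ran"
        return "unknown"


class OperatorC2:
    """The administrators' command server as reached through a Tier 2 proxy."""
    def __init__(self, key: bytes):
        self.key = key

    def handle(self, ip: str) -> dict:
        return sign(self.key, {"op": "run", "payload": "loader"})


class Sinkhole:
    """Law-enforcement server: records only the address, serves the uninstaller."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = []

    def handle(self, ip: str) -> dict:
        self.seen.append(ip)
        return sign(self.key, {"op": "uninstall"})


def run_takedown():
    """Replay the sequence; returns (event log, bot, sinkhole) for inspection."""
    op_key, fbi_key = b"operator-key", b"fbi-key"       # assumed keys
    servers = {"tier2.example": OperatorC2(op_key),
               "sinkhole.example": Sinkhole(fbi_key)}
    bot = Bot("192.0.2.10", op_key, "tier2.example")
    log = [bot.check_in(servers)]                        # operators still in control
    # Using the recovered operator key, push a replacement module that trusts
    # the new key and checks in to the sinkhole (delivered directly here, as a
    # stand-in for the supernode module update the article describes).
    swap = sign(op_key, {"op": "replace_module",
                         "key": fbi_key.hex(), "c2": "sinkhole.example"})
    log.append(bot.handle(swap))
    # The operators' commands no longer verify: they are locked out.
    log.append(bot.handle(servers["tier2.example"].handle(bot.ip)))
    # The next check-in reaches the sinkhole, which answers with the uninstaller.
    log.append(bot.check_in(servers))
    log.append(bot.check_in(servers))                    # nothing left to check in
    return log, bot, servers["sinkhole.example"]


if __name__ == "__main__":
    events, bot, sink = run_takedown()
    print(events, bot.other_payloads, sink.seen)
```

Running it yields the event sequence ran, module_replaced, rejected, uninstalled, inactive: the operators’ command is accepted before the swap and rejected after it, the sinkhole sees exactly one address, and the earlier “ransomware-dropper” payload survives the uninstall, which is why a post-takedown cleanup still has to look beyond Qakbot itself.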

This operation adds to a series of court-authorized FBI takedowns in recent years. In earlier operations, the FBI removed backdoors (web shells) that Chinese state hackers had planted on compromised Microsoft Exchange email servers, and disrupted botnets operated by Russian intelligence services that had been used to launch damaging cyberattacks.