Operation Duck Hunt bags Qakbot.
N2K logoAug 29, 2023

A multinational law enforcement action dismantled the criminal infrastructure that sustained Qakbot.

Operation Duck Hunt bags Qakbot.

Today the US Justice Department announced the takedown of the Qakbot botnet. Led by the US FBI, it was a multinational action with participation by France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. The basic approach the agencies followed was first, to obtain lawful access to the infrastructure and redirect traffic to servers the Bureau controlled. Any computer redirected to the server received an uninstaller file that removed the Qakbot malware.

Qakbot served many criminal masters...

The US Attorney for the Central District of California explained Qakbot's place in the criminal economy. "According to court documents, Qakbot, also known by various other names, including 'Qbot' and 'Pinkslipbot,' is controlled by a cybercriminal organization and used to target critical industries worldwide. The Qakbot malware primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks. Once it has infected a victim computer, Qakbot can deliver additional malware, including ransomware, to the infected computer. Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The ransomware actors then extort their victims, seeking ransom payments in bitcoin before returning access to the victim computer networks."

FBI Director Wray commented, "This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe."

Don Smith, VP of Threat Intelligence at the Secureworks Counter Threat Unit (CTU), concurred with that assessment. “Qakbot was a significant adversary that represented a serious threat to businesses around the world. Engineered for eCrime, Qakbot infections led to the deployment of some of the most sophisticated and damaging ransomware. Qakbot has evolved over the years to become a flexible part of the criminal’s arsenal. Its removal is to be welcomed.”

...but Qakbot amounted to privateers' infrastructure.

Qakbot's operators are based in Russia. That explains the lack of arrests in this case, and it also explains why Qakbot was able to operate with impunity. It was tolerated and probably enabled by the Russian authorities. Cooperation with criminal organizations is commonplace among Russian security and intelligence services. They're left free to operate as long as the victims aren't Russian, or as long as their crimes abroad don't harm Russian interests.

SecureWorks researchers call the group that operated Qakbot "the financially motivated GOLD LAGOON threat group." The botnet malware itself has been in action since 2007. It has a modular structure that supports a variety of activities, but it's been especially useful for ransomware attacks. They watched the FBI-led takedown in realtime. "At 11:27 UTC on August 25, CTU(TM) researchers detected the Qakbot botnet distributing shellcode to infected devices. The shellcode unpacks a custom DLL (dynamic link library) executable that contains code that can cleanly terminate the running Qakbot process on the host. The DLL uses a clever method that involves sending a QPCMD_BOT_SHUTDOWN instruction via a named pipe that Qakbot uses to send and receive messages between processes on the host. Qakbot pipe names are generated using a pseudorandom algorithm that the DLL uses to generate the correct name for the system it is running on. The DLL then calls CallNamedPipeA and sends the QPCMD_BOT_SHUTDOWN instruction to the pipe."

They watched GOLD LAGOON's infrastructure become unresponsive. "These robust efforts should reduce the number of infected hosts and hinder GOLD LAGOON's attempts to regain control of the botnet."

How Qakbot operated.

Secureworks emailed an overview of what they've observed with respect to Qakbot recently, while the botnet was in its salad days. It was global in scope. "We observed 10,000 infected machines in 153 countries connecting to the C2 server over a 4-month period." About 5000 of the infected machines were connected to a domain, and thus can be inferred to have resided in business environments. The business infestations were probably of greater interest to the criminals. The US, Germany, and China represented the three most targeted countries.

"Qakbot’s backend infrastructure is located in Russia and has been for two and a half years," and that is, as RT or TASS might put it, no accident. The Emotet botnet was disrupted in January of 2021 by an international law enforcement operation. "Prior to this operation the Qakbot backend had been hosted in a variety of geographies (US, the Netherlands, Germany, and Russia). Within 24hours of the Emotet operation the Qakbot operators moved their backend infrastructure to Russia where it has remained ever since."

Qakbot organized its operations into named campaigns. Secureworks tracked three of these: "BB," "Obama," and "Snow." BB infected 1915 devices, Obama 705, and Snow 899. BB and Obama targeted devices in North America and Western Europe. Snow went after victims in Southeast Asia and South America. "The top ten countries in this campaign were Brazil, Vietnam, India, Pakistan, Thailand, Mexico, Bangladesh, Colombia, Peru, and Argentina." This indicates an ability to target on the basis of Qakbot's customers' requirements.

Public and private sector partners in the takedown.

The US Attorney for the Central District of California enumerated the interagency, international, and private sector partners who cooperated in Operation Duck Hunt. "Valuable technical assistance was provided by Zscaler. The FBI has partnered with the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation." The announcement added, "The FBI Los Angeles Field Office, the U.S. Attorney’s Office for the Central District of California, and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) conducted the operation in close cooperation with Eurojust. Investigators and prosecutors from several jurisdictions provided crucial assistance, including Europol, French Police Cybercrime Central Bureau and the Cybercrime Section of the Paris Prosecution Office, Germany’s Federal Criminal Police and General Public Prosecutor’s Office Frankfurt/Main, Netherlands National Police and National Public Prosecution Office, the United Kingdom’s National Crime Agency, Romania’s National Police, and Latvia’s State Police. The Justice Department’s Office of International Affairs and the FBI Milwaukee Field Office provided significant assistance."

What it took to organize the takedown, and what can be expected in the future.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, thoroughly approved of the operation. "I applaud the FBI and its partners across the globe," he wrote. "Wonderful news!" While this kind of international cooperation has grown more common, they're not trivial to organize and carry off successfully. "It takes lots of technical and legal talent. It was great to hear that the FBI had taken over at least one of the criminal servers and used it to redirect exploited nodes to a safer server where the FBI tried to automatically uninstall Qakbot on impacted computers. This sort of proactive cleaning up used to be rare and often contested, even by many cybersecurity experts. If not done correctly, the removal could go badly wrong. There have been many instances, before the FBI got involved, where well-meaning people trying to do proactive clean-up made the situation worse. But the FBI and its technical partners appear to be doing the clean-up right, with minimal legitimate operational impact. I'm glad the FBI and its partners have decided proactive cleanup was worth the risk. It improves not only the exploited people and organizations who have Qakbot installed, but the next innocent victims." So, advice to any would-be vigilantes: leave this sort of takedown to organizations like the FBI and its partners.

Another expert commented on hack-back aspects of the takedown. Ken Westin, Field CISO at Panther Labs, wrote, "It is interesting the FBI essentially deployed something that almost resembles 'hacking back' to redirect traffic to their servers and ran a script to uninstall the malware on remote systems. It is rare that law enforcement would deploy such measures as there are potential risks of executing commands on remote systems, however, the risk may have been minimal in this case given the threat posed by Qakbot to networks and critical infrastructure. It will be interesting to learn more about the legal case for when such activities can be taken to execute scripts on remote systems when dealing with malware and threats to national security." Again, not something for vigilantes.

Other industry experts agree that the botnet's been dealt a serious setback, but that its masters may be heard from again. Chester Wisniewski, Field CTO of Applied Research at Sophos, said, “Disrupting the Qakbot botnet of more than 700,000 victim computers is a great accomplishment for the FBI and their partners and will impose significant inconvenience on the botnet's operators and dependent criminal groups." It isn't, however, necessarily the end of Qakbot. "Sadly this will not stop Qakbot's masters from reconstituting it and continuing to profit from our security failures. Any time we can raise the cost for criminals to operate their schemes we must take advantage of those opportunities, but this doesn't mean we can rest on our laurels, we must continue to work to identify those responsible and hold them accountable to truly disable their operations.” That is, let's see the hoods arrested and prosecuted.

Max Gannon, Senior Cyber Threat Intelligence Analyst at Cofense, is another who applauds Operation Duck Hunt. He also laments the (in this case unavoidable) absence of arrests. "This was a major step for the FBI and Justice Department to take and I certainly think it will have a significant impact on the threat actors behind QakBot. While this action was able to protect a huge number of victims that were already infected, it was not paired with arrests which are what most often leads to threat actors ceasing or at least temporarily halting operations. Because it was not paired with arrests I do not believe this will be the end of QakBot or at the very least it won't be the end of the threat actors behind QakBot. Because of the huge blow to the botnet's infrastructure, I expect that the threat actors will either take a very long time to return or they will pivot to other existing botnet projects."

John Hammond, Principal Security Researcher at Huntress, wrote that “This is phenomenal news and incredible strides for our industry. There's no better word for it, it is just awesome to see the international collaboration and a huge effort that makes a massive impact to not only the Qakbot botnet strain but also the ransomware syndicates that make use of it." He added, "Historically, Huntress has seen firsthand an egregious amount of Qakbot infections, running rampant across the MSP/SMB space, so much so that the wider MSP community took note and we worked to address it. With that said, none of our past work compares to the monumental effort by FBI Los Angeles and the partnered agencies -- they shared a great message that it is the work that we do together that successfully combats today's threats. In my mind, this is another great foundation for our industry's need to defend forward and bring the fight to cybercrime on a global scale.”

(Added, 12:15 PM ET, August 30th, 2023.)

Austin Berglas, Global Head of Professional Services at BlueVoyant and former FBI Cyber Division Special Agent, sees the coordination of a complex international operation as a very heartening development. "The complete dismantlement of the Quakbot operation's infrastructure and the ability to coordinate a major global operation with international partners is the real success story." And, like others, he notes that the next step--arrests--is the hardest one. "Identifying and arresting the individuals responsible is the next, and often most difficult chapter in the investigation. The FBI's willingness to undertake multi-year, complex, global investigations is the reason why today, so many thousands of victims are no longer unwitting members of a massive botnet of infected computers. This is not the first time the FBI conducted remote operations at scale against international criminal groups. In 2011, the FBI and partners dismantled and arrested six Estonian nationals who were responsible for running the Rove criminal enterprise. In Operation Ghost Click, this criminal group used malware that was used to infect approximately 4 million computers globally and redirected them to rogue servers allowing them to control the computers, direct them to fraudulent websites, and generate millions of dollars in fraudulent advertising fees. After a complex investigation, the FBI obtained court orders authorizing them to deploy and maintain clean servers, redirect victim computers and ensure that the millions of victims did not lose internet connectivity."

Jess Parnell, VP of security operations at threat intelligence firm Centripetal, points out that big attacks can look like small matters. “This worldwide attack shows that no cyberthreat is too small to pay attention to. Some might think that a simple spam email or SMS message is harmless but, as we are constantly seeing, organizations all over the globe are getting hit daily by major cyberattacks that are oftentimes disguised as something else. The dismantling of the QakBot infrastructure serves as a stark reminder that cyberthreats are persistent and evolving. Implementing a comprehensive cybersecurity strategy, supported by intelligence-powered tools and proactive measures, is essential for organizations to maintain a healthy cybersecurity posture and effectively safeguard their sensitive data and digital assets. By staying informed, proactive, and collaborative, organizations can significantly reduce their risk of falling victim to cyberattacks.”

(Added, 4:00 PM ET, August 30th, 2023.)

Dave Ratner, CEO of HYAS, also congratulated the FBI and its partners. "We applaud the FBI for taking control of the Qakbot malware command-and-control infrastructure; unfortunately, without any arrests, it's likely that the criminals will setup new adversary infrastructure in the near future. With dwell time being as little as 24 hours, these attacks highlight once again how critical it is for organizations to have immediate visibility into anomalous network traffic communicating with adversary infrastructure so that they can take control before ransomware impacts operational resiliency, as recommended by CISA and the NSA via Protective DNS solutions."