Qakbot botnet brought down in major global operation led by US - SC Media

Qakbot, the criminal world's long-established botnet of choice, has been toppled by a multinational law enforcement operation that also uninstalled the malware from 700,000 computers.

In an Aug. 29 announcement, the U.S. Justice Department said the operation, led by the FBI, seized and disabled the infrastructure powering the botnet.

Authorities took possession of $8.6 million in cryptocurrency, said to be a small portion of the total amount extorted from ransomware victims over several years by the gang behind Qakbot.

"Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims," the Justice Department said.

The operation, codenamed "Duck Hunt," involved law enforcement agencies from France, Germany, the Netherlands, the United Kingdom, Romania and Latvia, as well as the U.S.

"Qakbot was one of the most notorious botnets ever, responsible for massive losses to victims around the world," said Martin Estrada, U.S. attorney for the Central District of California, where the seizure warrant for the cryptocurrency was filed.

"Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out," Estrada said.

In an Aug. 25 research post, ReliaQuest said Qakbot (also known as QBot, QuackBot and Pinkslipbot) was the most-seen malware loader, accounting for 30% of all loaders observed in the first seven months of this year.

Checkpoint also described Qakbot as the world's most prevalent malware and said it impacted 11% of corporate networks worldwide in the first half of 2023.

"Qakbot is especially tricky; it is a multi-purpose malware akin to a Swiss Army knife. It allows cybercriminals to directly steal data (credentials to financial accounts, payment cards, etc.) from PCs, while also serving as an initial access platform to infect victims' networks with additional malware and ransomware," Checkpoint said.

The malware has been used as an initial means of infection by a prolific range of ransomware groups, such as Conti, REvil and Black Basta, among others, and sought ransom payments in Bitcoin.

In a statement announcing the takedown, the FBI said Qakbot had caused hundreds of millions of dollars of losses since its creation in 2008.

"This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe," FBI Director Christopher Wray said.

"The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast."

By gaining access to the Qakbot infrastructure during the operation, the FBI was able to identify over 700,000 computers worldwide, including more than 200,000 in the U.S., that were infected with the malware.

"To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware," the Justice Department said.

The uninstaller was able to untether the infected computers from the Qakbot botnet.

Secureworks said in a blog post it had long maintained visibility of Qakbot's back-end infrastructure. Researchers in its Counter Threat Unit (CTU) observed the Aug. 25 takedown operation, which involved the botnet distributing shellcode to infected devices.

"The shellcode unpacks a custom DLL (dynamic link library) executable that contains code that can cleanly terminate the running Qakbot process on the host," Secureworks said.

"The DLL uses a clever method that involves sending a QPCMD_BOT_SHUTDOWN instruction via a named pipe that Qakbot uses to send and receive messages between processes on the host."

The efforts of the multinational teams, and their success in taking down such a major player in the cybercriminal ecosystem so emphatically, were praised by researchers. But some cautioned that the demise of such a significant botnet would leave a void, and an opportunity for the group behind Qakbot, known as Batbug or GOLD LAGOON, to rebuild.

"Batbug has long been one of the largest players in the cybercrime landscape, controlling a lucrative malware distribution network that was linked to multiple major ransomware gangs," Symantec's Threat Hunter Team said in a blog post.

"This takedown is likely to disrupt Batbug's operations, and it is possible that the group may struggle to rebuild its infrastructure in its aftermath."

Secureworks said it had observed the group's infrastructure becoming unresponsive as a result of the takedown operation.

"These robust efforts should reduce the number of infected hosts and hinder GOLD LAGOON's attempts to regain control of the botnet."

Mandiant senior manager, financial analysis, Kimberly Goody said Qakbot had a history of adapting and evolving.

"Any impact to these operations is welcomed, as it can cause fractures within the ecosystem and lead to disruptions that cause actors to forge other partnerships, even if it's only temporary."

Another Mandiant executive, Sandra Joyce, VP, Mandiant Intelligence, Google Cloud, said ransomware was a major security challenge that had to be taken seriously.

"The underpinnings of this business model are solid, and this problem is not going away anytime soon. Many of the tools we have at our disposal aren't going to have long-lasting effects. These groups will recover and they will be back."

Simon Hendery is a freelance IT consultant specializing in security, compliance and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
Copyright 2023 CyberRisk Alliance, LLC. All Rights Reserved.