The FBI, U.S. Department of Justice, and police forces in the U.K. and Europe, have announced the takedown of the QBot (Qakbot) botnet malware.
QBot was the largest botnet in the world in terms of the number of infections, measuring 700,000 infected hosts by the time of its dismantling, and one of the longest-standing of its kind, being in operation since 2008.
The operators of QBot infected systems via multiple channels, primarily spam email, that carried malicious attachments such as PDFs, OneNote files, HTML, ZIPs, and LNKs, achieving stealthy initial infection. Then, access to those computers was sold to various malware and ransomware operators, who deployed their far more potent payloads through QBot, causing immeasurable financial damages. The U.S. DoJ announcement mentions the seizure of approximately $8.6 million worth of cryptocurrency believed to be the product of these illicit sales of initial access to cybercriminals.
The takedown of QBot’s infrastructure was achieved by seizing the infrastructure that supported the botnet’s operation and then injecting a special DLL module onto all clients that uninstalled the malware from infected computers. Despite QBot using multiple layers of redundant infrastructure, the FBI was able to map it in its entirety by gaining access to the malware operator’s administrator accounts.
The FBI agents retrieved the encryption keys used for communicating with QBot’s C2 servers, swapped them with their own, locked the actual operators out of the botnet’s infrastructure, and eventually pushed the cleaning component on August 25, 2023, disinfecting 700,000 devices. More details on the infrastructure hijack and malware removal process can be found here.
Following the takedown and examination of the infrastructure, the law enforcement authorities have given data breach alert service ‘Have I Been Pwned’ (HIBP) nearly 6.5 million email addresses and passwords retrieved from QBot’s servers, which the malware stole and used for disseminating emails to new targets as part of its attack routine.
Internet users whose details are included in this dataset will receive an email notification from HIBP. Those who do are recommended to run a complete A.V. scan on their systems, as QBot might not be the only malware present. Unfortunately, any additional payloads dropped onto systems via QBot are not possible to remove with the DLL uninstaller, so manual cleanups will be required in those cases.
Is this the end of QBot?
FBI’s “Operation Duck Hunt,” which disrupted QBot, represents a major setback for the malware botnet that is bound to have far-reaching implications in various cybercrime sectors, especially ransomware. Yet, without identifying and apprehending the primary operators, there’s always the potential for them to regroup and rebuild
An example of such a development is the Emotet botnet, which an international law enforcement operation disrupted in January 2021 and nuked from infected devices on April 25, 2021, by sending a “wiper” module onto clients that communicated with the seized infrastructure. Despite the operation involving two arrests, Emotet was back in business by November 2021, when it started to slowly rebuild with the aid of notorious ransomware syndicates like Conti. Since then, Emotet’s return and growth have been somewhat anemic, but the botnet is definitely active, helping push BlackCat ransomware and running IRS W-9 tax form malspam campaigns last March.