How the FBI took down the notorious Qakbot botnet

A global law enforcement operation this week took down and dismantled the notorious Qakbot botnet, touted as the largest U.S.-led financial and technical disruption of a botnet infrastructure.

Qakbot is a banking trojan that became infamous for providing an initial foothold on a victim’s network for other hackers to buy access and deliver their own malware, such as ransomware. U.S. officials said Qakbot has helped to facilitate more than 40 ransomware attacks over the past 18 months alone, generating $58 million in ransom payments.

The law enforcement operation, named “Operation Duck Hunt,” saw the FBI and its international partners seize Qakbot’s infrastructure located in the United States and across Europe. The U.S. Department of Justice, which ran the operation alongside the FBI, also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will soon be made available to victims.

In Tuesday’s announcement, the FBI said it carried out an operation that redirected the botnet’s network traffic to servers under the U.S. government’s control, allowing the feds to take control of the botnet. With this access, the FBI used the botnet to instruct Qakbot-infected machines around the world into downloading an FBI-built uninstaller that untethered the victim’s computer from the botnet, preventing further installation of malware through Qakbot.

The FBI said its operation had identified approximately 700,000 devices infected with Qakbot as of June — including more than 200,000 located in the United States. During a call with reporters, a senior FBI official said that the total number of Qakbot victims is likely in the “millions.”

Here’s how Operation Duck Hunt went down.

How did the operation work?

According to the application for the operation’s seizure warrant, the FBI identified and gained access to the servers running the Qakbot botnet infrastructure hosted by an unnamed web hosting company, including systems used by the Qakbot administrators. The FBI also asked the court to require the web host to secretly produce a copy of the servers to prevent the host from notifying its customers, the Qakbot administrators.

Some of the systems the FBI got access to include the Qakbot’s stack of virtual machines for testing their malware samples against popular antivirus engines, and Qakbot’s servers for running phishing campaigns named after former U.S. presidents, knowing well that political-themed emails are likely to get opened. The FBI said it was also able to identify Qakbot wallets that contained crypto stolen by Qakbot’s administrators.

“Through its investigation, the FBI has gained a comprehensive understanding of the structure and function of the Qakbot botnet,” the application reads, describing its plan for the botnet takedown. “Based on that knowledge, the FBI has developed a means to identify infected computers, collect information from them about the infection, disconnect them from the Qakbot botnet, and prevent the Qakbot administrators from further communicating with those infected computers.”

Qakbot uses a system of tiered systems — described as Tier 1, Tier 2, and Tier 3 — to control the malware installed on infected computers around the world, according to the FBI and findings by U.S. cybersecurity agency CISA.

The FBI said that Tier 1 systems are ordinary home or business computers — many of which were located in the United States — infected with Qakbot that also have an additional “supernode” module, which makes them part of the botnet’s international control infrastructure. Tier 1 computers communicate with Tier 2 systems, which serve as a proxy for network traffic to conceal the main Tier 3 command and control server, which the administrators use to issue encrypted commands to its hundreds of thousands of infected machines.

With access to these systems and with knowledge of Qakbot’s encryption keys, the FBI said it could decode and understand Qakbot’s encrypted commands. Using those encryption keys, the FBI was able to instruct those Tier 1 “supernode” computers into swapping and replacing the supernode module with a new module developed by the FBI, which had new encryption keys that would lock out the Qakbot administrators from their own infrastructure.

Swap, replace, uninstall

According to an analysis of the takedown efforts from cybersecurity company Secureworks, the delivery of the FBI module began on August 25 at 7:27pm in Washington DC.

The FBI then sent commands instructing those Tier 1 computers to communicate instead with a server that the FBI controlled, rather than Qakbot’s Tier 2 servers. From there, the next time that a Qakbot-infected computer checked in with its servers — every one to four minutes or so — it would find itself seamlessly communicating with an FBI server instead.

After Qakbot-infected computers were funneled to the FBI’s server, the server instructed the computer to download an uninstaller that removes the Qakbot malware altogether. (The uninstaller file was uploaded to VirusTotal, an online malware and virus scanner run by Google.) This doesn’t delete or remediate any malware that Qakbot delivered, but would block and prevent another initial Qakbot infection.

The FBI said that its server “will be a dead end,” and that it “will not capture content from the infected computers,” except for the computer’s IP address and associated routing information so that the FBI can contact Qakbot victims.

“The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm,” prosecutors said Tuesday.

This is the most recent operational takedown the FBI has carried out in recent years.

In 2021, the feds carried out the first-of-its-kind operation to remove backdoors planted by Chinese hackers on hacked Microsoft Exchange email servers. A year later, the FBI disrupted a massive botnet used by Russian spies to launch powerful and disruptive cyberattacks designed to knock networks offline, and, earlier this year, knocked another Russian botnet offline that had been operating since at least 2004.

Source link