On August 29, 2023, the U.S. Department of Justice announced that a multinational operation successfully disrupted the QakBot botnet, which had infected over 700,000 computers worldwide. The takedown involved actions in the United States, Ukraine, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, and resulted in the seizure of more than $8.6 million in cryptocurrency profits from the QakBot cybercriminal organization.
The FBI gained access to QakBot infrastructure, identified and redirected botnet traffic through its servers, and instructed infected computers to download an uninstaller. This action prevented QakBot from installing further malware. Law enforcement primarily focused on removing the QakBot malware from victim computers without affecting owner data.
The operation was conducted in close cooperation with Eurojust, a department of the European Union that investigates crimes within member states, and involved significant assistance from various cybercrime and law enforcement agencies across several countries.
What Is QakBot and Why Is This Important?
QakBot (also known as QBot) is a highly popular banking trojan that has existed since at least 2007. The trojan has continuously evolved since its inception and has been frequently upgraded with new capabilities.
Here’s how it works: QakBot allows cybercriminals to gain initial access to targeted networks and delivers other remote-access payloads, which attackers can then use to steal sensitive data, move laterally, or remotely execute code.
QakBot was primarily spread through spam emails, delivering additional malware, including ransomware. Notable ransomware groups like Ryuk, ProLock, Egregor, REvil, MegaCortex, and Black Basta have used QakBot as an initial means of infection, causing significant damage to businesses, healthcare providers, and government agencies.
As of August 2023, QakBot had been predominantly linked to the Black Basta ransomware group, which breached more than 140 organizations in 2023. On March 15, 2023, ReliaQuest discovered a security incident involving Black Basta that began with a QakBot infection for initial access. In this attack, the threat actor established a foothold in only 77 minutes, highlighting the threat posed by QakBot infections and the speed at which they could be deployed.
QakBot’s ever-evolving nature and highly opportunistic targeting of any and all industries posed a persistent and increasingly significant threat to the cyber community. Its disruption will likely have a significant impact on many threat actors, such as Black Basta.
Resources and Information for QakBot Victims
It’s not immediately clear whether the U.S. Department of Justice will release more specific details about the infrastructure it took down. With this limited information, we can’t speculate on how far-reaching and impactful this takedown was for cybercriminals. However, the Department did release a key detail: the FBI successfully rerouted QakBot botnet traffic to servers under its control and instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would effectively uninstall the QakBot malware.
Victims can verify whether they have received the uninstaller by checking for the SHA-256 hash of the QakBot uninstall file: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117
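One way to carry out that check on a Windows host, as an added example that is not part of the ReliaQuest post or any law-enforcement tooling: the script below hashes every file under a set of folders and reports those whose SHA-256 matches the published uninstaller hash. The folders scanned (the user profile and temp directories) are an assumption; the uninstaller could have landed elsewhere, and the hash set can be extended with other IoCs you track.

```powershell
# Added example (not from the ReliaQuest post). Scans folders for any file whose
# SHA-256 matches the QakBot uninstaller hash published by the DOJ.
$QakBotUninstallerSha256 = '7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117'

function Find-FilesBySha256 {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Sha256
    )
    # Build a case-insensitive set once so each file needs a single lookup
    $wanted = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $Sha256) { [void]$wanted.Add($h) }

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Locked or unreadable files are skipped rather than aborting the whole scan
            $fh = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($fh -and $wanted.Contains($fh.Hash)) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    Sha256        = $fh.Hash
                    LastWriteTime = $_.LastWriteTime
                }
            }
        }
}

# Assumed search roots; widen them if the download location on your hosts differs
$roots = @($env:USERPROFILE, $env:TEMP, "$env:SystemRoot\Temp")
$hits = foreach ($r in $roots) { Find-FilesBySha256 -Path $r -Sha256 $QakBotUninstallerSha256 }
if ($hits) { $hits | Format-Table -AutoSize } else { 'No file matching the published uninstaller hash was found.' }
```

A match only tells you the uninstaller file was present on disk; absence does not prove the host was never infected, since the file may have been removed after it ran. Treat the result as one signal alongside your endpoint telemetry.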
The FBI and Dutch National Police identified compromised account credentials associated with QakBot and provided them to the website “Have I Been Pwned.” Victims can check if their credentials were compromised by visiting the following websites:
- Have I Been Pwned (https://haveibeenpwned.com/)
- Dutch National Police (https://politie.nl/checkyourhack)
Additional information and resources, including those for victims, can be found on the U.S. Department of Justice website. The Department will update this page as more information and resources become available.
Is QakBot Dead?
It’s too soon to tell. We know that from January 1–July 31, 2023, QakBot constituted 30% of all loaders observed by ReliaQuest, and many unique ransomware groups are known to favor QakBot, so it’s hard to say whether it will become completely obsolete.
On the other hand, if this takedown seriously disrupts their activities, threat actors will likely move on to different initial access malware. Cybercriminals are constantly adapting and will always find another malware to leverage in their campaigns.
The ReliaQuest Threat Research Team will continue to closely monitor the outcome of this situation.
ReliaQuest Strategies for Hardening Against QakBot
With limited information regarding the extent of this takedown’s impact, the ReliaQuest Threat Research Team still recommends adopting a proactive stance against QakBot. We recommend the following hardening measures to bolster defenses against these attacks:
- Disable ISO mounting, as this has increasingly become a reliable method for bypassing antivirus or endpoint detection tools.
- Educate staff on recognizing social engineering tactics employed on the web and establish an appropriate channel for reporting suspicious emails or other activities.
- Restrict the use of remote access software, as it is among the most common methods exploited by cybercriminals—notably observed in conjunction with QakBot.
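The first recommendation, disabling ISO mounting, can be applied on a Windows endpoint by removing the Explorer “Mount” verb for disk-image files. The script below is an added example, not part of the ReliaQuest post, and assumes the standard Windows.IsoFile (.iso/.img) and Windows.VhdFile (.vhd/.vhdx) ProgIDs under HKEY_CLASSES_ROOT; it must be run from an elevated PowerShell session.

```powershell
# Added example (not from the ReliaQuest post). Hides Explorer's Mount verb for
# disk-image files by marking it ProgrammaticAccessOnly, so double-clicking a
# mailed ISO no longer mounts it. Assumes the standard ProgIDs listed below.
$MountVerbs = @(
    'Registry::HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount',   # .iso / .img
    'Registry::HKEY_CLASSES_ROOT\Windows.VhdFile\shell\mount'    # .vhd / .vhdx
)

function Disable-ExplorerDiskImageMount {
    foreach ($key in $MountVerbs) {
        if (-not (Test-Path -Path $key)) {
            # Verb key absent on this build: nothing to hide, but record it for the audit trail
            Write-Warning "Mount verb key not found: $key"
            continue
        }
        # An empty REG_SZ named ProgrammaticAccessOnly removes the verb from the shell UI
        New-ItemProperty -Path $key -Name 'ProgrammaticAccessOnly' -Value '' `
            -PropertyType String -Force | Out-Null
    }
}

function Test-ExplorerDiskImageMountDisabled {
    # Returns $true only when every present mount verb carries the marker
    foreach ($key in $MountVerbs) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.PSObject.Properties['ProgrammaticAccessOnly']) {
            return $false
        }
    }
    return $true
}

Disable-ExplorerDiskImageMount
"Explorer ISO/VHD mount verb disabled: $(Test-ExplorerDiskImageMountDisabled)"
```

This removes only the Explorer double-click and context-menu path; scripted mounting through Mount-DiskImage or a third-party tool still works, so pair it with an endpoint policy that alerts on disk-image mounts. Because HKEY_CLASSES_ROOT merges HKLM\Software\Classes with the per-user HKCU\Software\Classes, deploy the setting through Group Policy or your endpoint manager rather than a one-off run, and re-check it with Test-ExplorerDiskImageMountDisabled after feature updates.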