Multinational task force takes down prolific Qakbot malware and botnet operation
A multinational task force headed by the U.S. Federal Bureau of Investigation and Dutch Police has taken down Qakbot, a prolific malware and botnet operation that was named in May the most successful malware family reaching inboxes.
Qakbot, also known as QBot and Pinkslipbot, first emerged in 2008 and was historically known as a banking Trojan virus that steals financial data from infected systems. In more recent times, Qakbot has used a variety of infection vectors, including switching file names and formats and deploying several techniques to hide its operation.
The joint operation, which spanned the U.S., France, Germany, the Netherlands, Romania, Latvia and the U.K., saw law enforcement gain access to the Qakbot botnet on Aug. 25. Upon gaining access to Qakbot, botnet traffic was redirected to and through servers controlled by law enforcement. Qakbot-infected computers were instructed to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.
According to information published by the U.S. Attorney’s Office – Central District of California, the Qakbot Uninstall file did not remediate other malware that was already installed on infected computers. The uninstall file was, however, designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim’s computer from the Qakbot botnet.
As part of the operation, account credentials that had been compromised in Qakbot attacks were identified, with the FBI providing the details to the free compromised credentials site Have I Been Pwned. Dutch Police have also set up a website that contains information on the compromised credentials.
Qakbot victims were found to include financial institutions, a critical infrastructure government contract and a medical device manufacturer, according to FBI Director Christopher Wray. Of the estimated 700,000 computers infected by Qakbot, over 200,000 were in the U.S.
The one thing missing from the takedown is any arrests, but that aside, the Qakbot takedown has been well-received by the security community.
“Disrupting the Qakbot botnet of more than 700,000 victim computers is a great accomplishment for the FBI and their partners and will impose significant inconvenience on the botnet’s operators and dependent criminal groups,” Chester Wisniewski, field chief technology officer of Applied Research at security software company Sophos Group PLC, told SiliconANGLE.
Wisniewski did warn that the takedown may be more of a speed bump for those behind Qakbot, saying that “sadly, this will not stop Qakbot’s masters from reconstituting it and continuing to profit from our security failures.”
“Any time we can raise the cost for criminals to operate their schemes, we must take advantage of those opportunities, but this doesn’t mean we can rest on our laurels; we must continue to work to identify those responsible and hold them accountable to truly disable their operations,” Wisniewski added.
John Hammond, principal security researcher at managed cybersecurity platform provider Huntress Labs Inc., also praised the takedown, saying it’s “phenomenal news” and that “it is just awesome to see the international collaboration and a huge effort that makes a massive impact to not only the Qakbot botnet strain but also the ransomware syndicates that make use of it.”
Image: Bing Image Creator
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.