FBI-led Operation Duck Hunt shoots down Qakbot

Trending 1 month ago

Uncle Sam coming said an world rule enforcement effort dismantled Qakbot, aka QBot, a notorious botnet and malware loader responsible for losses totaling hundreds of millions of dollars worldwide, and seized much than $8.6 cardinal successful illicit cryptocurrency.

In a Tuesday property convention announcing nan return down, US Attorney Martin Estrada called nan FBI-led Operation Duck Hunt "the astir important technological and financial cognition ever led by nan Department of Justice against a botnet." For 1 thing, nan Feds produced immoderate package to driblet onto Qbot-infected machines to render nan malware ineffective.

With an assistance from France, Germany, nan Netherlands, nan United Kingdom, Romania, and Latvia, rule enforcement complete nan past 3 days seized 52 servers successful nan US and overseas utilized to support nan QBot network, "preventing Qakbot from resurrecting to origin further further harm," Estrada said. 

Qakbot is simply a classical spot of Windows botnet malware: its operators instrumentality group – usually via email attachments aliases malicious Microsoft Office documents – into downloading and moving nan software, which tin fetch and execute further payloads from extracurricular servers, and communicates pinch distant servers to get its instructions to transportation out. It is simply a Swiss Army weapon of malicious code: it tin beryllium utilized to backdoor infected computers, bargain their passwords and show keystrokes, siphon costs from online slope accounts, and more.

Its malware loader functionality has been astir since astatine slightest 2008, has had important upgrades since then, and has been utilized to bring ransomware payloads into infected networks. According to Estrada, astir 40 infections of extortionware via Qbot person been observed successful nan past 18 months.

"These ransomware attacks person costs businesses and authorities entities astir $58 cardinal successful losses," he added. "You tin ideate that nan losses person been galore millions much passim nan life of nan Qakbot."

As portion of nan take-down operation, nan Feds identified much than 700,000 infected computers worldwide, including immoderate 200,000 successful America. Then, opening connected August 21, nan FBI obtained tribunal orders allowing it to redirect Qakbot postulation to agent-controlled servers, and remotely abnormal nan malware connected victims' machines.

Duck-hunting season

The first court bid [PDF], which was granted connected August 21, allowed rule enforcement to search US-based machines and prehend aliases transcript encryption keys, server lists, IP addresses, and routing accusation utilized by nan Qakbot administrators, and besides driblet a record containing FBI-developed package connected these computers to uninstall nan malware.

"The record will supply nan unfortunate computers pinch caller instructions that will untether them from nan Qakbot botnet and forestall nan Qakbot administrators from further communicating pinch nan infected computers," according to tribunal documents [PDF].

The package besides gave nan FBI "the expertise to stitchery grounds astir nan malware infection, and to cod IP reside and routing accusation capable to place nan unfortunate machine and supply notification to nan personification of nan machine astir nan distant hunt authorized by nan projected warrant."

The scope was constricted to accusation installed connected nan unfortunate computers by nan Qakbot operators, and did not remediate immoderate different malware connected nan devices, nor assistance nan Feds entree to different accusation connected compromised computers, according to nan US Dept of Justice. 

Two days later, connected August 23, a tribunal granted a 2nd petition [PDF] that allowed rule enforcement to hunt computers assigned circumstantial IP addresses and maintained by a circumstantial provider. The IP addresses and supplier sanction person been redacted successful nan tribunal documents.

This 2nd warrant required nan supplier to move complete a ton of information linked to those circumstantial IP addresses, including communications pinch nan computers utilizing those addresses; images of those computers' record systems; and applicable customer accusation and logs. 

This warrant besides demanded accusation related to nan usage of malware and different intends to summation unauthorized machine access, nan results of said access, accusation related to victims, imaginable victims, and wiretapping, and thing related to cryptocurrency wallets, payments, and money laundering efforts.

  • Malware loader lowdown: The large 3 responsible for 80% of attacks truthful acold this year
  • Qbot malware adapts to unrecorded different time … and different …
  • FBI: Who was going astir hijacking Barracuda email boxes? China, probably
  • 288 arrested successful multinational Monopoly Market takedown

And finally, a 3rd bid [PDF] allowed rule enforcement to prehend 20 crypto-coin wallets linked to nan Qbot empire.

In summation to seizing $8.6 cardinal successful ransomware payments, Operation Duck Hunt besides seized 6.5 cardinal credentials that Qakbot operators had besides stolen from victims successful nan US, and "our world partners are identifying galore millions more," Estrada said.

Law enforcement is notifying victims of nan credential harvesting, and moving pinch folks to thief them recover funds stolen by nan crooks.

"We judge that this will efficaciously put Qakbot criminal groups retired of business," said Donald Alway, adjunct head successful complaint of nan FBI's Los Angeles section office.

The US rule enforcement agencies declined to place immoderate circumstantial individuals down nan Qakbot infrastructure, citing nan ongoing investigation, and has yet to make immoderate arrests related to nan botnet. ®