How the FBI Nuked Qakbot Malware from Infected Windows PCs

Cyber Security Threat Summary:
Yesterday afternoon, the FBI announced the disruption of the Qakbot botnet. Through an international law enforcement operation, authorities not only seized the infrastructure used by the operators, but also uninstalled the malware from infected devices. “During this past weekend’s law enforcement operation, Operation Duck Hunt, the FBI redirected the botnet’s network communications to servers under its control, allowing agents to identify approximately 700,000 infected devices (200,000 located in the U.S.)” (Bleeping Computer, 2023).

Qakbot (also known as QBot) is a prolific piece of malware that began as a banking trojan back in 2008. It has since evolved into a malware loader which threat actors use to gain initial access to networks, often as a precursor to ransomware deployment, data theft, and other follow-on activity.

Phishing campaigns are typically used to distribute Qakbot, specifically those with malicious documents attached. Reply-chain email attacks are common: the actors take a stolen email thread, reply to it so the message appears to continue an existing conversation, and attach a malicious document. “These documents change between phishing campaigns and range from Word or Excel documents with malicious macros, OneNote files with embedded files, to ISO attachments with executables and Windows shortcuts. Some of them are also designed to exploit zero-day vulnerabilities in Windows” (Bleeping Computer, 2023). Once the attachment is opened, Qakbot is installed on the machine and its code is injected into the memory of legitimate Windows processes, which helps it evade security software.

Security Officer Comments:
The Qakbot operators have partnered with various ransomware operations in the past, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and more recently, Black Basta and BlackCat. The FBI says that between October 2021 and April 2023, the Qakbot operators earned approximately $58 million from ransomware payments.

In their announcement, the FBI says they were able to dismantle the botnet by seizing the operators’ server infrastructure and using a special removal tool to uninstall the Qakbot malware from infected devices. Based on their investigation, the FBI determined that the Qakbot botnet used Tier-1, Tier-2, and Tier-3 command and control servers, which are used to issue commands to execute, install malware updates, and download additional partner payloads to devices.

“Tier-1 servers are infected devices with a "supernode" module installed that act as part of the command and control infrastructure of the botnet, with some of the victims located in the USA. Tier-2 servers are also command and control servers, but the Qakbot operators operate them, usually from rented servers outside the USA. The FBI says that both the Tier-1 and Tier-2 servers are used to relay encrypted communication with the Tier-3 servers. These Tier-3 servers act as the central command and control servers for issuing new commands to execute, new malicious software modules to download, and malware to install from the botnet's partners, such as ransomware gangs” (Bleeping Computer, 2023).

By infiltrating Qakbot’s infrastructure and the administrators’ devices, the FBI was able to obtain the encryption keys used to communicate with these servers. The FBI then replaced the encryption keys, which effectively locked the operators out of their own command and control infrastructure while the FBI’s servers continued to communicate with the infected devices.

Using a custom Windows DLL packaged as a Qakbot module and delivered through the hijacked infrastructure, the FBI was able to remove the malware from infected devices. Based on Secureworks’ analysis of the FBI module, this custom DLL issues the QPCMD_BOT_SHUTDOWN command to the Qakbot malware running on the infected device, which causes the malware process to stop running.

Suggested Correction(s):
The FBI says that this Qakbot removal tool was authorized by a judge with a very limited scope: it only removes the Qakbot malware from infected devices. Furthermore, because the malware operates only from memory, the removal tool did not read or write anything to the hard drive. Note that the tool did not remediate any other malware that had already been installed on the infected computer, so organizations that find evidence of a past Qakbot infection should still investigate for follow-on payloads.

At this time, the FBI has not given a final count of the devices cleaned in this manner, but as the process only started over the weekend, they expect further devices to be cleaned as they connect back to the hijacked Qakbot infrastructure.

The FBI also shared a database containing credentials stolen by the Qakbot malware with Have I Been Pwned and the Dutch National Police.

As no notification is displayed on an infected device when the malware is removed, you can use these services to check whether your credentials appear in the stolen data. A match indicates that a device you used was at some point infected with the Qakbot malware.
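For organizations that want to check a list of their own accounts rather than typing each address into the website, the Have I Been Pwned v3 API can be queried directly. The script below is an added example and is not code from the original article, the FBI, or Have I Been Pwned. It assumes the documented v3 endpoint https://haveibeenpwned.com/api/v3/breachedaccount/{account} (which requires a paid `hibp-api-key` header, a `user-agent` header, and returns HTTP 404 when the account is in no breach), and it assumes the credential set is listed under the breach name "Qakbot"; confirm that name against the HIBP breach list before relying on it. The sample response embedded in the script is constructed for illustration.

```python
"""Check e-mail addresses against Have I Been Pwned for the Qakbot credential set.

Added example, not from the original article. Assumptions:
  - HIBP v3 breached-account API as documented at haveibeenpwned.com/API/v3.
  - The Qakbot data is loaded into HIBP under the breach name "Qakbot".
Usage: HIBP_API_KEY=... python qakbot_check.py user@example.com [more addresses]
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"
QAKBOT_BREACH = "Qakbot"  # assumed HIBP breach name

# Constructed sample of what the API returns for an affected account
# (truncateResponse=false gives full breach objects; field names follow the
# documented breach model, the values here are made up for the example).
SAMPLE_RESPONSE = json.dumps([
    {"Name": "Qakbot", "Title": "Qakbot", "Domain": "",
     "BreachDate": "2023-08-29", "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleSite", "Title": "Example Site", "Domain": "example.test",
     "BreachDate": "2020-01-15", "DataClasses": ["Email addresses", "Usernames"]},
])


def parse_breaches(body):
    """Parse the JSON array of breach objects HIBP returns for an account."""
    data = json.loads(body)
    if not isinstance(data, list):
        raise ValueError("unexpected HIBP response shape")
    return data


def find_breach(breaches, name=QAKBOT_BREACH):
    """Return the breach object whose Name matches (case-insensitive), else None."""
    for breach in breaches:
        if breach.get("Name", "").lower() == name.lower():
            return breach
    return None


def summarize(breaches):
    """Reduce the breach list to the question the article raises: was this
    account in the Qakbot data, and what else is it exposed in?"""
    hit = find_breach(breaches)
    return {
        "qakbot": hit is not None,
        "qakbot_data_classes": hit.get("DataClasses", []) if hit else [],
        "other_breaches": sorted(
            b["Name"] for b in breaches if b is not hit and "Name" in b
        ),
    }


def fetch_breaches(account, api_key, timeout=15):
    """Query HIBP for one account. Returns [] when HIBP answers 404
    (account not present in any breach). Raises on rate limiting (429)."""
    url = HIBP_URL + urllib.parse.quote(account, safe="") + "?truncateResponse=false"
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": "qakbot-check/1.0"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_breaches(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        if err.code == 429:
            retry = err.headers.get("retry-after", "?")
            raise RuntimeError(f"rate limited by HIBP; retry after {retry}s") from err
        raise


def main(argv):
    api_key = os.environ.get("HIBP_API_KEY")
    if not api_key or len(argv) < 2:
        print(__doc__)
        return 2
    for account in argv[1:]:
        result = summarize(fetch_breaches(account, api_key))
        flag = "QAKBOT HIT" if result["qakbot"] else "no Qakbot record"
        print(f"{account}: {flag}; other breaches: {result['other_breaches']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hit tells you that the address and a password for it were present on a Qakbot-infected machine at some point; it does not tell you which machine, so the practical follow-up is to rotate that credential and look for a device the user logged in from that may still need investigation.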

While the Qakbot operation was severely disrupted, there have been no reports of arrests. It is therefore possible that the Qakbot operators will begin to rebuild their infrastructure over the coming months, whether through new phishing campaigns or by purchasing installations from other botnets. Even so, the international operation succeeded in severely hindering an active and prominent threat.