The FBI has scored a major victory against cyber criminals after it seized the servers of a notorious botnet and mass-uninstalled malware from infected systems.
On Tuesday, the Federal Bureau of Investigation announced a multinational operation to disrupt and dismantle the malware-distributing Qakbot botnet – a global malware network which has been proliferating cyber crime for more than 15 years.
Qakbot has been around since at least 2008, when it launched as an information-stealing banking trojan, but in the 2010s it became better known as a key seller of access to malware-infected systems to other cyber crime groups.
The botnet infected victim systems predominantly through spam emails which contained malicious attachments or links loaded with malware.
After a user clicked these links or downloaded content from Qakbot’s spam, their system would become infected with malware and effectively join a network of other compromised computers – forming a botnet of remote-controllable systems which Qakbot clients could buy into for access.
“All the while, a Qakbot victim was typically unaware that their computer had been infected,” said the FBI.
As cyber crime has ramped up to unprecedented levels over the past three years, the Qakbot botnet has served as a jumping-off point for many ransomware attacks.
Qakbot has been used by the likes of Russia-linked ransom group Conti – which targeted Queensland Government-owned electricity generator CS Energy in 2021 and had further ties to an attack at Queensland University of Technology in December 2022 – as well as REvil, the Russia-linked gang widely suspected of carrying out the notorious 2022 hack at health insurer Medibank.
Over the last 18 months, Qakbot has facilitated about 40 ransomware attacks and reportedly netted cyber criminals around $89.7 million ($US58 million).
With help from European law enforcement in France, Germany, the Netherlands, Romania, Latvia and the UK, the FBI seized more than 50 Qakbot servers and identified over 700,000 infected computers worldwide.
To disrupt the botnet, the FBI was reportedly able to redirect Qakbot botnet traffic to servers controlled by the FBI, which then “instructed infected computers” to download a file which would uninstall Qakbot malware.
This uninstaller was designed to further untether infected computers from the botnet and prevent the installation of additional Qakbot malware, effectively dismantling the global chain of once-infected devices.
The operation – snarkily dubbed “Duck Hunt” – also led to the seizure of about $13.3 million ($US8.6 million) in cryptocurrency from the Qakbot criminal organisation.
According to United States Attorney Martin Estrada, that sum will be made available to victims.
“An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said Estrada.
“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out.”
Operation Duck Hunt marks the third major malware botnet takedown of the decade, following Emotet and Trickbot in 2020 and 2021.
While both of these botnets made a return after their respective takedowns, they now operate at a much reduced capacity.
Donald Alway, the FBI assistant director in charge in Los Angeles, said the Qakbot network was “literally feeding the global cybercrime supply chain”, and that Operation Duck Hunt’s actions will prevent further cyber attacks.
“These actions will prevent an untold number of cyberattacks at all levels, from the compromised personal computer to a catastrophic attack on our critical infrastructure,” said Alway.