The FBI and the Justice Department have declared a global effort to disrupt and dismantle the Qakbot infrastructure, which is utilized in ransomware attacks.
More than 700,000 victim computers were infected by the Qakbot malware, which contributed to ransomware deployments and caused damage worth hundreds of millions of dollars.
The United States, France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom all took part in the action, with technical assistance from Zscaler.
According to the US Justice Department, the Qakbot malicious code is being removed from victim systems, preventing it from causing more damage.
The Department also disclosed its seizure of illicit cryptocurrency revenues totaling more than $8.6 million.
“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” said FBI Director Christopher Wray.
“The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”
How Qakbot Malware Works
Qakbot (also known as Qbot or Pinkslipbot) is a modular second-stage malware with backdoor capabilities that was originally designed as a credential stealer.
Qakbot, which is categorized as a banking trojan, worm, and remote access trojan (RAT), steals confidential information and tries to spread itself to other computers on the network.
Spam emails with malicious attachments or links were the main method used to infect victims’ PCs with the Qakbot malware.
Following the download or click, Qakbot infected the user’s machine with further malware, including ransomware.
Additionally, the compromised machine joined a botnet, a network of infected computers that its operators could control remotely. A Qakbot victim generally did not know their machine was infected the entire time.
Reports say that since its development in 2008, Qakbot malware has been used in ransomware attacks and other cybercrimes that have cost people and companies in the United States and abroad hundreds of millions of dollars in damages.
In recent years, several successful ransomware groups, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta, used Qakbot as their primary point of infection. The ransomware operators demanded Bitcoin ransom payments from their victims in exchange for unlocking the victims’ computer networks.
A power engineering firm in Illinois, financial services companies in Alabama, Kansas, and Maryland, a defense manufacturer in Maryland, and a food distribution business in Southern California were just a few of the organizations that suffered significant losses as a result of these ransomware groups.
The Dismantling Of Qakbot
During the takedown, the FBI gained access to Qakbot infrastructure and located over 700,000 machines that appeared to be infected with Qakbot globally, including more than 200,000 in the US.
To disrupt the botnet, the FBI diverted traffic from the Qakbot botnet to and through servers under its control. These servers then instructed infected computers in the US and worldwide to download a file created by law enforcement that removed the Qakbot malware.
“This uninstaller was designed to untether the victim’s computer from the Qakbot botnet, preventing the further installation of malware through Qakbot,” the US Justice Department said.
The Justice Department added that this did not include removing malware already present on the target systems, nor did it include access to or alteration of the owners’ and users’ personal data.
“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” said Attorney General Merrick B. Garland.
“Together with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds.”
Source: https://cybersecuritynews.com/fbi-dismantle-qakbot-infrastructure/