QakBot Botnet Dismantled, But Can It Return?

QakBot fell. But for how long?

On Tuesday, US authorities announced that the international law enforcement operation “Duck Hunt” had destroyed the infamous Qakbot malware platform, which is linked to Russia and which cybercriminals have actively used to commit a range of financial crimes. Cybersecurity experts, however, are not sure how lasting the damage to the botnet will be. They expect Qakbot to return soon, with new tactics and tricks.

The United States and its allies dismantled the Qakbot financial fraud network

Last week, the United States, the United Kingdom, Germany, Latvia, the Netherlands, Romania, and France conducted a joint operation to dismantle the Qakbot hacker network. First appearing more than a decade ago, Qakbot typically spread through infected emails sent to potential victims under the guise of trusted messages. Cybersecurity researchers have suggested that Qakbot’s origins trace back to Russia. The network has attacked organizations worldwide, from Germany to Argentina, causing significant losses. U.S. Attorney Martin Estrada emphasized that Operation “Duck Hunt,” which exposed and disrupted Qakbot’s activities, is the most extensive in the history of the fight against botnets.

[Image: malicious attachment that asks the recipient to activate macros]

A colossal catch

Specialists call Operation “Duck Hunt” a significant victory in the fight against cybercrime, and the numbers show why. As part of the international operation, FBI officials dismantled the Qakbot botnet, which had infected over 700,000 compromised computers worldwide, of which more than 200,000 were in the United States. Although authorities pushed a removal tool to the infected endpoints that deleted Qakbot from system memory, this did not neutralize other malware that may have been present on those systems. According to investigators, between October 2021 and April 2023, Qakbot administrators received approximately $58 million in ransom paid by victims. According to CertiK, criminals were able to steal about $45 million worth of cryptocurrency during August this year, and in total, users have lost $997 million to fraudulent schemes since the beginning of the year. Law enforcement seized more than $8.6 million in bitcoin.

A few words about Qakbot

Qakbot is a malicious program that belongs to the TrickBot family of Trojans, and its functionality resembles a Swiss Army knife. It was first discovered in 2008, and since then, cybercriminals have actively used it to steal data and spread other malicious programs. It is the most frequently detected malware, with 11% of corporate networks worldwide affected in the first half of 2023. Victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast. It also served as a platform for ransomware operators. Once infected, the victim’s computer became part of the giant Qakbot botnet and was used to infect even more victims. Qakbot can spread through various channels, including email, malicious links, and infected files. We have an entire article dedicated to this malware.

QakBot May Resurface Soon, Analysts Warn

Cyber threat intelligence experts warned that the recent takedown of Qakbot may only provide short-term relief in the fight against cybercrime. Many cybercrime service providers operate from Russia, which doesn’t extradite its citizens, making it difficult to reach them. For now, Qakbot appears to be on a forced sabbatical. Nevertheless, its operators may tweak their code to make it more challenging to disrupt in the future. The situation resembles the case of Emotet, which, after its severe disruption in 2021, was never able to regain its former position.

Despite the obvious parallels to Emotet’s case, it is important to note the differences between the two. The spreading methods used by Emotet differ from those used by Qakbot: the latter used email spamming only as part of lateral movement, through compromised email accounts. Moreover, QBot is backed by a team of highly professional criminals, while Emotet apparently lost its dream team in the 2021 arrests. Conti’s Team 3, now known as Black Basta, ran Qakbot operations alongside the Clop ransomware group. Team 3 has been inactive since June, but once they resurface, they could pose a potent threat.

How to protect yourself against malware?

Protecting yourself against malware is essential to safeguard your personal information, data, and online security. Here are some fundamental steps to help you stay protected:

  • Beware of Fake Websites. Be cautious when visiting websites, especially when entering sensitive information. Ensure you’re on a secured website (look for HTTPS in the URL).
  • Exercise Caution with Email and Links. Be cautious when opening email attachments and clicking links, especially in emails from unknown or suspicious sources; malware often spreads through phishing emails. Be skeptical of pop-up ads and unexpected download prompts, and verify the legitimacy of requests before taking action.
  • Download Software from Official Sources. Only download software and apps from reputable sources, e.g., the official website or the app store (for Android or iOS). Avoid downloading cracked or pirated software from torrents, which is often bundled with malware.
  • Keep Software Updated. You may find Windows updates annoying, but they are essential. Regularly update your operating system, web browsers, and all installed software. Many malware attacks exploit known vulnerabilities that are patched through updates.
  • Use Strong Passwords. A strong password is the first line of defense. Create strong, unique passwords for your accounts, and change them regularly. Consider using a password manager to generate and store complex passwords securely.
  • Enable Multi-Factor Authentication (MFA). Whenever possible, enable MFA for your online accounts. This is the second line of defense, which will stop an intruder if the first line is breached. MFA adds an extra layer of security by requiring additional verification beyond a password.
  • Use Reputable Anti-Malware Software. We recommend installing and regularly updating reputable anti-malware software on your devices. This step complements all of the previous ones and reduces the remaining risk as much as possible, since these tools can detect and remove malware infections.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
