FBI dismantles "Qakbot", a notorious botnet that infected over 700,000 devices worldwide and was used by various ransomware gangs



Qakbot (also known as Qbot, QuackBot, and Pinkslipbot) is Trojan horse malware that has been in circulation since around 2008. It enlists infected devices into a botnet that its operators can control remotely. On August 29, 2023, it was reported that the Qakbot botnet, which had been active online for more than a decade, was dismantled in an international operation led by the US Federal Bureau of Investigation (FBI) and the Department of Justice.

FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown — FBI
https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown



Central District of California | Qakbot Malware Disrupted in International Cyber Takedown | United States Department of Justice
https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown

US says it and partners have taken down notorious 'Qakbot' hacking network | Reuters
https://www.reuters.com/world/us/us-says-it-has-disrupted-notorious-qakbot-hacking-network-2023-08-29/

FBI operation tricked thousands of computers infected by Qakbot into uninstalling the malware | TechCrunch
https://techcrunch.com/2023/08/29/fbi-operation-qakbot-uninstall/

Qakbot infects victims' devices through spam emails carrying malicious attachments and links. Once a victim opens the attachment or clicks the link, Qakbot steals credentials from the system, deploys additional malware, and enrolls the device in a botnet that its operators control remotely.

Qakbot has remained highly active in recent years; according to security firm ReliaQuest, Qakbot was the most frequently observed malware loader from January to July 2023. Various ransomware gangs, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta, have used Qakbot as their initial means of infecting targets, the Justice Department said.



Victims were typically unaware that their devices were infected with Qakbot and were unknowingly used to spread malware as part of the botnet. Since 2008, Qakbot has been used in a range of cybercrimes, including ransomware attacks, and has caused hundreds of millions of dollars (tens of billions of yen) in damage to companies around the world, including in the United States.

"This botnet provided these cybercriminals with a command and control infrastructure consisting of hundreds of thousands of computers used to carry out attacks on individuals and businesses around the world," said FBI Director Christopher Wray.

To dismantle the Qakbot botnet, the FBI led an international operation involving the United States, France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. After obtaining legally authorized access to Qakbot's infrastructure, the FBI identified more than 700,000 infected devices worldwide that made up the botnet and redirected Qakbot traffic to servers controlled by the FBI.

The FBI then had the Qakbot-infected devices download a Qakbot uninstaller file, which disconnected them from the botnet and blocked further malware installations through Qakbot. This dismantled a botnet that had been rampant for years. The FBI also reports that it seized 52 servers in the United States and other countries, along with $8.6 million (approximately 1.26 billion yen) in proceeds accumulated through criminal activity.

"The FBI has crippled, brought to its knees, and shut down this extensive criminal supply chain," Wray said. "The cyber threats facing America are becoming more dangerous and complex every day. Our success proves that our own networks and our own capabilities are stronger."



in Security, Posted by log1h_ik