Qakbot Cracked: FBI and Friends Hack the Hackers
Operation Duck Hunt shoots to kill big botnet.
Qakbot is dead. The world’s biggest “loader” botnet has ceased to be. It’s a stiff. Bereft of life, it rests in peace—thanks to the U.S. Justice Department and European partners.
Also known as Qbot, Oakboat and Pinkslipbot, Qakbot has rung down the curtain. In today’s SB Blogwatch, we’ve gone to join the choir invisible.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Blue Skies.
Or is it just resting? Beautiful plumage.
What’s the craic? Christopher Bing and David Ljunggren report—“Partners have taken down notorious ‘Qakbot’ hacking network”:
“Originates from Russia”
An international law enforcement operation [has] taken down the notorious “Qakbot” malware platform used … in a variety of financial crimes. … The operation, nicknamed Duck Hunt, [also] involved … France, Germany, the Netherlands, Britain, Romania and Latvia.
…
U.S. attorney Martin Estrada said the move against Qakbot was the most significant technological and financial operation ever led by the [DoJ] against a botnet [and] as part of the operation, agencies seized 52 servers. [Qakbot] had infected more than 700,000 victim computers … and caused hundreds of millions of dollars in damage.
…
First discovered more than a decade ago, Qakbot is commonly spread through malicious, boobytrapped email. … Security researchers say they believe Qakbot originates from Russia.
How? Lawrence Abrams explains—“How the FBI nuked Qakbot malware from infected Windows PCs”:
“Authorized by a judge”
Qakbot, aka Qbot and Pinkslipbot, started as a banking Trojan in 2008. … However, over time, the malware evolved into a malware delivery service utilized by other threat actors. … In the past, Qakbot has partnered with multiple ransomware operations, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex … Black Basta and BlackCat/ALPHV.
…
The FBI [was] able to dismantle the botnet by seizing the attacker’s server infrastructure and creating a special removal tool that uninstalled the Qakbot malware. … They accessed the encryption keys [and] used an infected device under their control to contact each Tier-1 server and have it replace the … Qakbot “supernode” module with one created by law enforcement. This … used different encryption keys not known to the Qakbot operators, effectively locking them out of their own command and control infrastructure.
…
This Qakbot removal tool was authorized by a judge with a very limited scope of only removing the malware from infected devices. Furthermore [it] did not read or write anything to the hard drive.
Is this a big deal? All aboard the Brian Krebs cycle—“U.S. Hacks QakBot, Quietly Removes Botnet Infections”:
“Black Basta”
QakBot is by far the most prevalent malware loader: [It] accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.
…
Recently … QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022. … The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the Dutch National Police.
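If you want to check a password against the Have I Been Pwned corpus without handing the password (or its full hash) to anyone, the Pwned Passwords range endpoint lets you send only the first five hex characters of the SHA-1 and match the remaining 35 locally, which is the k-anonymity design HIBP publishes. The code below is an added example, not code from this post or from any of the sources quoted in it; it assumes the real `https://api.pwnedpasswords.com/range/<prefix>` endpoint and its `SUFFIX:COUNT` line format, and the sample reply it ships with is constructed for offline use (only the first line is a genuine SHA-1 suffix). Whether the specific Qakbot credential set landed in the Pwned Passwords corpus, as opposed to HIBP's breach search, is not stated on this page.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords endpoint; only a 5-hex-character prefix is sent.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API's reply to GET /range/5BAA6 (offline use).
# Real replies carry several hundred "SUFFIX:COUNT" lines per prefix. Only the
# first suffix below is genuine (SHA-1 of the string "password"); the rest are
# invented filler so the lookup has something to scan past.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
        "00000000000000000000000000000000000:1\r\n"
    ),
}


def hash_parts(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for the API: return the constructed reply, if any."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Query the real range endpoint (network required; not used by default)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how often `password` appears in the corpus, or 0 if absent.

    The service never sees the password or its full hash: it receives the
    prefix and returns every suffix under it, and the match happens here.
    """
    prefix, suffix = hash_parts(password)
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "a-passphrase-nobody-uses-Qbot-2023"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Swap `fetch_range_live` in for the default fetcher to query the real service; the prefix-only request is the whole point, so resist the temptation to "simplify" by sending the full hash.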
I think you ought to know, themagician is feeling very depressed:
Most of the world runs on Windows and people are logged in as admin. It’s a point and click world.
…
I’m surprised the internet connected world hasn’t collapsed yet. Every day seems to be a new kind of scam or malware. It takes incredible effort to safeguard systems today. One wrong click and in 5 minutes your entire life can be destroyed.
But no arrests? gweihir shares the blame around:
What about the people behind it? If they remain free, they can just build a new botnet. There are tons of Internet-connected devices out there with security that really sucks.
…
Not that I am in any way opposed to these scum attackers spending some time behind bars. … But that is not enough. … Manufacturers need to do a lot better.
They remain free—for now. u/Dr3adPir4teR0berts paints a picture:
[FBI] may very well know who is running the botnet. … They may not want to let the person who is running it know they’re on to them. They have done this before with hackers in places like Russia, where they won’t say **** and then the moment the hacker steps foot in a country where they can arrest him, they will grab them and bring them to the US to stand trial.
What of the unintended consequences? claimed foresees a slippery slope:
Good. … I’m glad they did it in this instance. … But the precedent is terrifying.
…
Now there is a precedent for, “We don’t like this software, we will remotely terminate it – cos judge.” Think about peer to peer networks, mirrors, or software updaters for e.g., Huawei.
Meanwhile, kiddico thinks they’re dreaming:
A 3-letter did a thing I like? Quick, someone pinch me.
And Finally:
Now playing: Music to compile a Blogwatch by
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Biel Morro (via Unsplash; leveled and cropped)