Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
August 30, 2023

The removal of Qakbot from infected computers is just the first step

The Qakbot botnet has been disrupted by an international law enforcement operation that culminated last weekend, when infected computers started getting untethered from it by specially crafted FBI software.

Arranging a widespread Qakbot removal

The Qakbot administrators use a system of tiered servers (Tier 1, Tier 2, and Tier 3) to control the Qakbot malware installed on infected computers.

“Tier 1 servers are computers infected with Qakbot that have an additional software ‘supernode’ module installed that makes them part of the control infrastructure for the botnet,” the FBI explained in an application for a search warrant. Tier 2 and Tier 3 servers are rented servers.

Tier 1 and Tier 2 servers forward communications between Qakbot-infected computers and the Tier 3 server, which is the server through which the botnet is controlled. Tier 3 servers can be used by Qakbot administrators or by other cybercriminals who paid to send instructions to the infected computers.

“Those instructions can include downloading and installing on the victim computer a new version of the Qakbot malware or other malware, including ransomware. All of these communications are encrypted using keys known to the Qakbot administrators (and, as a result of this investigation, to the FBI).”

The FBI used a computer it controls to instruct the Tier 1 servers to download and install an FBI-created module containing a new encryption key. That key severs communication between the Qakbot administrators and the Tier 1 servers and redirects it to an FBI-controlled server.

From that server, an additional program is downloaded that uninstalls the Qakbot malware and gathers the computer’s IP address and associated routing information, so that the FBI can get in touch with Qakbot victims.

Secureworks threat researchers have published additional technical information on the Windows DLL used to terminate the running Qakbot process on the host for good.

According to Secureworks, the delivery of that module began at 23:27 UTC on August 25 BST (that’s 07:27 p.m. EST, August 25).

Additional clean-up efforts required

There have been other instances when the FBI has been given legal permission to disable or remove malware from compromised devices. Earlier this year it went after the Snake malware, and in 2021 it removed malicious web shells from US-based Microsoft Exchange servers.

With Qakbot being one of the most prevalent malware families out there, and one that leads to further infections and disruptions, it’s no wonder the FBI aimed to uninstall it and take down the botnet’s infrastructure.

Abuse.ch, an organization that focuses on identifying, tracking and sharing threat intelligence about cyber threats, shows that all the original Qakbot C2 servers are currently offline.

Since Qakbot also tries to steal email credentials so that the botnet operators can leverage compromised email accounts to deliver the malware to more potential victims, the Have I Been Pwned service and the Dutch National Police allow users to check whether they are among the victims.

But even if users don’t find their email address there, it doesn’t mean they haven’t been infected with Qakbot. The infection is usually imperceptible, and the FBI’s removal of the malware is similarly unnoticeable to users.

“The FBI has identified the IP addresses of many putative victim computers. Based on publicly available records and IP address geolocation, the FBI can determine the geographic region where devices using a specific IP address are likely to be located,” the Bureau stated.

The list of IPs has been shared with organizations such as The Spamhaus Project, which will notify the email service providers and hosting companies responsible for compromised accounts so they can reset the passwords on those accounts, and the Shadowserver Foundation, which will send reports to national computer security incident response teams (CSIRTs) and network owners, to help them notify any remaining victims and deal with the other malware delivered by Qakbot.

UPDATE (August 30, 2023, 03:50 a.m. ET):

CISA and the FBI have shared more information and indicators of compromise to help organizations detect and protect against QakBot-related activity and malware.
