The Qakbot botnet has been disrupted by an international law enforcement operation that culminated last weekend, when infected computers started getting untethered from it by specially crafted FBI software.
Arranging a widespread Qakbot removal
The Qakbot administrators use a system of tiered servers (Tier 1, Tier 2, and Tier 3) to control the Qakbot malware installed on infected computers.
“Tier 1 servers are computers infected with Qakbot that have an additional software ‘supernode’ module installed that make them part of the control infrastructure for the botnet,” the FBI explained in an application for a search warrant. The Tier 2 and Tier 3 servers are rented.
Tier 1 and Tier 2 servers forward communications between Qakbot-infected computers and the Tier 3 server, which is the server through which the botnet is controlled. Tier 3 servers can be used by Qakbot administrators or other cyber criminals who paid to send instructions to the infected computers.
“Those instructions can include downloading and installing on the victim computer a new version of the Qakbot malware or other malware, including ransomware. All of these communications are encrypted using keys known to the Qakbot administrators (and, as a result of this investigation, to the FBI).”
The FBI used a computer they control to instruct Tier 1 servers to download and install an FBI-created module that contains a new encryption key, to sever the communication between the Qakbot administrators and the Tier 1 servers and establish communication to an FBI-controlled server.
From that server, an additional program is downloaded that uninstalls the Qakbot malware and gathers the computer’s IP address and associated routing information so that the FBI can get in touch with Qakbot victims.
Secureworks threat researchers have additional technical info on the Windows DLL executable used to terminate the running Qakbot process on the host for good.
According to Secureworks, the delivery of that module began at 23:27 UTC on August 25 BST (that’s 07:27 p.m. EST, August 25).
Additional clean-up efforts required
There have been other instances when the FBI has been given legal permission to disable or remove malware from compromised devices. Earlier this year, they went after the Snake malware, and in 2021 they removed malicious web shells from US-based Microsoft Exchange servers.
With Qakbot being one of the most prevalent malware families out there and leading to more infections and disruptions, it’s no wonder the FBI aimed to uninstall it and take down the botnet’s infrastructure.
Abuse.ch, an organization that focuses on identifying, tracking and sharing threat intelligence about cyber threats, shows that all the original Qakbot C2 servers are currently offline.
Since Qakbot also tries to steal email credentials so that the botnet operators can leverage compromised email accounts to deliver the malware to more potential victims, the Have I Been Pwned service and the Dutch National Police allow users to check whether they are among the victims.
But even if they don’t find their email there, it doesn’t mean that they haven’t been infected with Qakbot. The infection is usually imperceptible, and the FBI’s removal of the malware is similarly unnoticeable to users.
“The FBI has identified the IP addresses of many putative victim computers. Based on publicly available records and IP address geolocation, the FBI can determine the geographic region where devices using a specific IP address are likely to be located,” the Bureau stated.
The list of IPs has been shared with organizations such as The Spamhaus Project, which will notify email service providers and hosting companies responsible for compromised accounts so they can reset the passwords on those accounts, and the Shadowserver Foundation, which will send a report to national computer security incident response teams (CSIRTs) and network owners, to help them notify any remaining victims and help them deal with the other malware delivered by Qakbot.
UPDATE (August 30, 2023, 03:50 a.m. ET):
CISA and the FBI have shared more information and indicators of compromise to help organizations detect and protect against QakBot-related activity and malware.