On August 30th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory on the QakBot botnet [1]. The QakBot network has been active since 2007 and has grown into one of the largest botnets, infecting more than 700,000 computers. In a coordinated effort, law enforcement and cybersecurity agencies were able to disrupt and take over the QakBot infrastructure. In the advisory, CISA advises organizations to validate their security controls against QakBot-affiliated malware and to close the security gaps they find.
In this blog, we explain the QakBot network and Operation Duck Hunt in detail.
What is QakBot Botnet?
QakBot started its operations as a banking trojan and has been active since 2007. It is also known as Qbot and Pinkslipbot. Over time, QakBot evolved through newer variants and gained new capabilities, including keylogging, malware dropping, worm-like propagation, and backdoor access. It also adopted advanced persistence and defense evasion techniques to avoid detection. In its latest variants, QakBot became a full-fledged botnet that many threat actors use as a malware delivery service for ransomware, cyber espionage, and other malicious cyber activity. QakBot has been used in many ransomware operations, including ProLock, Egregor, REvil, Conti, RansomExx, Black Basta, and BlackCat (ALPHV). It is estimated that QakBot caused more than $58 million in damages in ransomware payments.
QakBot used phishing as its main malware distribution channel. The malware is typically delivered as a malicious attachment or link. These attachments take the form of Microsoft Office documents with malicious macros, OneNote files with embedded malware, and ISO images containing malicious executables. QakBot operators also designed their phishing attacks to exploit zero-day vulnerabilities in Windows operating systems.
After initial access, QakBot establishes persistence on the infected host via a Registry Run key. Using process injection into legitimate Windows processes, QakBot hides its presence and evades defensive security controls.
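A content-based triage check for the three attachment types named above, written as an added example for this post (not Picus or CISA code): it classifies an attachment by its bytes rather than its extension and flags macro-capable Office documents, OneNote files, and ISO images. The magic values come from the respective file-format specifications; the sample inputs are constructed inside the block.

```python
import io
import zipfile

# Magic values from the file-format specs (not from the blog post): OLE2 compound-file header
# (legacy .doc/.xls), ISO 9660 primary volume descriptor id at sector 16 (byte offset 0x8001),
# and the MS-ONESTORE .one file-type GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ISO_PVD_ID, ISO_PVD_OFFSET = b"CD001", 0x8001
ONENOTE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")
HIGH_RISK = {"office-legacy-macro-capable", "office-ooxml-with-macros", "onenote", "iso-image"}


def classify_attachment(data: bytes) -> str:
    """Classify an attachment by content, never by its file extension."""
    if data.startswith(OLE_MAGIC):
        return "office-legacy-macro-capable"  # binary Office formats can embed VBA
    if data.startswith(ONENOTE_MAGIC):
        return "onenote"
    if data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] == ISO_PVD_ID:
        return "iso-image"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "office-ooxml-with-macros"  # .docm/.xlsm-style VBA project present
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office-ooxml-no-macros"
        return "zip-other"
    return "other"


def is_high_risk(data: bytes) -> bool:
    return classify_attachment(data) in HIGH_RISK


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_iso() -> bytes:
    """Constructed minimal ISO 9660 image: type-1 primary volume descriptor at sector 16."""
    img = bytearray(0x8000 + 2048)
    img[0x8000] = 1
    img[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] = ISO_PVD_ID
    return bytes(img)
```

A mail gateway or sandbox pre-filter would run `is_high_risk` on each attachment and route the flagged ones to detonation or quarantine instead of relying on the declared file name.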
Figure 1: QakBot's Tiered C2 Servers [1]
As its main objective, QakBot scans the infected host for information to steal and exfiltrates sensitive data to its C2 servers. The botnet operators use a three-tiered C2 infrastructure to evade detection. Supernodes act as intermediaries between the upstream proxies and QakBot-infected hosts, relaying commands and communications in both directions. As of June 2023, 853 supernodes had been identified in 63 countries. These numbers show the scale of the QakBot operation and how many victims it affected. As the brains of the operation, the Tier 3 server controls the entire botnet through the upstream proxies.
The level of sophistication and size of the QakBot Botnet allowed its operators to conduct and facilitate major cyber attack campaigns with its affiliated threat actors.
Operation Duck Hunt: Dismantling the QakBot Botnet
For nearly 16 years, the QakBot botnet spread malware and facilitated cybercriminal activity. QakBot and its affiliates targeted financial services, governments, IT infrastructure, healthcare organizations, and many others, causing damage and disruption globally.
On August 25th, 2023, law enforcement and cybersecurity agencies from several countries dismantled the QakBot infrastructure in Operation Duck Hunt [2]. After seizing the QakBot operators' Tier 3 C2 server, the agencies deployed a special removal tool to remove the QakBot malware from infected devices. They were also able to gain access to QakBot admin computers and seize cryptocurrency wallets used by the QakBot operators containing nearly $9 million.
In its advisory, CISA warned organizations that the disruption of the QakBot infrastructure does not guarantee that QakBot or other previously installed malware has been removed from victims' computers. Organizations are advised to validate their security controls against QakBot and affiliated malware and to apply mitigation measures as soon as possible.
How Does Picus Help Simulate QakBot Malware Attacks?
We strongly suggest simulating QakBot malware attacks with the Picus Complete Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against hundreds of other botnet threats, such as Mirai, Necurs, Zeus, and Trickbot, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threats for QakBot malware:
Threat ID | Threat Name | Attack Module
--- | --- | ---
98558 | Qbot Malware Attack Campaign 2021 | Windows Endpoint
84228 | Qakbot Malware Downloader Download Threat | Network Infiltration
44453 | Qakbot Malware Downloader Email Threat | Email Infiltration (Phishing)
78858 | Qakbot Malware Dropper Download Threat | Network Infiltration
42084 | Qakbot Malware Dropper Email Threat | Email Infiltration (Phishing)
97665 | Qakbot Banking Malware Download Threat | Network Infiltration
36186 | Qakbot Banking Malware Email Threat | Email Infiltration (Phishing)
61744 | Qakbot Trojan Download Threat | Network Infiltration
77458 | Qakbot Trojan Email Threat | Email Infiltration (Phishing)
82572 | Qbot / Qakbot Trojan Download Threat - 1 | Network Infiltration
25753 | Qbot / Qakbot Trojan Email Threat | Email Infiltration (Phishing)
33661 | Qbot / Qakbot Trojan Download Threat - 2 | Network Infiltration
23971 | QAKBOT Loader Download Threat | Network Infiltration
55980 | QAKBOT Loader Email Threat | Email Infiltration (Phishing)
91678 | QakBot Banking Trojan Downloader Download Threat | Network Infiltration
76711 | QakBot Banking Trojan Downloader Email Threat | Email Infiltration (Phishing)
Moreover, the Picus Threat Library contains 300+ threats comprising 3000+ web application and vulnerability exploitation attacks, in addition to 1500+ endpoint, 8000+ malware, email and data exfiltration threats as of today.
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address QakBot and other malware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for QakBot malware:
Security Control | Signature ID | Signature Name
--- | --- | ---
Check Point NGFW | 0F8A6F35C | Infostealer.Win32.QBot.TC.a64aEPSC
Check Point NGFW | 0A24C9E56 | Infostealer.Win32.QBot.TC.224azHGX
Check Point NGFW | 0EF4A99DE | Infostealer.Win32.QBot.TC.490fYKyN
Check Point NGFW | 0F72D14D6 | Infostealer.Win32.QBot.TC.2a8dPhOe
Check Point NGFW | 0A35FDD5B | Infostealer.Win32.QBot.TC.9fbbdrjj
Check Point NGFW | 09F68EF0A | Infostealer.Win32.QBot.TC.b794uZbb
Check Point NGFW | 0BC1E8DDD | Infostealer.Win32.QBot.TC.73e6ApqL
Check Point NGFW | 097F3B681 | Infostealer.Win32.QBot.TC.987dAQHw
Check Point NGFW | 094AD8571 | Infostealer.Win32.QBot.TC.183eKDIX
Check Point NGFW | 0C061AD12 | Infostealer.Win32.QBot.TC.8116NAyF
Check Point NGFW | 0824E92C9 | Infostealer.Win32.QBot.TC.887duMso
Check Point NGFW | 0FDA83739 | Infostealer.Win32.QBot.TC.525aUarl
Check Point NGFW | 082A40A63 | TS_APT.Win32.MustangPanda.TC.4a5fHkzq
Check Point NGFW | 0CFA8509D | Trojan.Win32.Banking.Win32.Qbot.TC.f77ectSU
Check Point NGFW | 0D144397A | TS_APT.Win32.MustangPanda.TC.8cf9UvyH
Check Point NGFW | 0806D13DF | TS_APT.Win32.MustangPanda.TC.4885
Check Point NGFW | 0CA63BD2C | Banking.Win32.Qbot.TC.csfx
Check Point NGFW | 0FD9E231D | TS_APT.Win32.MustangPanda.TC.7796Oztb
Check Point NGFW | 08A47D321 | TS_APT.Win32.MustangPanda.TC.6883gVfQ
Check Point NGFW | 097379CEF | Banking.Win32.Qbot.TC.fuh
Check Point NGFW | 086E60399 | TS_APT.Win32.MustangPanda.TC.c56eeXub
Check Point NGFW | 096FCD9FE | Banking.Win32.Qbot.TC.csfu
Check Point NGFW | 0BF1FAA86 | TS_APT.Win32.MustangPanda.TC.494aG
Check Point NGFW | 08449F95C | Trojan.Win32.Qbot.TC.8c75ulra
Check Point NGFW | 0D79CCDF5 | Trojan.Win32.SilentBuilder.TC.ld
Check Point NGFW | 0E16246EE | Ransomware.Win32.Conti.TC.db
Check Point NGFW | 0D89FB412 | Ransomware.Win32.Conti.TC.cz
Check Point NGFW | 0EFED8A78 | Trojan.Win32.Malicious Binary.TC.dc37ONvF
Cisco FirePower | W32.Auto:eadbac.in03.Talos |
Cisco FirePower | Pdf.Downloader.Qakbot.MRT.Talos |
Cisco FirePower | W32.Auto:ce0b6e.in03.Talos |
Cisco FirePower | W32.Auto:a837d6.in03.Talos |
Cisco FirePower | W32.56460C4133-95.SBX.TG |
Cisco FirePower | W32.1F655F3030.qbot.in11.Talos |
Cisco FirePower | W32.Auto:72b9c3.in03.Talos |
Cisco FirePower | W32.Auto:f2f80e.in03.Talos |
Cisco FirePower | Win.Dropper.Qbot::1201 |
Cisco FirePower | Doc.Trojan.Qakbot::MRTART::W32.50710334B8-100.SBX.TG |
Cisco FirePower | Win.Dropper.Qbot::in03.talos |
Cisco FirePower | W32.Auto:fcadad404a.in03.Talos |
Cisco FirePower | Auto.12017410B5.242545.in07.Talos |
Cisco FirePower | Xls.b860741a19.Codphish.MRT.Talos |
Cisco FirePower | Xls.b421d126e1.Codphish.MRT.Talos |
Cisco FirePower | Auto.9C3F2A3170.242546.in07.Talos |
Forcepoint NGFW | File_Malware-Blocked |
Fortigate AV | 10128689 | JS/Agent.F19F!tr
Fortigate AV | 10132352 | PDF/Phishing.EF14!tr
Fortigate AV | 10137308 | W64/Phishing.F755!tr
Fortigate AV | 10138630 | PDF/Qakbot.2PHP!tr
Fortigate AV | 10132425 | VBS/Agent.5A82!tr
Fortigate AV | 62183 | PossibleThreat
Fortigate AV | 10090164 | W32/Qbot.DM!tr
Fortigate AV | 6697202 | W32/Kryptik.DFOZ!tr
Fortigate AV | 8180818 | W32/Kryptik.HAZJ!tr
Fortigate AV | 8026538 | W32/GenKryptik.DDRU!tr
Fortigate AV | 8240133 | VBS/Agent.ZU!tr
Fortigate AV | 8137058 | W32/RTM.AG!tr
Fortigate AV | 10105751 | W32/Qbot.H!tr
Fortigate AV | 10072425 | MSExcel/Agent.2285!tr.dldr
Fortigate AV | 10071319 | MSExcel/Agent.CCA4!tr.dldr
McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Palo Alto NGFW | 584963994 | Trojan/Win64.qakbot.ivc
Palo Alto NGFW | 596938752 | Virus/Win32.WGeneric.eaafmw
Palo Alto NGFW | 574577053 | trojan/Win32.qakbot.jbc
Palo Alto NGFW | 584585070 | Trojan/Win32.qakbot.ivl
Palo Alto NGFW | 581930886 | Virus/Win32.highconfidence.ao
Palo Alto NGFW | 579439584 | Trojan/Win32.qakbot.iqx
Palo Alto NGFW | 45642966 | Trojan-Spy/Win32.spyeyes.aqej
Palo Alto NGFW | 113725964 | Trojan/Win32.bublik.ttf
Palo Alto NGFW | 373371762 | trojan/Win32 EXE.qbot.qno
Palo Alto NGFW | 543174446 | trojan/Win32.fragtor.el
Palo Alto NGFW | 453533813 | Trojan-Downloader/MSOffice.sload.fuc
Palo Alto NGFW | 453837674 | Trojan-Downloader/MSOffice.sload.gad
Snort | 1.54385.1 | MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] "Identification and Disruption of QakBot Infrastructure," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a. [Accessed: Aug. 31, 2023]
[2] "Qakbot botnet infrastructure shattered after international operation," Europol. Available: https://www.europol.europa.eu/media-press/newsroom/news/qakbot-botnet-infrastructure-shattered-after-international-operation. [Accessed: Aug. 31, 2023]