\n<\/p>\n
A global law<\/span> enforcement operation this week took down and dismantled<\/a> the notorious Qakbot botnet, touted as the largest U.S.-led financial and technical disruption of a botnet infrastructure.<\/p>\n Qakbot is a banking trojan that became infamous for providing an initial foothold on a victim\u2019s network<\/a> for other hackers to buy access and deliver their own malware, such as ransomware. U.S. officials said Qakbot has helped to facilitate more than 40 ransomware attacks over the past 18 months alone, generating $58 million in ransom payments.<\/p>\n The law enforcement operation, named \u201cOperation Duck Hunt,\u201d saw the FBI and its international partners seize Qakbot\u2019s infrastructure located in the United States and across Europe. The U.S. Department of Justice, which ran the operation alongside the FBI, also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will soon be made available to victims.<\/p>\n In Tuesday\u2019s announcement, the FBI said it carried out an operation that redirected the botnet\u2019s network traffic to servers under the U.S. government\u2019s control, allowing the feds to take control of the botnet. With this access, the FBI used the botnet to instruct Qakbot-infected machines around the world into downloading an FBI-built uninstaller that untethered the victim\u2019s computer from the botnet, preventing further installation of malware through Qakbot.<\/p>\n The FBI said its operation had identified approximately 700,000 devices infected with Qakbot as of June \u2014 including more than 200,000 located in the United States. During a call with reporters, a senior FBI official said that the total number of Qakbot victims is likely in the \u201cmillions.\u201d<\/p>\n Here\u2019s how Operation Duck Hunt went down.<\/p>\n According to the application for the operation\u2019s seizure warrant<\/a>, the FBI identified and gained access to the servers running the Qakbot botnet infrastructure hosted by an unnamed web hosting company, including systems used by the Qakbot administrators. The FBI also asked the court to require the web host to secretly produce a copy of the servers to prevent the host from notifying its customers, the Qakbot administrators.<\/p>\n Some of the systems the FBI got access to include the Qakbot\u2019s stack of virtual machines for testing their malware samples against popular antivirus engines, and Qakbot\u2019s servers for running phishing campaigns named after former U.S. presidents, knowing well that political-themed emails are likely to get opened. The FBI said it was also able to identify Qakbot wallets that contained crypto stolen by Qakbot\u2019s administrators.<\/p>\n \u201cThrough its investigation, the FBI has gained a comprehensive understanding of the structure and function of the Qakbot botnet,\u201d the application reads, describing its plan for the botnet takedown. \u201cBased on that knowledge, the FBI has developed a means to identify infected computers, collect information from them about the infection, disconnect them from the Qakbot botnet, and prevent the Qakbot administrators from further communicating with those infected computers.\u201d<\/p>\n Qakbot uses a system of tiered systems \u2014 described as Tier 1, Tier 2, and Tier 3 \u2014 to control the malware installed on infected computers around the world, according to the FBI and findings<\/a> by U.S. cybersecurity agency CISA.<\/p>\n The FBI said that Tier 1 systems are ordinary home or business computers \u2014 many of which were located in the United States \u2014 infected with Qakbot that also have an additional \u201csupernode\u201d module, which makes them part of the botnet\u2019s international control infrastructure. Tier 1 computers communicate with Tier 2 systems, which serve as a proxy for network traffic to conceal the main Tier 3 command and control server, which the administrators use to issue encrypted commands to its hundreds of thousands of infected machines.<\/p>\n With access to these systems and with knowledge of Qakbot\u2019s encryption keys, the FBI said it could decode and understand Qakbot\u2019s encrypted commands. Using those encryption keys, the FBI was able to instruct those Tier 1 \u201csupernode\u201d computers into swapping and replacing the supernode module with a new module developed by the FBI, which had new encryption keys that would lock out the Qakbot administrators from their own infrastructure.<\/p>\n According to an analysis<\/a> of the takedown efforts from cybersecurity company Secureworks, the delivery of the FBI module began on August 25 at 7:27pm in Washington DC.<\/p>\n The FBI then sent commands instructing those Tier 1 computers to communicate instead with a server that the FBI controlled, rather than Qakbot\u2019s Tier 2 servers. From there, the next time that a Qakbot-infected computer checked in with its servers \u2014 every one to four minutes or so \u2014 it would find itself seamlessly communicating with an FBI server instead.<\/p>\n After Qakbot-infected computers were funneled to the FBI\u2019s server, the server instructed the computer to download an uninstaller that removes the Qakbot malware altogether. (The uninstaller file was uploaded<\/a> to VirusTotal, an online malware and virus scanner run by Google.) This doesn\u2019t delete or remediate any malware that Qakbot delivered, but would block and prevent another initial Qakbot infection.<\/p>\n The FBI said that its server \u201cwill be a dead end,\u201d and that it \u201cwill not capture content from the infected computers,\u201d except for the computer\u2019s IP address and associated routing information so that the FBI can contact Qakbot victims.<\/p>\n \u201cThe Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm,\u201d prosecutors said Tuesday.<\/p>\n This is the most recent operational takedown the FBI has carried out in recent years.<\/p>\n In 2021, the feds carried out the first-of-its-kind operation to remove backdoors<\/a> planted by Chinese hackers on hacked Microsoft Exchange email servers. A year later, the FBI disrupted a massive botnet<\/a> used by Russian spies to launch powerful and disruptive cyberattacks designed to knock networks offline, and, earlier this year, knocked another Russian botnet offline<\/a> that had been operating since at least 2004.<\/p>\n<\/p><\/div>\nHow did the operation work?<\/h2>\n
Swap, replace, uninstall<\/h2>\n