Operation Duck Hunt takes down QakBot malware responsible for global financial fraud and ransomware on 700,000 computers.

On Tuesday, U.S. authorities announced that a multinational operation had taken down a network that had infected hundreds of thousands of computers with malware and caused hundreds of millions of dollars in damage from cyberattacks around the globe.

The U.S. Justice Department (DoJ) said that the malware has been removed from victims' computers so that it cannot continue to cause harm, and that more than $8.6 million in cryptocurrency in illicit profits has been seized.

As part of the cross-border exercise, France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S. participated, with Zscaler providing technical assistance.

The QakBot trojan, also known as Pinkslipbot or QBot, began as a banking trojan in 2007 before evolving into a Swiss Army knife used to deliver additional malicious code, including ransomware, to infected machines.

Among the most significant ransomware families propagated by QakBot are Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. Between October 2021 and April 2023, QakBot administrators reportedly received fees equivalent to approximately $58 million in ransom payments from victims.

Secureworks' Counter Threat Unit (CTU) observed on 25 August 2023 that the botnet was distributing shellcode to infected devices. The shellcode unpacks a custom DLL (dynamic link library) executable containing code capable of terminating the running QakBot process on the host by means of the QPCMD_BOT_SHUTDOWN command.

Beyond its sophistication and adaptability, the operators are able to weaponise a wide range of file formats (PDF, HTML, ZIP) in their attack chains. QakBot's command-and-control (C2) servers are primarily located in the U.S., the U.K., India, Canada, and France, while its backend infrastructure is hosted in Russia.

As stated by the FBI, the infrastructure was disabled by tricking infected computers into downloading a file that directed the computers to uninstall the malware and untether themselves from the botnet.

According to senior FBI and Justice Department officials who spoke on the condition of anonymity to provide reporters with details about the operation, the affected victims would not be aware that the uninstall mechanism was active.

A senior official declined to comment on whether the QakBot network was linked to any particular country. The FBI did not announce any arrests and said the investigation into who was behind the network is ongoing.
