Only a few malware families can claim to have persisted for nearly twenty years, and QakBot (also referred to as QBot) stands among them as one of the most enduring. Since its first appearance in 2008, it has been deployed in numerous attacks, causing significant financial losses of hundreds of millions of dollars.
However, it appears that the recent actions taken by the FBI in cracking down on QakBot’s operations may have dealt a fatal blow to the malware’s activities. Despite this, the past has shown us that malware can sometimes recover from such setbacks.
QakBot is a malware family with a modular design that allows it to operate both as a Remote Access Trojan (RAT) and a loader. Historically, attacks involving this malicious software have primarily targeted businesses in the United States and focused on stealing banking information and other financial credentials.
The malicious software leverages man-in-the-browser functionality, which enables it to execute web injections, manipulating the banking website content that victims view while browsing from an infected device.
QakBot also exhibits worm-like behavior, allowing it to propagate through shared drives and network systems, further complicating its eradication efforts.
Considering the malware’s primary emphasis on the corporate sector, its most prevalent means of infiltrating systems has been through a malicious document distributed as part of phishing campaigns. For instance, the typical execution path of such a maldoc can be traced using ANY.RUN’s analysis of a QBot sample.
The attack begins with a victim downloading the maldoc, which, upon launch, initiates a series of processes by leveraging macros. From there, QBot uses cmd.exe to start a chain of commands and executions, creating folders and temporary files. The trojan then utilizes Powershell to download the payload, which often has a simple name of six digits or letters and a .png extension, despite being an executable file.
Once QBot begins its main execution, it attempts to evade detection by overwriting itself with legitimate Windows processes like calc.exe (calculator), injecting explorer.exe, and adding itself to autorun to gain persistence.
Interact with the VM for up to 20 mins, collect IOCs and configurations, and enjoy unlimited analysis for free.
The FBI’s Disruption of QBot’s Operations
In August 2023, the FBI announced that in collaboration with other law enforcement agencies, it had successfully taken down the QBot network, resulting in the elimination of the malware from over 700,000 infected computers.
The operation involved accessing Qakbot’s command-and-control infrastructure and redirecting its traffic to the FBI’s servers. These servers then instructed infected computers to download an uninstaller file, effectively removing the malware from the machines.
The agency recovered millions of dollars in cryptocurrency and credentials of more than 6 million victims, including email addresses and passwords. Additionally, the FBI seized 52 servers, which will permanently dismantle the botnet.
Will this put an end to QBot?
Still, the question remains: Will the recent successful operation be the final nail in QBot’s coffin? Unfortunately, it is unlikely, as plenty of similar precedents have existed.
For instance, in 2021, international law enforcement agencies, including the FBI, took down Emotet, one of the largest botnets in history, responsible for infecting over a million computers globally. Interestingly, the tactic employed by the agencies was similar to the one used against QBot: Access to the botnet’s infrastructure was gained, and the malware was uninstalled from all the infected machines using special software. However, 10 months after the crackdown, Emotet was back to its entire operation.
Such precedents demonstrate that QakBot still has the potential to return more robust than before, especially given that no arrests of the actual group of developers behind the malware have been made. All of this suggests that QBot is likely to regain its lost position as one of the most persistent threats.
Conclusion
Although QakBot may have been temporarily removed from the global threat landscape, it is crucial to remain cautious and prepared for its return in the future. To be equipped to rise to any cybersecurity challenge, use ANY.RUN.
It is a regularly updated malware sandbox with an excellent track record of exposing the malicious activities of the newest threats and the latest versions of the existing ones.
Coupled with its unmatched interactivity and a wide selection of VM configuration settings, ANY.RUN will be your best partner in conducting in-depth analysis of the most advanced malware samples in the comfort of an intuitive web interface.
You can use ANY.RUN sandbox for free without limit to get nearly instant reports on any file or link, gain an in-depth look at their activities, and discover the latest samples in the service’s database.