FBI on a Wild Duck Hunt after Qakbot

The FBI and law enforcement agencies have orchestrated an unprecedented strike against the Qakbot botnet, effectively quelling a longstanding digital menace. Aptly named “Operation Duck Hunt,” this effort led by the FBI has successfully eradicated Qakbot’s infrastructure and uninstalled the malware from the very devices it had plagued.

Qakbot, also known as Qbot and Pinkslipbot, emerged in 2008 as a banking trojan. Over time, its purpose evolved to serve a more sinister agenda, acting as a springboard for many other cyber threats. Delivered through phishing campaigns, the malware would insidiously infiltrate devices, paving the way for ransomware attacks, data theft, and other malicious activities.

The FBI infiltrated Qakbot’s network, assumed control of its communication channels, and identified 700,000 infected devices worldwide (200,000 of them in the U.S.).

How the FBI Dismantled Qakbot

The anatomy of the botnet revealed a hierarchical structure of Tier-1, Tier-2, and Tier-3 servers. Tier-1 servers were infected devices harboring a “supernode” module and functioning as part of the command-and-control framework; some of them were situated in the U.S. Tier-2 servers, by contrast, were run by the Qakbot administrators on servers outside the country.

The communication network was intricately woven, with Tier-3 servers serving as the central command hubs that issued orders to execute commands and delivered new malicious modules to the compromised devices.

Armed with encryption keys obtained by infiltrating Qakbot’s infrastructure, the FBI crafted a new “supernode” module. This replacement module used encryption keys unknown to the malware operators, effectively locking them out of their own network.

The FBI then designed a custom removal tool, a Windows DLL, which was pushed to infected devices from the now-hijacked Tier-1 servers. The tool executed a command that halted the Qakbot malware process on the infected machines, effectively neutralizing its activity.

The operation was meticulously orchestrated, with the FBI’s actions authorized by a judge to ensure a limited scope focused solely on removing the malware. Importantly, this removal didn’t require reading from or writing to the devices’ hard drives, so it left no residual traces.

The story is far from over as the dust settles from this triumphant encounter. The FBI made no arrests, leaving the door open for Qakbot’s operators to regroup and poke their heads out again in the digital waters.
