Qakbot's backbot: FBI-led takedown keeps crims at bay for just 3 months

Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet.

Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December 11 but attack attempts are currently low in volume.

The gang targets the hospitality sector, initially using phishing emails containing malicious PDF attachments that they've doctored to look like they come from the US Internal Revenue Service (IRS).

When opened, the PDF presents the target with an error screen indicating a preview of the document isn't available, alongside a button to download the document from "AdobeCloud."

Germán Fernández, security researcher at CronUp, said the same PDF template was used by Pikabot operators just days earlier – Windows malware that shares many similarities with Qakbot. Both are being associated with attacks from the group Proofpoint tracks as TA577.

Clicking the button in the PDF led to the download and installation of Qakbot, which Microsoft said may have been an updated payload. The previously unseen version, 0x500, was generated on December 11, according to its analysis.

The team at Zscaler ThreatLabz confirmed that the payload was updated, and the new version has a 64-bit architecture, uses AES for network encryption, and sends POST requests to path /teorema505.

Two researchers at Proofpoint, Tommy Madjar and Pim Trouerbach, also confirmed they had spotted updated Qakbot activity, but the new features only amount to "minor tweaks." 

They added that the new Qakbot activity goes back to November 28, roughly two weeks further than December 11 – the date Microsoft first spotted it.

Qakbot's takedown

August saw the conclusion of Operation Duck Hunt with what authorities said at the time was a takedown of Qakbot, seizing its infrastructure and 20 of its operators' crypto wallets.

The FBI, which oversaw Op Duck Hunt, said it was "the most significant technological and financial operation ever led by the Department of Justice against a botnet." 

The operation was also supported by authorities in the UK, France, Germany, the Netherlands, and Latvia, but didn't result in any arrests.

Dan Schiappa, chief product officer at security shop Arctic Wolf, said while praise should certainly go to the authorities that worked to bring down the original botnet, Qakbot's resurgence illustrates the difficulty in tackling cybercrime, especially without making arrests.

"The fact this botnet appears to have come back to life, as have others in the past, shows the challenge that we all have dealing with organized crime gangs who often run these sorts of campaigns. At times it can feel like we are playing a game of Whac a Mole… as soon as it's shut down it springs back somewhere else.

"What we need to recognize is that malware networks like Qakbot are businesses for the bad guys who operate a fluid and flexible business model. It means they can spin up new opportunities quickly to continue their lucrative activities, and bring online new resources to keep their businesses running. These organizations anticipate infrastructure being brought down and they are prepared to resurface like a Phoenix.

• Black Basta ransomware operation nets over $100M from victims in less than two years
• Leader of pro-Russia DDoS crew Killnet 'unmasked' by Russian state media
• Look out, Scattered Spider. FBI pumps 'significant' resources into snaring data-theft crew
• US officials close to persuading allies to not pay off ransomware crooks

"They also know that too many enterprises still fail to patch software or upgrade their security posture in the light of new threats. We encourage organizations to remain vigilant, implement robust cybersecurity measures, and educate their employees about the risks associated with phishing emails and other cyber threats."

Qakbot's revival may not come as a surprise to some, since Emotet was also taken down by an internationally co-ordinated law enforcement operation in 2021 but resurfaced again later that year.

At its height, Emotet controlled more than 1 million machines and was widely understood to be the most developed botnet in the world.

Emotet's return was met with concern from the infosec industry at the time, and in less than a year after its takedown it was once again ranked the number-one malware in operation.

However, since 2022, Emotet has tailed off, flittering between periods of activity and silence, and has laid dormant for months following a brief surge in March.

Jakub Kaloč, malware researcher at ESET, said in a July blog that Emotet's extended period of downtime is likely due to it "failing to find an effective, new attack vector."

Speaking to The Register, Selena Larson, senior threat intelligence analyst at Proofpoint, said there is still evidence to show that Operation Duck Hunt's disruption has had an impact on Qakbot's operations, but it may mirror Emotet's downfall and take time for it to fully die off.

"At this time Proofpoint is unable to assess with high confidence whether the Qbot activity will continue to limp along and have limited impact across the landscape or return to its previous activity levels," said Larson. 

"However, researchers can compare the activity to Emotet's return to the threat landscape after law enforcement disruption in 2021: Emotet returned with high-volume campaigns in late 2021 through 2022, but the botnet did not regain its earlier prominence and has not been observed in campaign data since March 2023."

Larson added: "It's also worth noting the Qbot law enforcement disruption removed hundreds of thousands of infections, which would significantly hamstring any recurring operations and require some rebuilding on the effort of the threat actors." ®