Categories: cyber security

Is QakBot Malware Officially Dead?

Only a few malware families can claim to have persisted for nearly twenty years, and QakBot (also referred to as QBot) stands among them as one of the most enduring. Since its first appearance in 2008, it has been deployed in numerous attacks, causing significant financial losses of hundreds of millions of dollars.

However, it appears that the recent actions taken by the FBI in cracking down on QakBot’s operations may have dealt a fatal blow to the malware’s activities. Despite this, the past has shown us that malware can sometimes recover from such setbacks.

What is QakBot?

QakBot is a malware family with a modular design that allows it to operate both as a Remote Access Trojan (RAT) and a loader. Historically, attacks involving this malicious software have primarily targeted businesses in the United States and focused on stealing banking information and other financial credentials.

The malicious software leverages man-in-the-browser functionality, which enables it to execute web injections, manipulating the banking website content that victims view while browsing from an infected device. 

QakBot also exhibits worm-like behavior, allowing it to propagate through shared drives and network systems, further complicating its eradication efforts.

Considering the malware’s primary emphasis on the corporate sector, its most prevalent means of infiltrating systems has been through a malicious document distributed as part of phishing campaigns. For instance, the typical execution path of such a maldoc can be traced using ANY.RUN’s analysis of a QBot sample.

The process tree created by the QBot sample

The attack begins with a victim downloading the maldoc, which, upon launch, initiates a series of processes by leveraging macros. From there, QBot uses cmd.exe to start a chain of commands and executions, creating folders and temporary files. The trojan then utilizes Powershell to download the payload, which often has a simple name of six digits or letters and a .png extension, despite being an executable file. 

Once QBot begins its main execution, it attempts to evade detection by overwriting itself with legitimate Windows processes like calc.exe (calculator), injecting explorer.exe, and adding itself to autorun to gain persistence.

Document
Start with a free account

See the execution path of any malicious file or link with ANY.RUN. !

Interact with the VM for up to 20 mins, collect IOCs and configurations, and enjoy unlimited analysis for free.

The FBI’s Disruption of QBot’s Operations

In August 2023, the FBI announced that in collaboration with other law enforcement agencies, it had successfully taken down the QBot network, resulting in the elimination of the malware from over 700,000 infected computers.

The operation involved accessing Qakbot’s command-and-control infrastructure and redirecting its traffic to the FBI’s servers. These servers then instructed infected computers to download an uninstaller file, effectively removing the malware from the machines.

The agency recovered millions of dollars in cryptocurrency and credentials of more than 6 million victims, including email addresses and passwords. Additionally, the FBI seized 52 servers, which will permanently dismantle the botnet.

Will this put an end to QBot?

Still, the question remains: Will the recent successful operation be the final nail in QBot’s coffin? Unfortunately, it is unlikely, as plenty of similar precedents have existed.

For instance, in 2021, international law enforcement agencies, including the FBI, took down Emotet, one of the largest botnets in history, responsible for infecting over a million computers globally. Interestingly, the tactic employed by the agencies was similar to the one used against QBot: Access to the botnet’s infrastructure was gained, and the malware was uninstalled from all the infected machines using special software. However, 10 months after the crackdown, Emotet was back to its entire operation.

Such precedents demonstrate that QakBot still has the potential to return more robust than before, especially given that no arrests of the actual group of developers behind the malware have been made. All of this suggests that QBot is likely to regain its lost position as one of the most persistent threats.

Conclusion

Although QakBot may have been temporarily removed from the global threat landscape, it is crucial to remain cautious and prepared for its return in the future. To be equipped to rise to any cybersecurity challenge, use ANY.RUN. 

It is a regularly updated malware sandbox with an excellent track record of exposing the malicious activities of the newest threats and the latest versions of the existing ones. 

Coupled with its unmatched interactivity and a wide selection of VM configuration settings, ANY.RUN will be your best partner in conducting in-depth analysis of the most advanced malware samples in the comfort of an intuitive web interface.

You can use ANY.RUN sandbox for free without limit to get nearly instant reports on any file or link, gain an in-depth look at their activities, and discover the latest samples in the service’s database. 

Cyber Writes

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: business@cyberwrites.com

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

3 hours ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

6 hours ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

6 hours ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

6 hours ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

8 hours ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

10 hours ago