Project Hyphae

Qakbot Takedown – It ain’t over yet…

Share This Post

The U.S. Justice Department announced on 8/29/2023 that the Qakbot infrastructure and botnet had been taken down by an international law-enforcement effort. Additionally, this group uninstalled the Qakbot malware from known-infected devices. This is great news! (wait for it…) According to the DOJ, funds were seized from the criminal organization as well. Also great news! (wait for it…)

Keep waiting for it while we give you a little more information on Qakbot.

Qakbot (sometimes called QBot, Q.Bot, and pinkslipbot) has been around since 2007. Originally it was utilized as a banking trojan and primarily used to steal financial information. Over the years, it has evolved into a very capable command-and-control malware with a ton of capabilities. We’ve worked many cases involving Qakbot, and it’s always a nightmare to deal with. The malware is polymorphic, meaning that it changes it’s code as it propagates and thus makes hash-based detection ineffective. It is incredibly difficult to deal with once it has infiltrated an organization’s network.

Alright, enough waiting.

Here’s where we bring you the not-so-great news. In our investigations, Qakbot is often used (very effectively) to install additional persistence mechanisms on victim systems. Since the international taskforce was able to uninstall Qakbot from infected machines, we may not have to be as concerned about Qakbot as we normally would’ve been, but we do have to be mindful of additional persistence mechanisms that may have been left behind, as those wouldn’t have been covered by the taskforce’s actions. Many times these additional persistence mechanisms are command-and-control frameworks (C2), other malware, and even similar trojans such as Trickbot.

We generally consider a Qakbot detection to be pre-ransomware activity, as the eventual goal is often to deploy ransomware to the organization. Qakbot seems to always bring friends (additional C2, malware, tools, etc.) so just cleaning up the Qakbot is likely not enough.

Additionally, and this is more of a hunch to be clear, given that the taskforce seized funds belonging to these attackers it’s quite possible that they will lash out utilizing these additional persistence mechanisms either through anger or an attempt to regain their lost funds.

It is critical that if you have been notified of a Qakbot infection, either through this taskforce’s actions or through a detection from your security tools, you must perform a threat-hunt in your organization. As we often discuss with people who reach out to us regarding a Qakbot infection, if you saw one detection for Qakbot, it’s very likely that you have many, many more that haven’t been picked up by your antivirus/EDR. Since it is often utilized to install additional C2 or other persistence mechanisms makes any known Qakbot infection somewhat of an emergency.

Again for emphasis, if you know that you had a Qakbot infection, there is a high likelihood that the attackers still have a mechanism to connect to your systems and inflict harm. This is similar to a major vulnerability announcement where we would recommend that you patch AND threat-hunt any impacted systems.

DOJ Notice:

Reach out to our incident response team for help

More To Explore

CVE-2024-3596 | Attackers Blasting RADIUS

CVE-2024-3596 | CVSS:9.0 A new and emerging attacked named “Blast-RADIUS”, allows a man-in-the-middle attack between the RADIUS client and server to forge a valid protocol

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.