A coordinated law enforcement effort codenamed Operation Duck Hunt has felled QakBot, a notorious Windows malware family that's estimated to have compromised over 700,000 computers globally and facilitated financial fraud as well as ransomware.
In a statement, the U.S. Justice Department (DoJ) said the malware is "being deleted from victim computers, preventing it from doing any more harm," adding that it seized more than $8.6 million in cryptocurrency in illicit profits.
The cross-border exercise involved the participation of France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., alongside technical assistance from cybersecurity company Zscaler.
The dismantling has been hailed as "the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals." No arrests were announced.
QakBot, also known as QBot and Pinkslipbot, started its life as a banking trojan in 2007 before morphing into a general-purpose Swiss Army knife that acts as a distribution center for malicious code on infected machines, including ransomware, unbeknownst to the victims.
Some of the major ransomware families propagated through QakBot include Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. QakBot administrators are said to have received fees corresponding to approximately $58 million in ransoms paid by victims between October 2021 and April 2023.
"QakBot was a key enabler within the cyber crime ecosystem, facilitating ransomware attacks and other serious threats," Will Lyne, head of cyber intelligence at the U.K.'s National Crime Agency (NCA), said in a statement.
The counteroffensive against QakBot follows a similar takedown of Emotet in October 2020, which has since resurfaced following a major disruption to its backend infrastructure.
Typically distributed via phishing emails, the modular malware also comes fitted with command execution and information harvesting capabilities. It has seen constant updates during its lifetime, with the actors (codenamed Gold Lagoon or Mallard Spider) known to take extended breaks each summer before resuming their spamming campaigns.
"The victim computers infected with QakBot malware are part of a botnet (a network of compromised computers), meaning the perpetrators can remotely control all the infected computers in a coordinated manner," the DoJ said.
The joint effort, according to court documents, enabled access to QakBot infrastructure, thereby making it possible to redirect the botnet traffic to and through servers controlled by the U.S. Federal Bureau of Investigation (FBI) with the ultimate goal of neutralizing the "far-reaching criminal supply chain."
Specifically, the servers instructed the compromised endpoints to download an uninstaller file that's designed to untether the machines from the QakBot botnet, effectively preventing additional payloads from being delivered.