Blog entry by Les Bell

by Les Bell - Wednesday, 30 August 2023, 10:28 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


FBI Takes Down Qakbot

The US DoJ and FBI have announced their successful disruption of the long-running Qakbot malware botnet in an international operation called "Operation Duck Hunt".

Qakbot appeared in 2008, initially as a banking trojan, but in the years since then it has evolved, through continual updates, into a general-purpose trojan dropper or second-stage loader used by multiple threat actor groups as a remote access trojan; its modular design provides remote code execution, the ability to install ransomware, keystroke logging and other functions. It can also be classified as a worm, since it can propagate itself to other systems on a network. Over the years, it has proved popular with ransomware gangs such as REvil, ProLock, ALPHV/BlackCat and LockBit, who use it in their big game hunting.

Threat actors have usually obtained initial access by using malmail phishing campaigns; their emails carry malicious files - sometimes MS Office documents with malicious macros, but also archives such as ISO images - which the victim is lured into opening and running. The payload then injects the Qakbot code into the memory of a legitimate process in order to evade detection.
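As an added illustration of the delivery chain just described (this is example code, not part of the original post or of any named vendor's tooling), here is a small Python triage routine that runs over constructed mail-gateway records and flags the two carrier types the post names: macro-bearing Office documents and disk images such as ISO files, including when the image is nested inside an archive. The record format, field names, extension lists and sample messages are assumptions made up for this example.

```python
"""Attachment triage for the Qakbot-style delivery chain: macro-bearing
Office documents and disk-image containers (ISO and friends) that smuggle
an executable or script the victim is lured into running.

Added example, not from the original post; the record format, field names
and sample messages below are constructed for illustration.
"""
import json
import posixpath

# Extension classes used by the triage rules (assumed, but typical).
MACRO_OFFICE = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}  # can carry macros
DISK_IMAGES = {".iso", ".img", ".vhd", ".vhdx"}                     # mountable containers
ARCHIVES = {".zip", ".7z", ".rar"}                                   # opened by the user
EXECUTABLE = {".exe", ".dll", ".lnk", ".js", ".vbs", ".wsf", ".hta", ".cmd", ".bat"}

SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}
MAX_NESTING = 4  # stop descending into absurdly deep container chains


def _ext(name):
    """Lower-cased file extension including the dot, e.g. '.iso'."""
    return posixpath.splitext(name.lower())[1]


def triage_attachment(att, depth=0):
    """Return a list of (severity, reason) findings for one attachment record.

    A record is a dict with 'name', an optional boolean 'has_macros', and an
    optional 'contains' list of nested records for archives and disk images
    (assumed to be produced by the gateway's content inspection)."""
    if depth > MAX_NESTING:
        return [("medium", f"{att['name']}: container nesting deeper than {MAX_NESTING}")]

    findings = []
    ext = _ext(att["name"])

    if ext in MACRO_OFFICE and att.get("has_macros"):
        findings.append(("high", f"{att['name']}: Office document carrying macros"))

    if ext in DISK_IMAGES:
        # The image itself is unusual in mail; an executable inside it is the lure.
        findings.append(("medium", f"{att['name']}: disk image attachment"))
        for inner in att.get("contains", []):
            if _ext(inner["name"]) in EXECUTABLE:
                findings.append(("high", f"{att['name']} -> {inner['name']}: executable inside disk image"))
            else:
                findings.extend(triage_attachment(inner, depth + 1))

    if ext in ARCHIVES:
        # Archives are transparent: keep walking into whatever they wrap.
        for inner in att.get("contains", []):
            findings.extend(triage_attachment(inner, depth + 1))

    return findings


def triage_log(lines):
    """Parse JSON-lines gateway records and summarise each message.

    Returns {msg_id: {"severity": str, "findings": [(severity, reason), ...]}}."""
    report = {}
    for line in lines:
        rec = json.loads(line)
        findings = []
        for att in rec.get("attachments", []):
            findings.extend(triage_attachment(att))
        worst = max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__, default="none")
        report[rec["msg_id"]] = {"severity": worst, "findings": findings}
    return report


# Constructed sample records: one macro lure, one archive -> ISO -> LNK/DLL chain,
# and one benign PDF newsletter.
SAMPLE_LOG = [
    '{"msg_id": "m1", "from": "billing@example.test", "attachments": '
    '[{"name": "Invoice_8827.docm", "has_macros": true}]}',
    '{"msg_id": "m2", "from": "hr@example.test", "attachments": '
    '[{"name": "Documents.zip", "contains": [{"name": "Documents.iso", "contains": '
    '[{"name": "Documents.lnk"}, {"name": "helper.dll"}]}]}]}',
    '{"msg_id": "m3", "from": "news@example.test", "attachments": '
    '[{"name": "newsletter.pdf"}]}',
]

if __name__ == "__main__":
    for msg_id, summary in triage_log(SAMPLE_LOG).items():
        print(msg_id, summary["severity"])
        for sev, reason in summary["findings"]:
            print("   ", sev, reason)
```

The rule deliberately treats a bare disk image as only medium and escalates to high when the image wraps a script, shortcut or DLL, because that combination is the part of the chain that actually runs code on the endpoint; a gateway that only matches on the outer ZIP would miss it.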

The FBI operation, which was conducted with international partners in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom, involved accessing the Qakbot C2 infrastructure; this allowed the identification of over 700,000 Qakbot-infected computers worldwide, including over 200,000 in the US. The Qakbot botnet traffic was then redirected to servers controlled by the FBI.

Now comes the "clever" part: in conjunction with technical partners, the FBI developed an uninstaller program for Qakbot, and their servers instructed the infected computers to download and run the uninstaller. The uninstaller consists of shellcode which unpacks a custom DLL; that DLL sends a QPCMD_BOT_SHUTDOWN command via the named pipe Qakbot uses for interprocess communication. This has the effect of shutting down the Qakbot main thread and exiting the process in such a way that it will not restart after a reboot.

Many users will have been unaware that their systems had been infected, and the FBI's removal process is similarly invisible, so possible victims should check with services like https://haveibeenpwned.com/ to discover whether they were affected.

This operation has significantly disrupted the Qakbot botnet, but no arrests have been made, so its operators will doubtless be back with a new generation of their malware. In the meantime, the way the FBI invisibly distributed their uninstaller program is bound to renew debate about the ethical basis of the no-longer-quite-so-hypothetical 'good virus' approach to defeating malware. The argument used to be that users should be in control of every piece of code that runs on their system, but the complexity and opacity of today's operating systems and applications means that that particular horse bolted from the stable years ago.

Office of Public Affairs, US Department of Justice, Qakbot Malware Disrupted in International Cyber Takedown, press release, 29 August 2023. Available online at https://www.justice.gov/opa/pr/qakbot-malware-disrupted-international-cyber-takedown.

Federal Bureau of Investigation, FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown, news release, 29 August 2023. Available online at https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown.

Secureworks, Law Enforcement Takes Down Qakbot, blog post, 29 August 2023. Available online at https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

[ Modified: Wednesday, 30 August 2023, 10:29 AM ]