CISA Alert AA23-242A: Operation Duck Hunt - Taking Down QakBot Botnet

The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On August 30th, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint advisory on QakBot Botnet [1]. QakBot network has been active since 2007 and has become one of the largest botnets, infecting more than 700,000 computers.  In a coordinated effort, law enforcement and cybersecurity agencies were able to disrupt and take over the QakBot infrastructure. In the advisory, CISA advises organizations to validate their security controls against QakBot-affiliated malware and mitigate their security gaps.

In this blog, we explained the QakBot network and Operation Duck Hunt in detail.

Simulate Botnet Malware Attacks with 14-Day Free Trial of Picus Platform

What is QakBot Botnet?

Qakbot started its operations as a banking trojan and is known to be active since 2007. Qakbot is also known as Qbot and Pinkslipbot. Over time, QakBot malware evolved with newer variants and gained several new capabilities such as keylogger, malware dropper, worm, and backdoor. It also adopted advanced persistence and defense evasion techniques to evade detection. In its latest variants, QakBot malware became a full-fledged botnet and is utilized by many threat actors as a malware delivery service for ransomware, cyber espionage, and other malicious cyber activities. Qakbot is used in many ransomware operations, including ProLock, Egregor, REvil, Conti, RansomExx, Black Basta, and BlackCat (ALPHV). It is estimated that Qakbot caused more than $58 million of damages in ransomware payments.

Qakbot used phishing as a major malware distribution channel. The malware is often delivered as a malicious attachment or link. These malicious attachments are in the form of Microsoft Office documents with malicious macros, OneNote files with embedded malware, and ISO attachments with malicious executables. Qakbot operators designed their phishing attacks to exploit zero-day vulnerabilities in Windows operating systems.

After initial access, QakBot establishes persistence in the infected host via the Registry Run Key. Using process injection into legitimate Windows processes, QakBot hides its presence and evades defensive security controls. 

QakBot
Figure 1: QakBot's Tiered C2 Servers [1]

As its main objective, QakBot scans the infected host for information to steal and exfiltrates sensitive data to its C2 servers. The operators of the botnet use a three-tiered C2 infrastructure to evade detection. Supernodes of the botnet act as an intermediary between Upstream Proxies and relay commands and communications to and from Qakbot-infected hosts. As of June 2023, 853 supernodes have been identified in 63 countries. These numbers reflect the scale of how large the QakBot operation is and how many victims it impacted. As the brains of the operation, the Tier 3 server controls the entire botnet through Upstream Proxies.

The level of sophistication and size of the QakBot Botnet allowed its operators to conduct and facilitate major cyber attack campaigns with its affiliated threat actors.

Operation Duck Hunt: Dismantling the QakBot Botnet

For nearly 16 years, QakBot Botnet infected malware and facilitated cyber criminal activities. QakBot and its affiliates targeted financial services, governments, IT infrastructures, healthcare organizations, and many others, causing damages and disruption globally.

On August 25th, 2023, law enforcement and cybersecurity agencies from various countries dismantled the QakBot infrastructure through Operation Duck Hunt [2]. After seizing the Tier 3 C2 server of QakBot operators, a special removal tool is deployed to remove the QakBot malware from infected devices. Agencies were also able to gain access to QakBot admin computers and seize cryptocurrency wallets used by Qakbot operators containing nearly $9 million.

In their advisory, CISA warned organizations that disruption of QakBot infrastructure does not guarantee mitigation of QakBot or other previously installed malware in the victims' computers. Organizations are advised to validate their security controls against QakBot and other affiliated malware and apply mitigation measures as soon as possible.

How Picus Helps Simulate QakBot Malware Attacks?

We also strongly suggest simulating QakBot malware attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other botnet threat actors, such as Mirai, Necurs, Zeus, and Trickbot, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for QakBot malware

Threat ID

Threat Name

Attack Module

98558

Qbot Malware Attack Campaign 2021

Windows Endpoint

84228

Qakbot Malware Downloader Download Threat

Network Infiltration

44453

Qakbot Malware Downloader Email Threat

Email Infiltration (Phishing)

78858

Qakbot Malware Dropper Download Threat

Network Infiltration

42084

Qakbot Malware Dropper Email Threat

Email Infiltration (Phishing)

97665

Qakbot Banking Malware Download Threat

Network Infiltration

36186

Qakbot Banking Malware Email Threat

Email Infiltration (Phishing)

61744

Qakbot Trojan Download Threat

Network Infiltration

77458

Qakbot Trojan Email Threat

Email Infiltration (Phishing)

82572

Qbot / Qakbot Trojan Download Threat - 1

Network Infiltration

25753

Qbot / Qakbot Trojan Email Threat

Email Infiltration (Phishing)

33661

Qbot / Qakbot Trojan Download Threat - 2

Network Infiltration

23971

QAKBOT Loader Download Threat

Network Infiltration

55980

QAKBOT Loader Email Threat

Email Infiltration (Phishing)

91678

QakBot Banking Trojan Downloader Download Threat

Network Infiltration

76711

QakBot Banking Trojan Downloader Email Threat

Email Infiltration (Phishing)

Moreover, Picus Threat Library contains 300+ threats containing 3000+ web application and vulnerability exploitation attacks in addition to 1500+ endpoint, 8000+ malware, email and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address QakBot malware and other malware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for QakBot malware:

Security Control

Signature ID

Signature Name

Check Point NGFW

0F8A6F35C

Infostealer.Win32.QBot.TC.a64aEPSC

Check Point NGFW

0A24C9E56

Infostealer.Win32.QBot.TC.224azHGX

Check Point NGFW

0EF4A99DE

Infostealer.Win32.QBot.TC.490fYKyN

Check Point NGFW

0F72D14D6

Infostealer.Win32.QBot.TC.2a8dPhOe

Check Point NGFW

0A35FDD5B

Infostealer.Win32.QBot.TC.9fbbdrjj

Check Point NGFW

09F68EF0A

Infostealer.Win32.QBot.TC.b794uZbb

Check Point NGFW

0BC1E8DDD

Infostealer.Win32.QBot.TC.73e6ApqL

Check Point NGFW

097F3B681

Infostealer.Win32.QBot.TC.987dAQHw

Check Point NGFW

094AD8571

Infostealer.Win32.QBot.TC.183eKDIX

Check Point NGFW

0C061AD12

Infostealer.Win32.QBot.TC.8116NAyF

Check Point NGFW

0824E92C9

Infostealer.Win32.QBot.TC.887duMso

Check Point NGFW

0FDA83739

Infostealer.Win32.QBot.TC.525aUarl

Check Point NGFW

082A40A63

TS_APT.Win32.MustangPanda.TC.4a5fHkzq

Check Point NGFW

0CFA8509D

Trojan.Win32.Banking.Win32.Qbot.TC.f77ectSU

Check Point NGFW

0D144397A

TS_APT.Win32.MustangPanda.TC.8cf9UvyH

Check Point NGFW

0806D13DF

TS_APT.Win32.MustangPanda.TC.4885

Check Point NGFW

0CA63BD2C

Banking.Win32.Qbot.TC.csfx

Check Point NGFW

0FD9E231D

TS_APT.Win32.MustangPanda.TC.7796Oztb

Check Point NGFW

08A47D321

TS_APT.Win32.MustangPanda.TC.6883gVfQ

Check Point NGFW

097379CEF

Banking.Win32.Qbot.TC.fuh

Check Point NGFW

086E60399

TS_APT.Win32.MustangPanda.TC.c56eeXub

Check Point NGFW

096FCD9FE

Banking.Win32.Qbot.TC.csfu

Check Point NGFW

0BF1FAA86

TS_APT.Win32.MustangPanda.TC.494aG

Check Point NGFW

08449F95C

Trojan.Win32.Qbot.TC.8c75ulra

Check Point NGFW

0D79CCDF5

Trojan.Win32.SilentBuilder.TC.ld

Check Point NGFW

0E16246EE

Ransomware.Win32.Conti.TC.db

Check Point NGFW

0D89FB412

Ransomware.Win32.Conti.TC.cz

Check Point NGFW

0EFED8A78

Trojan.Win32.Malicious Binary.TC.dc37ONvF

Cisco FirePower

 

W32.Auto:eadbac.in03.Talos

Cisco FirePower

 

Pdf.Downloader.Qakbot.MRT.Talos

Cisco FirePower

 

W32.Auto:ce0b6e.in03.Talos

Cisco FirePower

 

W32.Auto:a837d6.in03.Talos

Cisco FirePower

 

W32.56460C4133-95.SBX.TG

Cisco FirePower

 

W32.1F655F3030.qbot.in11.Talos

Cisco FirePower

 

W32.Auto:72b9c3.in03.Talos

Cisco FirePower

 

W32.Auto:f2f80e.in03.Talos

Cisco FirePower

 

Win.Dropper.Qbot::1201

Cisco FirePower

 

Doc.Trojan.Qakbot::MRTART::W32.50710334B8-100.SBX.TG

Cisco FirePower

 

Win.Dropper.Qbot::in03.talos

Cisco FirePower

 

W32.Auto:fcadad404a.in03.Talos

Cisco FirePower

 

Auto.12017410B5.242545.in07.Talos

Cisco FirePower

 

Xls.b860741a19.Codphish.MRT.Talos

Cisco FirePower

 

Xls.b421d126e1.Codphish.MRT.Talos

Cisco FirePower

 

Auto.9C3F2A3170.242546.in07.Talos

Forcepoint NGFW

 

File_Malware-Blocked

Fortigate AV

10128689

JS/Agent.F19F!tr

Fortigate AV

10132352

PDF/Phishing.EF14!tr

Fortigate AV

10137308

W64/Phishing.F755!tr

Fortigate AV

10138630

PDF/Qakbot.2PHP!tr

Fortigate AV

10132425

VBS/Agent.5A82!tr

Fortigate AV

62183

PossibleThreat

Fortigate AV

10090164

W32/Qbot.DM!tr

Fortigate AV

6697202

W32/Kryptik.DFOZ!tr

Fortigate AV

8180818

W32/Kryptik.HAZJ!tr

Fortigate AV

8026538

W32/GenKryptik.DDRU!tr

Fortigate AV

8240133

VBS/Agent.ZU!tr

Fortigate AV

8137058

W32/RTM.AG!tr

Fortigate AV

10105751

W32/Qbot.H!tr

Fortigate AV

10072425

MSExcel/Agent.2285!tr.dldr

Fortigate AV

10071319

MSExcel/Agent.CCA4!tr.dldr

McAfee

0x4840c900

MALWARE: Malicious File Detected by GTI

Palo Alto NGFW

584963994

Trojan/Win64.qakbot.ivc

Palo Alto NGFW

596938752

Virus/Win32.WGeneric.eaafmw

Palo Alto NGFW

574577053

trojan/Win32.qakbot.jbc

Palo Alto NGFW

584585070

Trojan/Win32.qakbot.ivl

Palo Alto NGFW

581930886

Virus/Win32.highconfidence.ao

Palo Alto NGFW

579439584

Trojan/Win32.qakbot.iqx

Palo Alto NGFW

45642966

Trojan-Spy/Win32.spyeyes.aqej

Palo Alto NGFW

113725964

Trojan/Win32.bublik.ttf

Palo Alto NGFW

373371762

trojan/Win32 EXE.qbot.qno

Palo Alto NGFW

543174446

trojan/Win32.fragtor.el

Palo Alto NGFW

453533813

Trojan-Downloader/MSOffice.sload.fuc

Palo Alto NGFW

453837674

Trojan-Downloader/MSOffice.sload.gad

Snort

1.54385.1

MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus The Complete Security Validation Platform.

References

[1] "Identification and Disruption of QakBot Infrastructure," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a. [Accessed: Aug. 31, 2023]

[2] "Qakbot botnet infrastructure shattered after international operation," Europol. Available: https://www.europol.europa.eu/media-press/newsroom/news/qakbot-botnet-infrastructure-shattered-after-international-operation. [Accessed: Aug. 31, 2023]