September 29, 2023

The FBI’s latest takedown of the QakBot botnet sent shockwaves through the cybersecurity community when it was first announced last week. QakBot had become the malware of choice for dozens of hacking groups and ransomware outfits that used it to set the table for devastating attacks.

Since emerging in 2007 as a tool used to attack banks, the malware evolved into one of the most commonly seen strains in the world, luring an ever-increasing number of machines into its powerful web of compromised devices. Justice Department officials said their access to the botnet’s control panel revealed it was harnessing the power of more than 700,000 machines, including over 200,000 in the U.S. alone.

But almost as interesting as the takedown was the way law enforcement agencies pulled off the disruption.

Senior FBI and Justice Department officials — who called it “the most significant technological and financial operation ever led by the Department of Justice against a botnet” — explained in a briefing that they managed to infiltrate the botnet’s infrastructure and take a range of actions to shut it down.

Using a court order, the law enforcement agencies deployed the botnet’s auto-updating feature against itself to send out a custom utility that uninstalled QakBot and disabled the feature on devices in the U.S.

“It is as if the boss gave the order, ‘leave this workplace and do not come back,’” said John Hammond, principal security researcher at the cybersecurity intelligence firm Huntress.

Chester Wisniewski, field CTO of applied research at Sophos, said the tactic reminded him of NotPetya, where a software downloader feature was abused by Russian hackers to download malware instead of updates.

“Nearly all modern botnets have auto update functionality and if you can gain control of the communications channels you can essentially make them self-destruct,” Wisniewski said. “If we start having success with that though, criminals may start using digital signatures to make this harder.”

Other botnets

The FBI and other law enforcement agencies have carried out similar operations in the past to take down botnet networks.

The FBI’s targeting of the Kremlin-backed Snake malware in May, as well as the operation to disrupt the Cyclops Blink malware, are examples of the kind of offensive actions law enforcement agencies are now taking to not just remove malicious software from devices in the U.S. but reduce the size of powerful botnets causing significant harm.

Experts floated other botnets that law enforcement could attempt to disrupt, like IcedID, LokiBot and AgentTesla. Check Point Software’s Sergey Shykevich said that while the malware strains Formbook and Guloader are a bit different from QakBot, they could also be taken down in a similar way.

Even so, past takedowns — most notably that of Emotet — have done little to stop groups from reforming.

Shykevich said the QakBot operation could be replicated under some conditions, but it depends on which assets are under law enforcement control.

In the Emotet takedown case, an update file was sent from servers to the victims in order to prevent the botnet from further communication with infected computers. Shykevich suggested that the FBI could conduct a QakBot-like operation on Emotet, which has seen a resurgence recently due to thousands of new infections.

When asked about potential arrests to go along with the QakBot takedown, Justice Department and FBI officials would only say that they weren’t announcing any at the moment.

“If the perps aren’t behind bars they’re likely to carry on and just rebuild as there is too much money to walk away,” Wisniewski said.

“Hard to say if there are sealed indictments or if they believe they may have spooked them into hiding though.”

It appears the FBI’s main focus was on preventing QakBot threat actors from reacquiring infected systems in the current botnet, said Secureworks Counter Threat Unit’s Keith Jarvis.

The threat actors may make an effort to reconstitute the botnet by creating a new one entirely, he explained, adding that the past has shown takedowns not coupled with arrests often lead to the threat actors attempting to come back.

“But historically these attempts have been largely ineffective,” he said.

Shykevich warned that it’s still unclear if the QakBot operation was just a disruption that will halt their operations for a few months or if it was a full takedown.

“Dismantled infrastructure doesn’t immediately mean that source code is destroyed, or that people have been arrested or the project is decapitated,” he said. “They might very well still be operating. They might reorganize, rebuild, rebrand. Perhaps in time, Qakbot could be back in action, but we remain cautiously optimistic and celebrate these wins making a dent against cybercrime.”

Austin Berglas, a former special agent in the FBI Cyber Division, said there’s always a concern about a potential resurgence of groups, particularly those operating powerful botnets.

“It’s just like a street gang selling drugs on a street corner. If the police increase presence and prevent the gang from selling drugs on that particular corner, there’s nothing stopping them from going to another part of the city, set up operations, and resume the activity,” said Berglas, who’s now global head of professional services at BlueVoyant.

“True dismantlement of an organization requires identifying, arresting, and prosecuting the personnel, as well as taking down the technical infrastructure.”


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.