The U.S. Department of Justice (DOJ) and the FBI’s joint takedown of Qakbot in late August was a multinational operation that culminated in the disruption of one of the world’s longest-running malware families and botnets. When law enforcement obtained court orders to remotely remove the malware from infected devices, they found that infections numbered a staggering 700,000 machines globally, including 200,000 computers in the U.S., at the time of the takedown.
It was no surprise, however, when news reports began surfacing in October that Qakbot (aka Qbot) was still very much alive, albeit in a diminished form. The threat actors behind the infamous malware, which is simultaneously classified as a banking Trojan, a worm, and a remote access Trojan (RAT), have now been linked to an ongoing phishing campaign that delivers Cyclops ransomware (aka Ransom Knight) and the formidable remote control and surveillance tool Remcos RAT.
Since no arrests were made at the time of the takedown, this new and worrying activity suggests that “the law enforcement operation may not have impacted Qakbot operators' spam delivery infrastructure, but rather only their command-and-control (C2) servers,” as researcher Guilherme Venere explained in a recent report. Venere asserts “with moderate confidence” that the threat actors behind Qakbot are still active, and that the malware “will continue to pose a significant threat moving forward.”
In this second blog in our two-part series on Qakbot, we’ll go over mitigations to protect you in the event the Qakbot threat actors rebuild their infrastructure, highlight some smart security recommendations from the FBI and the Cybersecurity & Infrastructure Security Agency (CISA), and learn how to find out if you’ve ever been infected by this notorious malware.
Read part 1 of this blog here.
The Aftermath of the Takedown
So Qakbot is down. The forces of good have prevailed, right? In an ideal world, yes, but the world we live in is still far from perfect. Though Qakbot may be offline right now, there could still be hidden “nasties” left lurking on unsuspecting victims’ machines, left over from prior infections.
Public reports published by the DOJ regarding the takedown noted that federal officials obtained access to Qakbot’s botnet (a network of compromised computers), redirected botnet traffic through new servers controlled by law enforcement, and sent out instructions to computers previously infected by Qakbot to download an uninstall file that blitzed the malware.
There was a caveat, however. “The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government report explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”
In layman’s terms, the takedown basically focused on preventing Qakbot operators from reacquiring infected systems that made up the last Qakbot botnet.
In the lucrative world of ransomware, it is not completely outside the realms of possibility that Qakbot operators (including its alleged originators Gold Lagoon) might attempt to create a new botnet from scratch, but this would take significant effort on their part. Whether they’ll choose that path forward remains to be seen. This means that even though Qakbot is down for now, it’s worth learning to identify indicators of compromise (IoCs) and the various techniques used by Qakbot as a precaution against a future Qakbot resurrection.
Both CISA and the FBI strongly advise industry sectors at risk from this malware to deploy the following mitigations to keep their networks secure, and to protect them from becoming compromised, either by a future Qakbot resurgence or by any other malware that functions in a similar fashion.
Some of these mitigation tips include:
- Require multi-factor authentication for remote access to internal networks. In a CISA advisory, it was recommended that critical infrastructure industries — including healthcare organizations, which are so often targeted — require multi-factor authentication (MFA) to be used by all employees remotely accessing their networks. The advisory notes that the use of MFA alone blocks nearly all automated cyberattacks, and that most compromised accounts uncovered to date failed to use this one simple but effective technology.
- Regularly conduct employee security training, including spear-phishing drills. Security hygiene (at its most basic level) focuses on teaching employees “not to click on things” unless they have taken some action to verify the source of what they are about to click on. Simple precautions an employee might take include hovering their mouse over the suspect link (but not clicking it), and looking at the lower-left address bar of their browser to check the destination web URL. They should also get into the habit of typing the website name they want to visit directly into their browser, rather than clicking on an emailed shortcut or link.
- Update corporate software as often as is practically possible. Your list should include users’ operating systems, apps, and firmware. On their Cybersecurity Program website page, the U.S. Department of Health and Human Services (HHS) recommends using a centralized patch management system to guard against slow or sloppy patching practices, and developing a risk-assessment strategy to figure out which network assets and zones should be included in the system.
- Eliminate weak passwords. Organizations should work to stay in compliance with NIST (National Institute of Standards and Technology) guidance when putting employee password policies in place, and ideally pivot away from reliance on passwords, moving towards multi-factor authentication wherever possible.
- Carefully filter network traffic to prohibit incoming and outgoing communications with known malicious IP addresses by implementing block/allow lists.
- Prepare and maintain a working recovery plan to ensure that, should the worst happen and a Qakbot-related breach occur, every security-enabled member of your IT teams will know exactly what actions to take.
- Implement the “3-2-1” backup rule: Maintain at least three copies of your organization’s most critical data. Keep two copies stored in separate locations, and always store one copy at an off-site location.
How to Find Out if You’ve Ever Been Infected by Qakbot
Looking to brighter horizons, there’s good news for past Qakbot victims. The DOJ claims to have recovered over 6.5 million passwords and other credentials that had been stolen by Qakbot’s operators. They have since shared these credentials with two legitimate websites that allow users to check and see if their login information has been exposed.
The websites to check are:
Have I Been Pwned
The site best-known to everyday, security-conscious users is Have I Been Pwned, which lets you check for free to see if your email address has ever been stolen or exposed in a data breach. Founder Troy Hunt created HIBP as a free resource for anyone to quickly assess if they may have been put at risk due to an online account being compromised.
The site contains a database built from 700+ pwned (hacked) websites, and at the time of writing, contains the logins and/or passwords from 12,724,063,603 stolen accounts. This includes everything from the MySpace years, through to Facebook, and every major breach in between. If you enter either your email address or password on the secure site, it will return a near-instant response alerting you if it finds a match in its database, which now includes the Qakbot dataset.
Check Your Hack
The second resource you can turn to is a site called Check Your Hack, which was created by the Dutch National Police using two large seized datasets, one of which was part of the Qakbot seizure. According to the site, you simply enter your email address, and if it is found to be included in one of the datasets, you’ll get an automatic email from the police taskforce within five minutes. The email will let you know what you need to do to remove any malware. If your address is not found, you won’t receive an email.
World’s Worst Passwords List
And finally, since Qakbot had an “optional attachment” to brute-force email logins using a list of the most commonly-used passwords, check here to review the top “Worst Password” sites for 2023 and see if yours is on the list. (Password123, anyone?)
Taking down an entrenched malware operation is a huge win for the security community as a whole. Back at the start of the year, the DOJ successfully took down Hive ransomware. In May 2023, it also quietly removed malware from machines around the globe infected with “Snake” malware, an established malware family that had been publicly tied to Russian intelligence agencies.
However, ransomware continues to be an ongoing global threat. Even when reportedly down-and-out, Qakbot’s agility may mean that a resurgence is still in the cards in the coming months or years. Its operators span multiple powerful threat groups, which in the past have proven to be extremely resourceful and capable of adapting very quickly to change.
Additional information and resources for mitigation can be found on the following website, which will be updated as new information and resources become available: https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources
How BlackBerry Can Help
BlackBerry customers using the self-defending, AI-based prevention, detection, and response solution CylanceENDPOINT™ can be reassured that in the event of a Qakbot resurrection, the BlackBerry solution will prevent the malware from executing.
The BlackBerry Product Security Team also recommends customers enable Script Control in CylancePROTECT (a component of CylanceENDPOINT) to block execution of malicious scripts.
Phishing-related activities such as malicious email attachments can be difficult for legacy antivirus platforms to detect. BlackBerry recommends customers activate proprietary CylanceOPTICS® rules that can provide protection from threats which have invalid file signatures, a tactic often used by threat actors attempting to deploy Qakbot.
These recommended CylanceOPTICS rules include:
- Office Launched Unsigned Process: A Microsoft® Office application has spawned a new child process that is not signed.
- Internet Browser Launched Unsigned Process: An Internet browser has spawned a new child process that is not signed.
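Both rule descriptions above reduce to one check on process-creation telemetry: the parent is an Office application or a browser, and the child it launched is not signed. The following Python is an added example, not CylanceOPTICS rule syntax or BlackBerry code; the event field names (`parent_image`, `image`, `signed`), the parent-process lists and the sample events are constructed for illustration.

```python
import json
import ntpath

# Parent process names in scope (assumed lists; extend for your own estate).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed process-creation events, one JSON object per line.
# The field names are hypothetical, not any product's schema.
SAMPLE_EVENTS = r"""
{"host":"ws-01","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","signed":false}
{"host":"ws-01","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\splwow64.exe","signed":true}
{"host":"ws-02","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","image":"C:\\Users\\bob\\Downloads\\invoice_viewer.exe","signed":false}
{"host":"ws-02","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Tools\\portable_tool.exe","signed":false}
not-json telemetry fragment
{"host":"ws-03","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","image":"C:\\Users\\carol\\AppData\\Roaming\\svc.exe"}
"""

def classify_parent(path):
    """Return the matching rule name for a parent image path, or None."""
    name = ntpath.basename(path or "").lower()  # case-insensitive, Windows paths
    if name in OFFICE:
        return "Office Launched Unsigned Process"
    if name in BROWSERS:
        return "Internet Browser Launched Unsigned Process"
    return None

def detect(lines):
    """Return (rule, host, child image name) for every matching event."""
    alerts = []
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed telemetry instead of aborting
        if not isinstance(ev, dict):
            continue
        rule = classify_parent(ev.get("parent_image"))
        # Only an explicit True counts as signed; a missing or null field is
        # treated as unsigned so gaps in telemetry do not hide a launch.
        if rule and ev.get("signed") is not True:
            alerts.append((rule, ev.get("host"), ntpath.basename(ev.get("image") or "")))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Treating a missing signature field as unsigned produces more alerts on incomplete telemetry, which is the safer default for a rule aimed at phishing-delivered payloads.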
BlackBerry also recommends users strictly follow vendor upgrade or patching guidelines (when available) to reduce the risk on any potentially affected systems.