FBI-led Operation Duck Hunt shoots down Qakbot
2023-08-29 20:03

In a Tuesday press conference announcing the takedown, US Attorney Martin Estrada called the FBI-led Operation Duck Hunt "The most significant technological and financial operation ever led by the Department of Justice against a botnet." For one thing, the Feds produced some software to drop onto Qbot-infected machines to render the malware ineffective.

Beginning on August 21, the FBI obtained court orders allowing it to redirect Qakbot traffic to agent-controlled servers, and remotely disabled the malware on victims' machines.

The first court order [PDF], which was granted on August 21, allowed law enforcement to search US-based machines and seize or copy encryption keys, server lists, IP addresses, and routing information used by the Qakbot administrators, and also drop a file containing FBI-developed software on these computers to uninstall the malware.

"The file will provide the victim computers with new instructions that will untether them from the Qakbot botnet and prevent the Qakbot administrators from further communicating with the infected computers," according to court documents [PDF].

The scope was limited to information installed on the victim computers by the Qakbot operators, and did not remediate any other malware on the devices, nor grant the Feds access to other information on compromised computers, according to the US Dept of Justice.

In addition to seizing $8.6 million in ransomware payments, Operation Duck Hunt seized 6.5 million credentials that Qakbot operators had stolen from victims in the US, and "Our international partners are identifying many millions more," Estrada said.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/08/29/duck_hunt_qakbot/