The Department of Justice disclosed a massive international operation to disrupt the Qakbot malware, which has infected more than 700,000 computers across the globe and led to hundreds of millions of dollars in damages.
The malware, also known as “Qbot” or “Pinkslipbot,” had been used by criminal threat actors to infect critical infrastructure systems, spreading primarily through email messages carrying malicious attachments or hyperlinks.
Officials said the operation was the largest U.S.-led disruption of a botnet infrastructure in history. It marked the latest effort by federal officials to disrupt multinational cybercrime by mustering an international coalition. The U.S. worked alongside France, Germany, the Netherlands, the U.K., Romania and Latvia for the takedown.
“The FBI led a worldwide joint, sequenced operation that crippled one of the longest-running criminal botnets,” FBI Director Christopher Wray said in a statement Tuesday. “With our federal and international partners, we will continue to systematically target every part of cybercriminal organizations, their facilitators and their money – including by disrupting and dismantling their ability to use illicit infrastructure to attack us.”
The FBI was able to redirect botnet traffic toward servers it controlled and disrupt the operation. More than 200,000 computers in the U.S. alone were found to be infected. Authorities also seized $8.6 million in illicit cryptocurrency as part of the takedown.
Qakbot, which first emerged in 2007, is a banking trojan used to steal financial data and login credentials from web browsers, according to research from Zscaler. Qakbot is also used as a backdoor to deliver follow-on payloads such as Cobalt Strike.
Officials at Zscaler, which was cited by law enforcement for “valuable technical assistance” during the case, declined to comment for the story.
Threat groups including Conti, Egregor, REvil, Black Basta and others have used Qakbot to gain initial access to victim computer systems, according to the DOJ.
“Typically, Qakbot automated its delivery method in order to cast a wide net and infect as many potential victims as possible,” John Hammond, principal security researcher at Huntress, said via email.
Last November, Huntress reported a 400% increase in Qakbot activity. Researchers say Qakbot's operators shifted to launching attacks through malicious OneNote attachments after Microsoft began disabling macros.
The FBI and the Dutch National Police have set up websites where users can check whether their credentials appear among those stolen by Qakbot.