TrickBot and Emotet Botnets Both Returned After Disruption by Law Enforcement
Has the cry of the Qakbot come to an end?
The pernicious, multifunction malware fell quiet last week thanks to Operation “Duck Hunt,” an international crackdown spearheaded by the FBI. Cue the malicious code being plucked out of 700,000 infected systems, which authorities forcibly disconnected from the Qakbot botnet. The FBI also seized 52 servers and $8.6 million in stolen cryptocurrency, which it pledged to restore to victims (see: Operation ‘Duck Hunt’ Dismantles Qakbot).
Score one for the good guys. But with Qakbot’s operators and developers apparently still at large, they could well regroup and relaunch the service.
“While there is no doubt that the Qakbot takedown is a major win in the fight against cybercrime, it may only provide short-term relief in the fight against a notoriously resilient cybercriminal ecosystem,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint, in a blog post.
Many cybercrime service providers operate from Russia, which doesn’t extradite its citizens. That makes them tough to reach, unless the criminal hackers vacation abroad. So long as these criminals remain at large, there’s little to stop them from tweaking the code underpinning their malware and botnet command-and-control infrastructure to make it tougher to disrupt and then debuting the next version of Qakbot.
For now, let’s celebrate that Qakbot appears to at least be on a forced sabbatical. That’s welcome, because Qakbot infections were never good news. “On consumer and corporate PCs, Qakbot acted as a modular information and password stealer,” reported The Spamhaus Project, which is assisting with the post-takedown cleanup effort.
“It also contained a spam module that allowed Qakbot to spread laterally using email as a vector, using malicious links or attachments,” Spamhaus added. “It was sending tens of thousands of malware-laden emails every day through breached accounts, posing as legitimate email from known contacts designed to invoke user interaction.”
In addition, Qakbot would often lurk “in the environment just to maintain persistence, so another threat actor can then obtain the access and consequently deploy ransomware, mine cryptocurrency, disrupt or deface software or any other post-exploitation effects,” John Hammond, a senior security researcher at Huntress, said in a blog post. Ransomware groups that used such functionality included Black Basta, Conti, Egregor, MegaCortex, ProLock and REvil.
“The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast,” said FBI Director Christopher Wray last week when announcing the takedown.
Rebuilding Takes Time
If Qakbot does return, how long might the current respite last? “Infrastructure and functional botnets take time and effort to rebuild,” Stef Rand, a cyber threat intelligence analyst at Red Canary, said in a blog post.
“Previous infrastructure takedown attempts of other malware – for example, TrickBot and Emotet – reduced use of the malware but did not completely eliminate it,” she added. “It remains to be seen if Qbot has been permanently disabled.”
TrickBot was disrupted in 2020, only to reemerge in 2021 in the form of BazarLoader and with close ties to the Conti ransomware group (see: Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware). By late 2021, Conti appeared to have fully acquired the operation.
After law enforcement disrupted Emotet in January 2021, it reappeared a year later, apparently having forged close ties with TrickBot’s operators. While TrickBot and BazarLoader have since been retired owing to poor results, Emotet “remains a significant threat,” said Yelisey Bohuslavskiy, chief research officer at Red Sense, in a LinkedIn post.
Bohuslavskiy said it’s not clear if all Qakbot operations were disrupted last week. Since last year, two different operations – the ransomware group Clop and the former Team 3 of Conti, which became Black Basta, BlackByte and Karakurt – each appear to have run Qakbot operations, he said.
Team 3 has been quiet since June, Bohuslavskiy said. If it has disbanded, then its Qakbot days are likely over. If it’s just taking a summer break and resurfaces, “we could witness a potent threat from the QBot-Black Basta chain,” which may maintain infrastructure that escaped Operation Duck Hunt unscathed, he said.
Even if Qakbot’s goose is cooked, the crime group was but one player in a thriving cybercrime-as-a-service ecosystem. Ransomware groups in particular still need service providers who can easily install their crypto-locking malware on endpoints, and thus will likely soon embrace other options.
Expect many major players to switch to IcedID, which has “some similar capabilities to Qbot and has already been used by some of the same adversaries,” including groups with the codenames TA570 and TA577, said Red Canary’s Rand.
These tools are among the obvious next targets for potential disruption by law enforcement. “Sustained pressure on botnet financial flows, developer communities and other aspects of the cybercrime supply chain is needed to deter future attacks,” said Flashpoint’s Gray.
Getting to the point where cybercrime infrastructure has been analyzed and can be effectively unraveled takes time. “The takedown process is no cakewalk – speaking from experience with our recent involvement in the Genesis Market takedown and REvil arrests,” said John Fokker, head of threat intelligence at the Trellix Advanced Research Center. “Combating cybercrime takes a respectable amount of dedication and collaboration to pull apart the intricacies of ransomware infrastructures.”
Fokker said such disruptions remain high on the defensive agenda. “Law enforcement and the industry alike are seeking every opportunity to disrupt threat actors, and additional takedowns are imminent,” he said.