On August 29, 2023, the United States Justice Department announced their participation in an operation to take down Qbot (aka Qakbot, Pinkslipbot) infrastructure and remove infections from victim endpoints. The “Operation Duck Hunt” team, made up of multinational law enforcement and industry professionals, reported that it uninstalled the malware from more than 700,000 systems comprising the Qbot botnet and seized extorted funds held as cryptocurrency by the operators.
What should organizations know about the Qbot takedown?
Qbot is a banking trojan that’s been active since at least 2007—and one of the most prevalent threats we’ve tracked in recent years. It’s used to steal data and credentials from victims, often as a precursor to ransomware and extortion activity, by a number of threats including Conti, Sodinokibi, and more recently Black Basta. Distribution affiliates like TA570 and TA577 historically delivered Qbot as their primary payload in large-scale phishing campaigns over the last several years. After successful infection, Qbot administrators leveraged a botnet of infected systems worldwide to assist in ongoing operations, primarily for command and control (C2) communications. This botnet infrastructure was disrupted by the takedown announced on August 29.
Security researchers who track Qbot activity have independently confirmed an end to observed activity on August 29. The takedown initiative appears to have struck a significant blow to Qbot operators and administrators. Infrastructure and functional botnets take time and effort to rebuild. Previous infrastructure takedown attempts against other malware—for example, TrickBot and Emotet—reduced use of the malware but did not completely eliminate it. It remains to be seen if Qbot has been permanently disabled.
It’s important to note that while Qbot’s infrastructure was disabled, the overall ransomware ecosystem and malware delivery affiliates like TA570 and TA577 have not been disrupted. They will continue to operate and will pivot to different malware families as their primary payloads. IcedID is one likely candidate to see increased use in the near future. It has some similar capabilities to Qbot and has already been used by some of the same adversaries. Other malware families unaffected by the takedown and recently seen leveraged by threats known to have used Qbot include Pikabot, Brute Ratel, and NetSupport Manager.
Detection and response
The Qbot uninstaller’s SHA256 hash is 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117, and a sample has been shared by a third party on VirusTotal. Security teams should consider keeping an eye out for this uninstaller. Red Canary’s threat researchers studied the sample and confirmed that the uninstaller behavior is as described by Secureworks: it sends a Qbot shutdown command via a named pipe.
Since we anticipate continued activity from affiliate groups like TA570 and TA577, organizations should be prepared to detect those threats. We’ve had success detecting those groups with the following detection analytic.
Detection opportunity: Rundll32 executing without a DLL or expected filetype
The following detector should generate an alert whenever rundll32.exe executes without a corresponding DLL. You may find that this alert generates high volumes of false positives, but you can tune it by adding exclusions for other filetypes that rundll32.exe commonly executes in conjunction with in your environment.
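As an added illustration of the analytic described above (this is not Red Canary’s detector, which the post does not reproduce), the Python below applies the “rundll32.exe without a .dll module argument” logic to a handful of constructed process-execution events. The event field names, the sample command lines, and the .cpl entry in the exclusion list are assumptions chosen to show how the tuning step works.

```python
"""Detection analytic: rundll32.exe executing without a .dll module argument.

Toy implementation over constructed process-execution events (assumed field
names "image" and "cmdline"). Not Red Canary's production detector.
rundll32 syntax is: rundll32.exe <module>[,<entrypoint>] [args], so the
first argument is the module the process was asked to load.
"""
import os
import re
from typing import Optional

# Extensions that rundll32 legitimately loads. ".cpl" (a Control Panel item,
# which is a DLL under a different extension) is an example tuning exclusion,
# assumed here rather than taken from the post; extend this set per environment.
ALLOWED_EXTENSIONS = {".dll", ".cpl"}

# Image name (quoted or bare path) at the start of the command line.
_IMAGE_RE = re.compile(
    r'\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*(.*)$', re.IGNORECASE
)


def _first_token(args: str) -> Optional[str]:
    """Return the first argument, honouring double quotes, or None if empty."""
    args = args.lstrip()
    if not args:
        return None
    if args.startswith('"'):
        end = args.find('"', 1)
        return args[1:end] if end != -1 else args[1:]
    return args.split(None, 1)[0]


def module_argument(cmdline: str) -> Optional[str]:
    """Extract the module rundll32 was asked to load, or None if absent."""
    m = _IMAGE_RE.match(cmdline)
    rest = m.group(1) if m else cmdline
    tok = _first_token(rest)
    if tok is None:
        return None
    # The entry point, if given, follows the module after a comma.
    return tok.split(",", 1)[0].strip('"')


def is_suspicious(event: dict, allowed=ALLOWED_EXTENSIONS) -> bool:
    """True when rundll32 ran with no module or with a module lacking an allowed extension."""
    image = event.get("image", "")
    if os.path.basename(image.replace("\\", "/")).lower() != "rundll32.exe":
        return False
    module = module_argument(event.get("cmdline", ""))
    if not module:
        return True  # bare rundll32.exe: nothing to load
    # Normalise separators so splitext ignores dots in directory names.
    ext = os.path.splitext(module.replace("\\", "/"))[1].lower()
    return ext not in allowed


def scan(events) -> list:
    """Return the command lines of every event the analytic would alert on."""
    return [e["cmdline"] for e in events if is_suspicious(e)]


# Constructed sample events; none are real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" sysdm.cpl,EditEnvironmentVariables'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\update.png,Start"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Public\update.png"},
    {"image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files\Vendor\some lib.dll",Init'},
]

if __name__ == "__main__":
    for cmd in scan(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Running the module flags the .png module and the bare rundll32.exe invocation while leaving the .dll and .cpl cases alone; in a real deployment the exclusion set is where the false-positive tuning the post mentions happens, and a module with no extension at all is still flagged because DLLs loaded under odd names are exactly what the analytic is meant to surface.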