In this digital era, cybersecurity has become a critical issue. The world’s biggest companies are spending millions of dollars on security products meant to stop, and respond to, malware spread by threat actors. Law enforcement agencies have their own cybercrime divisions aimed at keeping people safe from online attacks. Earlier this year the Federal Bureau of Investigation (FBI) led a large operation that took down a dangerous piece of malware known as QakBot. Mere months after that takedown, however, QakBot is back. Here is how it targets victims this time around.
QakBot is back
According to a post by Microsoft on X (via BleepingComputer), QakBot is back. This time around, it is targeting victims in the hospitality sector. The threat actors, masquerading as the IRS, send phishing emails carrying a PDF attachment. The PDF itself is only a lure: it displays the message “Document preview is not available” and prompts the victim to download the “real” document. The download is a digitally signed Windows Installer (.msi) file, and running that installer executes an embedded DLL that installs QakBot on the computer. The valid code-signing signature should not be taken as a sign of safety: it only tells you who signed the installer, not that its contents are benign.
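The chain described above (PDF lure with a “preview is not available” message that links to an .msi download) lends itself to a simple attachment triage. The following Python script is an added example written for this article, not code from Microsoft, BleepingComputer or the QakBot operators. It builds a constructed sample PDF that mimics the lure, extracts the link targets from the PDF (inflating FlateDecode streams so the lure text can be read), flags PDFs whose links point at an .msi, and checks what a downloaded file really is by its magic bytes rather than its name. The phrase list, the sample URL and the scoring rule are assumptions for illustration.

```python
"""Triage helper for the PDF-lure -> signed-MSI phishing chain.

Hypothetical, added example: the lure phrases, the sample URL and the
'suspicious' rule are illustrative assumptions, not indicators from a vendor.
"""
import re
import zlib

# Compound File Binary header: every .msi starts with it (so do legacy .doc/.xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PDF_MAGIC = b"%PDF-"
LURE_PHRASES = (b"document preview is not available",)  # assumed lure wording


def _decoded_streams(pdf: bytes):
    """Yield every stream body, inflating streams whose dictionary says /FlateDecode."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = m.group(1)
        preceding_dict = pdf[max(0, m.start() - 300):m.start()]
        if b"/FlateDecode" in preceding_dict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # damaged or non-zlib stream: skip rather than guess
        yield body


def extract_uris(pdf: bytes) -> list:
    """Collect /URI (...) targets from the raw file and from decoded streams."""
    uris = set()
    for blob in (pdf, *_decoded_streams(pdf)):
        for m in re.finditer(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", blob):
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            uris.add(raw.replace(b"\\\\", b"\\").decode("latin-1"))
    return sorted(uris)


def has_lure_text(pdf: bytes) -> bool:
    """True if any (decoded) content carries one of the assumed lure phrases."""
    return any(p in blob.lower() for blob in (pdf, *_decoded_streams(pdf)) for p in LURE_PHRASES)


def triage_pdf(pdf: bytes) -> dict:
    """Flag a PDF that combines 'preview unavailable' text with a link to an .msi."""
    uris = extract_uris(pdf)
    msi_links = [u for u in uris if u.lower().split("?")[0].endswith(".msi")]
    lure = has_lure_text(pdf)
    return {"uris": uris, "msi_links": msi_links, "lure_text": lure,
            "suspicious": bool(msi_links) and lure}


def classify_download(data: bytes) -> str:
    """Identify what the 'document' link actually served, by magic bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound-file"   # .msi (or legacy Office) despite any 'preview' name
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe-executable"
    return "unknown"


def build_sample_pdf(uri: str = "http://irs-docs.example.invalid/IRS_Document.msi") -> bytes:
    """Constructed sample lure: compressed page text plus a link annotation (no xref)."""
    content = zlib.compress(b"BT /F1 12 Tf 72 700 Td (Document preview is not available) Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 300 710] /A << /S /URI /URI (%s) >> >>"
        % uri.encode(),
    ]
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(triage_pdf(sample))
    print(classify_download(OLE_MAGIC + b"\x00" * 504))
```

The two checks are deliberately independent: `triage_pdf` works on the attachment alone, so it can run in a mail gateway before anyone clicks, while `classify_download` is for the sandbox or responder who already has the fetched file and wants to know whether a “document preview” is really an installer. Real lures may hide the link behind JavaScript or object streams this regex does not parse, so treat a clean result as “nothing found”, not “safe”.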
What is QakBot?
QakBot first emerged in 2008 as a banking trojan and credential stealer aimed at people’s financial information. Over time it evolved into a multi-purpose botnet with backdoor capabilities. It has always spread mainly through phishing: the victim receives a link or a PDF attachment in an email, and opening it installs QakBot, which the operators then used to deliver ransomware to the computer, as per the FBI.
QakBot gives its operators remote code execution (RCE) on infected machines, so they can carry out secondary attacks such as reconnaissance and the delivery of further malicious payloads. According to law enforcement agencies, the malware was linked to at least 40 ransomware attacks on companies, healthcare providers and government agencies worldwide.
How was it shut down?
After more than a decade of QakBot targeting victims, a multinational operation to stop it, spearheaded by the FBI, took place earlier this year. Known as “Duck Hunt”, the operation brought together law enforcement agencies from the US, France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. As per the FBI, the agency gained lawful access to the malware’s infrastructure. It found that QakBot had infected nearly 200,000 computers in the US and 700,000 systems worldwide.
FBI Director Christopher Wray said, “This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe”.
The FBI then redirected QakBot traffic to Bureau-controlled servers, which instructed the infected devices to download an uninstaller file specially designed to remove the QakBot malware. That cut the devices off from the botnet and prevented it from installing any further malware on them.