QakBot had infected nearly 700,000 systems around the world before being shut down, according to the FBI. (Pixabay)

Learn how QakBot malware is targeting users again, even after being shut down by the FBI for months.

Febin MathewDecember 19, 23 cybersecurity, malware

Cybersecurity has become a crucial concern in today’s digital age, prompting major corporations to invest significant amounts of money in developing effective solutions to combat and counter the spread of malware by malicious actors. Additionally, law enforcement agencies have established their own cybersecurity divisions to protect individuals from online attacks. Earlier this year, the FBI successfully halted the dangerous QakBot malware through a large-scale operation. However, this malware has resurfaced within a few months of being shut down by the FBI, and it is important to understand how it now targets its victims.

QakBot is back

According to a post from Microsoft on X (via BleepingComputer ), QakBot is back. This time it is aimed at victims of the restaurant industry. Threat actors masquerading as the IRS send the malware as a PDF file via phishing email. Once the email is received, the PDF file says “Document preview not available” so the victim has to download it. Once downloaded and opened, the digitally signed Windows Installer (.msi) contained in the PDF file will execute the embedded DLL and the malware will be installed on your computer.

What is QakBot?

QakBot first appeared in 2008 and was primarily a banking trojan and credential stealer. Its purpose was to steal people’s financial information. However, over time it evolved into a multipurpose botnet with backdoor capabilities. This malware targets people through phishing. According to the FBI, the victim receives a link or a PDF document by email, which, when clicked, delivers more ransomware to the computer.

QakBot has remote code execution (RCE) capabilities, which means threat actors can also perform secondary attacks, including delivery of malicious payloads and reconnaissance. According to law enforcement officials, this malware was linked to at least 40 attacks against large companies worldwide.

How was it closed?

After more than a decade of targeting victims, an FBI-led multinational operation to stop it was launched earlier this year. The operation, known as “Duck Hunt”, involved law enforcement agencies from the United States, France, Germany, the Netherlands, Romania, Latvia and the United Kingdom. According to the FBI, the agency gained legal access to the malware’s infrastructure. It found that QakBot infected nearly 200,000 computers in the United States and 700,000 systems worldwide.

FBI Director Christopher Wray said: “This botnet provided such cybercriminals with a command and control infrastructure consisting of hundreds of thousands of computers used to attack individuals and businesses around the world.”

The FBI then redirected the Qakbot traffic to servers controlled by the Bureau. It then caused those devices to download an uninstaller specifically designed to remove the QakBot malware. It also prevented the installation of other malware.