The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.
CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.
Download the PDF version of this report:
AA23-242A Identification and Disruption of QakBot Infrastructure (PDF, 570.50 KB)
For a downloadable copy of IOCs, see:
AA23-242A STIX XML (XML, 51.62 KB)
AA23-242A STIX JSON (JSON, 43.12 KB)
QakBot, also known as Qbot, Quackbot, Pinkslipbot, and TA570, is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant number of computer intrusions, including ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.
Since its initial inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, including performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials is often sold to further the goals of the threat actor who delivered QakBot.
QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.
QakBot's modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.
Historically, QakBot's C2 infrastructure relied heavily on hosting providers that lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot; the botnet was controlled through three tiers of C2 servers.
Figure 1: QakBot's Tiered C2 Servers
The first tier of C2 servers consists of a subset of the thousands of bots, selected by QakBot administrators and promoted to Tier 1 "supernodes" by downloading an additional software module. These supernodes communicate with the victim computers, relaying commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes active in that month had been identified across 63 countries. Supernodes have been observed to change frequently, which helps QakBot evade detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes that relay communications to the Tier 2 C2 servers, which serve as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.
FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with QakBot infections:
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random_string>
* C:\Users\<user>\AppData\Roaming\Microsoft\<random_string>\
* HKEY_CURRENT_USER\Software\Microsoft\<random_string>
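As an added example (not part of the advisory and not an FBI or CISA tool), the following Python script parses the text output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and flags Run values whose target executable sits directly under `C:\Users\<user>\AppData\Roaming\Microsoft\<folder>\`, the persistence path pattern listed above. The sample `reg query` output, the user name, the value names and the folder names are all constructed for this example, and the `allowlist` parameter is a hypothetical hook for known-good entries. A flagged value name and folder name give the analyst the candidate `<random_string>` to look for under `HKEY_CURRENT_USER\Software\Microsoft\` as well.

```python
import re

# Constructed sample of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# output (user name, value names and folder names are made up for this example).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    xkqtrzpv    REG_SZ    C:\Users\alice\AppData\Roaming\Microsoft\Qzrtxpwe\wibo.exe
    Teams    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"
"""

# One value line of `reg query` output: <name> <REG_type> <data>, indented.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

# Executable directly inside %APPDATA%\Microsoft\<single folder>\, i.e. the
# advisory's C:\Users\<user>\AppData\Roaming\Microsoft\<random_string>\ pattern.
ROAMING_MS_RE = re.compile(
    r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\([^\\]+)\\[^\\]+\.exe",
    re.IGNORECASE,
)


def parse_run_entries(reg_output):
    """Parse `reg query` text into dicts with key, name, type and data."""
    entries, key = [], None
    for line in reg_output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = registry key path
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group(1),
                            "type": m.group(2), "data": m.group(3)})
    return entries


def flag_qakbot_like(entries, allowlist=()):
    """Return Run values whose target matches the advisory's persistence path."""
    findings = []
    for e in entries:
        m = ROAMING_MS_RE.search(e["data"])
        if m and e["name"] not in allowlist:
            findings.append({"value_name": e["name"],
                             "folder": m.group(1),   # candidate <random_string>
                             "target": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in flag_qakbot_like(parse_run_entries(SAMPLE_REG_QUERY)):
        print(f"suspicious Run value {f['value_name']!r} -> {f['target']} "
              f"(also check HKCU\\Software\\Microsoft\\{f['folder']})")
```

Run it against saved `reg query` output from a host under review; the path check is deliberately narrow so that legitimate autoruns under `AppData\Local` (as in the two constructed benign entries) are not reported.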
In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.
Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and all have been historically linked to QakBot. FBI and CISA recommend that organizations investigate or vet these IP addresses prior to taking action, such as blocking.
Table 1: IPs Affiliated with QakBot Infections

| IP Address | First Seen |
|---|---|
| 85.14.243[.]111 | April 2020 |
| 51.38.62[.]181 | April 2021 |
| 51.38.62[.]182 | December 2021 |
| 185.4.67[.]6 | April 2022 |
| 62.141.42[.]36 | April 2022 |
| 87.117.247[.]41 | May 2022 |
| 89.163.212[.]111 | May 2022 |
| 193.29.187[.]57 | May 2022 |
| 193.201.9[.]93 | June 2022 |
| 94.198.50[.]147 | August 2022 |
| 94.198.50[.]210 | August 2022 |
| 188.127.243[.]130 | September 2022 |
| 188.127.243[.]133 | September 2022 |
| 94.198.51[.]202 | October 2022 |
| 188.127.242[.]119 | November 2022 |
| 188.127.242[.]178 | November 2022 |
| 87.117.247[.]41 | December 2022 |
| 190.2.143[.]38 | December 2022 |
| 51.161.202[.]232 | January 2023 |
| 51.195.49[.]228 | January 2023 |
| 188.127.243[.]148 | January 2023 |
| 23.236.181[.]102 | Unknown |
| 45.84.224[.]23 | Unknown |
| 46.151.30[.]109 | Unknown |
| 94.103.85[.]86 | Unknown |
| 94.198.53[.]17 | Unknown |
| 95.211.95[.]14 | Unknown |
| 95.211.172[.]6 | Unknown |
| 95.211.172[.]7 | Unknown |
| 95.211.172[.]86 | Unknown |
| 95.211.172[.]108 | Unknown |
| 95.211.172[.]109 | Unknown |
| 95.211.198[.]177 | Unknown |
| 95.211.250[.]97 | Unknown |
| 95.211.250[.]98 | Unknown |
| 95.211.250[.]117 | Unknown |
| 185.81.114[.]188 | Unknown |
| 188.127.243[.]145 | Unknown |
| 188.127.243[.]147 | Unknown |
| 188.127.243[.]193 | Unknown |
| 188.241.58[.]140 | Unknown |
| 193.29.187[.]41 | Unknown |
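The following Python snippet is an added example of the historical log review the advisory asks for; it is not part of the advisory or an FBI or CISA tool. It loads rows in the form of Table 1 (an excerpt of the table is embedded; the full list is in the table above or in the STIX files), converts the defanged `[.]` notation back to dotted form, validates each address, and reports every log line that mentions a listed IP in either direction together with its first-seen date, so an analyst can weigh how old the infrastructure was. The firewall log lines are constructed. The duplicate table entry for 87.117.247[.]41 is handled by keeping the earliest listed date. This is a match against past logs only; as stated above, the addresses were assessed inactive as of August 29, 2023, and any hit should be vetted before a block is considered.

```python
import ipaddress
import re

# Excerpt of Table 1 from the advisory (IP | first seen), defanged as published.
# 87.117.247[.]41 appears twice in the table; both rows are kept here on purpose.
TABLE1_EXCERPT = """
85.14.243[.]111 | April 2020
51.38.62[.]181 | April 2021
185.4.67[.]6 | April 2022
87.117.247[.]41 | May 2022
94.198.50[.]147 | August 2022
188.127.242[.]119 | November 2022
87.117.247[.]41 | December 2022
51.161.202[.]232 | January 2023
95.211.172[.]108 | Unknown
193.29.187[.]41 | Unknown
"""

# Constructed firewall log lines for this example (not real traffic; the
# internal and 203.0.113.x addresses are placeholders).
SAMPLE_LOG = """
2023-08-20T10:14:02Z allow src=10.1.5.23 dst=94.198.50.147 dport=443 proto=tcp
2023-08-20T10:14:09Z allow src=10.1.5.23 dst=203.0.113.5 dport=443 proto=tcp
2023-08-20T10:15:41Z allow src=10.1.7.8 dst=95.211.172.108 dport=2222 proto=tcp
2023-08-20T10:16:00Z deny src=185.4.67.6 dst=10.1.0.4 dport=3389 proto=tcp
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc):
    """Turn the advisory's defanged notation (1.2.3[.]4) back into dotted form."""
    return ioc.replace("[.]", ".")


def load_iocs(table_text):
    """Parse 'ip | first seen' rows into {ip: first_seen}; malformed IPs raise."""
    iocs = {}
    for row in table_text.strip().splitlines():
        ip_raw, _, first_seen = row.partition("|")
        ip = str(ipaddress.ip_address(refang(ip_raw.strip())))
        iocs.setdefault(ip, first_seen.strip())   # keep the earliest listed date
    return iocs


def scan_log(log_text, iocs):
    """Return (line_no, ip, first_seen, line) for each line touching a listed IP."""
    hits = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        for ip in IPV4_RE.findall(line):          # src and dst are both checked
            if ip in iocs:
                hits.append((lineno, ip, iocs[ip], line.strip()))
    return hits


if __name__ == "__main__":
    table = load_iocs(TABLE1_EXCERPT)
    for lineno, ip, first_seen, line in scan_log(SAMPLE_LOG, table):
        print(f"line {lineno}: {ip} (first seen {first_seen}) :: {line}")
```

Because the scanner extracts every IPv4 address on a line rather than a fixed field, it works unchanged on proxy, firewall or NetFlow exports with different layouts; only the sample line format is constructed.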
Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.
For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK's page on QakBot.[9]
Note: For situational awareness, the following SHA-256 hash is associated with FBI's QakBot uninstaller: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117
CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password "patterns" that cyber criminals can easily decipher.
* Require administrator credentials to install software.
In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.
The information in this report is being provided "as is" for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.
August 30, 2023: Initial version.
References:
[1] MITRE ATT&CK, Cobalt Strike (S0154): attack.mitre.org/versions/v13/software/S0154/
[2] MITRE ATT&CK, Conti (S0575): attack.mitre.org/versions/v13/software/S0575/
[3] MITRE ATT&CK, ProLock (S0654): attack.mitre.org/versions/v13/software/S0654/
[4] MITRE ATT&CK, Egregor (S0554): attack.mitre.org/versions/v13/software/S0554/
[5] MITRE ATT&CK, REvil (S0496): attack.mitre.org/versions/v13/software/S0496/
[6] MITRE ATT&CK, MegaCortex (S0576): attack.mitre.org/versions/v13/software/S0576/
[7] MITRE ATT&CK, Black Basta (S1070): attack.mitre.org/versions/v13/software/S1070/
[8] MITRE ATT&CK, Royal (S1073): attack.mitre.org/versions/v13/software/S1073/
[9] MITRE ATT&CK, QakBot (S0650): attack.mitre.org/versions/v13/software/S0650/