Romanian prosecutors, police at US demand dismantled part of Qakbot malware infrastructure

The Directorate for the Investigation of Organized Crime and Terrorism prosecutors and the police have dismantled, at the request of the US authorities, part of the infrastructure of the Qakbot malware computer program, informs DIICOT in a statement sent to AGERPRES on Wednesday.

On Saturday, the DIICOT prosecutors, together with the Romanian Police, executed a request for international legal assistance, issued by the US authorities, which aimed to dismantle part of the infrastructure of the Qakbot malware computer program (Qbot).

Active since 2007, this prolific malware (also known as QBot or Pinkslipbot) has evolved, using various techniques to infect users and compromise computer systems, the source said. Qakbot infiltrated victims' computers through spam e-mails containing malicious attachments or hyperlinks; once installed on the targeted computer, the malware served to deploy further tooling such as Cobalt Strike or various types of ransomware.

In addition, investigators say, the infected computer became part of a botnet (a network of compromised computers) simultaneously controlled by cybercriminals, usually without the victims’ knowledge.

Prosecutors state that Qakbot’s main objective was to steal financial data and login credentials from web browsers.

Well-known ransomware families such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta allegedly used Qakbot to carry out a large number of ransomware attacks on critical infrastructures or on several commercial companies, the investigators say.

The administrators of the bot network offered these ransomware groups access to the infected networks for a fee, a model also known as MaaS (malware as a service), prosecutors add.

“The investigations carried out showed that, between October 2021 and April 2023, the administrators would have received almost 54 million euros from the ransoms that were paid by the victims. The analysis of the confiscated infrastructure showed that the malware would have infected more than 700,000 computers around the world, and the authorities have detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa, enabling the malware’s activity on a global scale,” DIICOT says.