The operators associated with the QakBot (aka QBot) malware have set up 15 new command-and-control (C2) servers as of late June 2023.
The findings are a continuation of the malware's infrastructure analysis from Team Cymru, and arrive a little over two months after Lumen Black Lotus Labs revealed that 25% of its C2 servers are only active for a single day.
"QakBot has a history of taking an extended break each summer before returning sometime in September, with this year's spamming activities ceasing around 22 June 2023," the cybersecurity firm said.
"But are the QakBot operators actually on holiday when they aren't spamming, or is this 'break' a time for them to refine and update their infrastructure and tools?"
QakBot's C2 network, like that of Emotet and IcedID, is characterized by a tiered architecture in which bot-facing C2 nodes communicate with upstream Tier 2 (T2) C2 nodes hosted on VPS providers geolocated in Russia.
A majority of the bot C2 servers, which communicate with the victim hosts, are located in India and the U.S. Destination IP addresses identified from outbound T2 connections are mainly based in the U.S., India, Mexico, and Venezuela.
Also present alongside the C2s and the Tier 2 C2s is a BackConnect (BC) server that turns the infected bots into a proxy for other malicious purposes.
The latest research from Team Cymru reveals that the number of existing C2s communicating with the T2 layer has significantly decreased, with only eight remaining, in part driven by Black Lotus Labs' null-routing of the higher-tier infrastructure in May 2023.
"We observe that on June 2, U.S. C2s all but vanished, and traffic from Indian C2s significantly decreased," the company said, attributing the lack of U.S. activity to null-routing the T2 layer.
Outside of the 15 new C2 servers, six C2 servers active since before June and two C2 servers that came alive in June have continued to show activity in July after spamming ended.
A further analysis of NetFlow data shows a pattern wherein "instances of increased outbound T2 connections often occur following spikes in activity for inbound bot C2 connections" and "spikes in outbound T2 connections frequently correspond with a decrease in bot C2 activity."
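The NetFlow pattern described above (a spike in inbound bot check-ins to a C2 host, followed in the next interval by a burst of outbound connections from that host to its upstream T2 node while bot traffic drops) can be turned into a simple detection over flow records. The script below is an added example, not Team Cymru's own tooling or anything from the article: the flow records, the C2 and T2 addresses (RFC 5737 documentation ranges used as placeholders), and the spike thresholds are all constructed assumptions, and a real deployment would feed it parsed NetFlow/IPFIX exports from a collector.

```python
"""Correlate inbound bot C2 check-ins with outbound Tier 2 (T2) connections
in NetFlow-style records, bucketed per hour.

Added example; not code from Team Cymru or the article. All addresses,
records and thresholds are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Tuple

Flow = Tuple[str, str, str, int]  # (timestamp, src_ip, dst_ip, dst_port)

C2_IP = "10.0.0.5"          # constructed: a compromised host acting as a bot-facing C2
T2_IPS = {"203.0.113.7"}    # constructed: hypothetical upstream T2 node (placeholder)


def make_flows() -> List[Flow]:
    """Constructed NetFlow-style records showing the hand-off pattern."""
    flows: List[Flow] = []
    # Hour 10: six bots (192.0.2.x, placeholder range) check in; one upstream flow.
    for i in range(1, 7):
        flows.append((f"2023-06-01T10:{i:02d}:00", f"192.0.2.{i}", C2_IP, 443))
    flows.append(("2023-06-01T10:30:00", C2_IP, "203.0.113.7", 443))
    # Hour 11: bot check-ins fall off while outbound T2 connections spike.
    for i in range(1, 3):
        flows.append((f"2023-06-01T11:{i:02d}:00", f"192.0.2.{i}", C2_IP, 443))
    for i in range(5):
        flows.append((f"2023-06-01T11:{10 + i}:00", C2_IP, "203.0.113.7", 443))
    # Hour 12: background noise only.
    flows.append(("2023-06-01T12:01:00", "192.0.2.9", C2_IP, 443))
    flows.append(("2023-06-01T12:02:00", C2_IP, "203.0.113.7", 443))
    return flows


def hourly_counts(flows: List[Flow], c2_ip: str = C2_IP, t2_ips=T2_IPS):
    """Count inbound bot flows to the C2 and outbound C2->T2 flows per hour."""
    inbound: Counter = Counter()
    outbound: Counter = Counter()
    for ts, src, dst, _port in flows:
        hour = ts[:13]  # 'YYYY-MM-DDTHH' bucket key
        if dst == c2_ip and src not in t2_ips:
            inbound[hour] += 1
        elif src == c2_ip and dst in t2_ips:
            outbound[hour] += 1
    return inbound, outbound


def find_handoff_pattern(flows: List[Flow], inbound_spike: int = 5,
                         outbound_spike: int = 4) -> List[Tuple[str, str]]:
    """Return (hour, next_hour) pairs where an inbound bot spike is followed
    by an outbound T2 spike and a drop in bot activity. Thresholds are
    assumed values; tune them against a baseline for the monitored host."""
    inbound, outbound = hourly_counts(flows)
    hours = sorted(set(inbound) | set(outbound))
    hits: List[Tuple[str, str]] = []
    for prev, cur in zip(hours, hours[1:]):
        t_prev = datetime.strptime(prev, "%Y-%m-%dT%H")
        t_cur = datetime.strptime(cur, "%Y-%m-%dT%H")
        if t_cur - t_prev != timedelta(hours=1):
            continue  # only compare adjacent hourly buckets
        if (inbound[prev] >= inbound_spike
                and outbound[cur] >= outbound_spike
                and inbound[cur] < inbound[prev]):
            hits.append((prev, cur))
    return hits


if __name__ == "__main__":
    for prev, cur in find_handoff_pattern(make_flows()):
        print(f"bot C2 spike in {prev} followed by T2 burst in {cur}")
```

The check deliberately keys on the sequence (inbound spike, then outbound burst with falling inbound) rather than on any single volume threshold, since a host that is merely busy does not show the hand-off ordering that the NetFlow analysis attributes to a bot-turned-C2 relaying to its upstream tier.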
"In elevating victims to be used as C2 infrastructure with T2 communication, QakBot effectively punishes users twice, first in the initial compromise, and second in the potential risk to reputation of a host being identified publicly as malicious," Team Cymru said.
By cutting off communications to the upstream servers, the company noted, victims are prevented from receiving C2 instructions, thereby effectively protecting current and future users from compromise.