The operators associated with the QakBot (aka QBot) malware have set up 15 new command-and-control (C2) servers as of late June 2023.
The findings are a continuation of the malware's infrastructure analysis from Team Cymru, and arrive a little over two months after Lumen Black Lotus Labs revealed that 25% of its C2 servers are only active for a single day.
"QakBot has a history of taking an extended break each summer before returning sometime in September, with this year's spamming activities ceasing around 22 June 2023," the cybersecurity firm said.
"But are the QakBot operators actually on vacation when they aren't spamming, or is this 'break' a time for them to refine and update their infrastructure and tools?"
QakBot's C2 network, like in the case of Emotet and IcedID, is characterized by a tiered architecture in which C2 nodes communicate with upstream Tier 2 (T2) C2 nodes hosted on VPS providers geolocated in Russia.
A majority of the bot C2 servers, which communicate with the victim hosts, are located in India and the U.S. Destination IP addresses identified from outbound T2 connections are based in the U.S., India, Mexico, and Venezuela.
Also present alongside the C2s and the Tier 2 C2s is a BackConnect (BC) server that turns the infected bots into a proxy for other malicious purposes.
The latest research from Team Cymru reveals that the number of existing C2s communicating with the T2 layer has significantly decreased, with only eight remaining, partly driven by Black Lotus Labs' null-routing of the higher-tier infrastructure in May 2023.
"We observe that on June 2, U.S. C2s all but disappeared, and traffic from Indian C2s significantly decreased," the company said, attributing the lack of U.S. activity to null-routing the T2 layer.
Outside of the 15 C2 servers, six C2 servers active since before June and two C2 servers that came alive in June have continued to exhibit activity in July after spamming concluded.
A further analysis of NetFlow data reveals a pattern wherein "instances of elevated outbound T2 connections often occur following spikes in activity for inbound bot C2 connections" and "spikes in outbound T2 connections generally correspond with a decline in bot C2 activity."
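The lagged inbound-then-outbound pattern described above is something a defender can look for in their own flow data. The following is an added example, not Team Cymru's tooling or the original article's code: it buckets constructed NetFlow-style records by hour for a hypothetical relay host and flags hours where a spike of inbound bot connections is followed by a burst of outbound connections to a small set of upstream addresses (the relay, bot ports and T2 addresses are all constructed placeholders).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NetFlow-style records: (UTC time, src_ip, dst_ip, dst_port).
# RELAY is a hypothetical compromised host acting as a bot C2; bots connect inbound on
# BOT_C2_PORTS and the relay forwards upstream to hypothetical Tier 2 (T2) addresses.
RELAY = "192.0.2.10"
BOT_C2_PORTS = {443, 2222}
T2_ADDRS = {"198.51.100.5", "198.51.100.6"}

FLOWS = [
    ("2023-06-20T10:03:00", "203.0.113.11", RELAY, 443),    # inbound bot check-ins
    ("2023-06-20T10:07:00", "203.0.113.12", RELAY, 2222),
    ("2023-06-20T10:31:00", "203.0.113.13", RELAY, 443),
    ("2023-06-20T10:52:00", "203.0.113.14", RELAY, 443),
    ("2023-06-20T11:05:00", RELAY, "198.51.100.5", 65400),  # outbound T2 burst follows
    ("2023-06-20T11:06:00", RELAY, "198.51.100.6", 65400),
    ("2023-06-20T11:40:00", RELAY, "198.51.100.5", 65400),
    ("2023-06-20T12:10:00", "203.0.113.15", RELAY, 443),    # quiet hour: no follow-on burst
    ("2023-06-20T13:15:00", RELAY, "198.51.100.6", 65400),
]

def hourly_counts(flows, relay=RELAY, bot_ports=BOT_C2_PORTS, t2_addrs=T2_ADDRS):
    """Per hour, count inbound bot connections to the relay and outbound relay->T2 connections."""
    counts = defaultdict(lambda: [0, 0])  # hour -> [inbound_bot, outbound_t2]
    for ts, src, dst, dport in flows:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        if dst == relay and dport in bot_ports:
            counts[hour][0] += 1
        elif src == relay and dst in t2_addrs:
            counts[hour][1] += 1
    return dict(counts)

def relay_alerts(counts, min_inbound=3, min_outbound=2):
    """Return (hour, outbound_t2) for hours where an inbound bot spike is followed, in the
    next hour, by an outbound T2 burst: the fan-in/fan-out signature of a tiered relay."""
    alerts = []
    for hour, (inbound, _) in sorted(counts.items()):
        nxt = counts.get(hour + timedelta(hours=1), [0, 0])
        if inbound >= min_inbound and nxt[1] >= min_outbound:
            alerts.append((hour.isoformat(), nxt[1]))
    return alerts

if __name__ == "__main__":
    for hour, t2 in relay_alerts(hourly_counts(FLOWS)):
        print(f"{hour}: inbound bot spike followed by {t2} outbound T2 connections")
```

Thresholds are deliberately low to suit the tiny constructed sample; on real flow data they would be tuned per host against its baseline.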
"In leveraging victims for use as C2 infrastructure with T2 communication, QakBot effectively punishes users twice, first in the initial compromise, and second in the potential risk to reputation of a host being identified publicly as malicious," Team Cymru said.
By cutting off communications to the upstream servers, the company pointed out, victims are prevented from receiving C2 instructions, thereby effectively protecting current and future users from compromise.