Evasive QBot Malware Leverages Short-lived Residential IPs for Dynamic Attacks

June 1, 2023 | Ravi Lakshmanan | Cyber Threat / Network Security


An analysis of the “evasive and persistent” malware known as QBot revealed that 25% of command and control (C2) servers were active for only one day.

Additionally, 50% of the servers did not remain active for more than a week, indicating the use of an adaptive and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News.

Security researchers Chris Formosa and Steve Rudd said, “Rather than hiding in a network of hosted Virtual Private Servers (VPS), this botnet hides its infrastructure in residential IP space or on infected web servers. We have adopted a technology that hides the …”

QBot, also known as QakBot or Pinklipbot, is a persistent and powerful threat that started as a banking Trojan and has evolved into a downloader of other payloads such as ransomware. Its origins date back to 2007.

The malware reaches victims’ devices via spear-phishing emails that embed lure files directly or embed URLs leading to decoy documents.

The attackers behind QBot have continuously refined their tactics over the years, using a variety of methods, including email thread hijacking, HTML smuggling, and unusual attachment types, to slip past security barriers and get into victims’ systems.

Another notable aspect of this operation is the modus operandi itself. QBot’s malspam campaigns unfold in bursts of intense activity, followed by periods of near-indifference before the infection chain revamps and resurfaces.

A wave of phishing scams involving QBot utilized Microsoft OneNote as an intrusion vector in early 2023, while recent attacks utilize protected PDF files to install malware on victims’ machines.

QakBot relies on compromised web servers and on hosts residing in residential IP space for its C2, resulting in short-lived infrastructure, with 70-90 new servers spawning every seven days on average.
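The lifetime and churn figures quoted above (share of C2 servers alive for one day, share alive for at most a week, new servers per seven-day window) are the kind of statistics a defender can derive from their own sightings data. The following is an added example, not code from the article or from Black Lotus Labs; the sightings list is a constructed placeholder with made-up server labels and dates, and the column layout (server, first_seen, last_seen) is an assumption about how such telemetry would be recorded.

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample of C2 sightings: (server label, first_seen, last_seen).
# Placeholder labels and dates only; these are not real QakBot hosts.
SIGHTINGS = [
    ("c2-a", date(2023, 3, 1), date(2023, 3, 1)),    # seen for 1 day
    ("c2-b", date(2023, 3, 2), date(2023, 3, 2)),    # 1 day
    ("c2-c", date(2023, 3, 2), date(2023, 3, 6)),    # 5 days
    ("c2-d", date(2023, 3, 8), date(2023, 3, 21)),   # 14 days
    ("c2-e", date(2023, 3, 9), date(2023, 3, 9)),    # 1 day
    ("c2-f", date(2023, 3, 10), date(2023, 3, 15)),  # 6 days
    ("c2-g", date(2023, 3, 16), date(2023, 4, 5)),   # 21 days
    ("c2-h", date(2023, 3, 17), date(2023, 3, 18)),  # 2 days
]


def lifetime_days(first_seen, last_seen):
    """Inclusive number of days a server was observed active."""
    return (last_seen - first_seen).days + 1


def lifetime_fraction(sightings, max_days):
    """Fraction of servers whose observed lifetime is at most max_days.

    max_days=1 reproduces the 'active for only one day' metric,
    max_days=7 the 'not active for more than a week' metric.
    """
    if not sightings:
        return 0.0
    short = sum(1 for _, first, last in sightings
                if lifetime_days(first, last) <= max_days)
    return short / len(sightings)


def new_servers_per_week(sightings, epoch):
    """Count servers first seen in each 7-day window starting at epoch.

    Returns {week_index: count}; a rising count of fresh servers per week
    is the churn signal described in the report.
    """
    counts = Counter()
    for _, first, _ in sightings:
        counts[(first - epoch).days // 7] += 1
    return dict(sorted(counts.items()))


def churn_report(sightings, epoch):
    """Summarise lifetime distribution and weekly churn in one dict."""
    lifetimes = [lifetime_days(f, l) for _, f, l in sightings]
    return {
        "servers": len(sightings),
        "median_lifetime_days": median(lifetimes),
        "fraction_one_day": lifetime_fraction(sightings, 1),
        "fraction_week_or_less": lifetime_fraction(sightings, 7),
        "new_per_week": new_servers_per_week(sightings, epoch),
    }


if __name__ == "__main__":
    for key, value in churn_report(SIGHTINGS, date(2023, 3, 1)).items():
        print(f"{key}: {value}")
```

Feeding real first-seen/last-seen records into `churn_report` lets an analyst check whether blocklists built from a single day's indicators are still worth anything a week later; with a median lifetime this short, the useful detection signal is the churn pattern itself rather than any individual address.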


“Qakbot maintains its resilience by repurposing victim machines into C2,” the researchers said, adding that it replenishes “the supply of C2 through bots that are then turned into C2.”

According to data released last month by Team Cymru, the majority of Qakbot bot C2 servers are suspected to be compromised hosts purchased from third-party brokers, most of which are located in India as of March 2023.

A survey of the attack infrastructure by Black Lotus Labs further revealed the existence of back-connected servers that could turn a “substantial number” of infected bots into proxies and promote them for other malicious purposes.

The researchers concluded that “Qakbot has been tenacious by adopting a hands-on approach to building and developing its architecture.”

“While it may not rely on the sheer numbers of Emotet, changing initial access methods and maintaining a resilient yet evasive residential C2 architecture have proven its technical capability.”
