June 1, 2023 | Ravi Lakshmanan | Cyber Threat / Network Security

An analysis of the “evasive and persistent” malware known as QBot revealed that 25% of command and control (C2) servers were active for only one day.

Additionally, 50% of the servers do not remain active for more than a week, indicating the use of an adaptive and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News.

Security researchers Chris Formosa and Steve Rudd said, “Rather than hiding in a network of hosted Virtual Private Servers (VPS), this botnet can hide its infrastructure in residential IP spaces or infected web servers. We have adopted a technology that hides the

QBot, also known as QakBot or Pinkslipbot, is a persistent and powerful threat that started as a banking Trojan and has evolved into a downloader of other payloads such as ransomware. Its origins date back to 2007.

The malware reaches victims’ devices via spear-phishing emails that embed lure files directly or embed URLs leading to decoy documents.

The threat actor behind QBot has continuously improved its tactics, using email thread hijacking, HTML smuggling, and unusual attachment types to get past security barriers.

Another notable aspect of this operation is the modus operandi itself. QBot’s malspam campaigns unfold in bursts of focused activity, followed by periods of little to no activity, after which the operation resurfaces with a revamped infection chain.

Phishing waves involving QBot in early 2023 used Microsoft OneNote as an intrusion vector, while recent attacks have used protected PDF files to install the malware on the victim’s machine.

QakBot relies on compromised web servers and hosts in residential IP space for its C2, which makes its servers short-lived: on average, 70-90 new servers appear every seven days.


“Qakbot maintains its resilience by repurposing victim machines into C2,” the researchers said, adding that it replenishes “the supply of C2 through bots that are then turned into C2.”

According to data Team Cymru released last month, most of the Qakbot bot C2 servers are suspected to be compromised hosts purchased from third-party brokers, most of them located in India as of March 2023.

A study of the attack infrastructure by Black Lotus Labs further revealed a backconnect server that turns a “significant number” of infected bots into proxies, which can then be promoted for other malicious purposes.

“Qakbot has been persistent in adopting a hands-on approach to building and developing its architecture,” conclude the researchers.

“While we may not rely on the sheer numbers of Emotet, changing initial access methods and maintaining a resilient yet avoidable residential C2 architecture will help We have proven our technology.”
