An analysis of the “evasive and persistent” malware known as QBot revealed that 25% of command and control (C2) servers were active for only one day.
Additionally, 50% of the servers did not remain active for more than a week, indicating the use of an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News.
Security researchers Chris Formosa and Steve Rudd said, “Rather than hiding in a network of hosted virtual private servers (VPS), this botnet can hide its infrastructure in residential IP space or on infected web servers. We have adopted a technology that hides the
QBot, also known as QakBot or Pinkslipbot, is a persistent and powerful threat that started as a banking Trojan and has evolved into a downloader of other payloads such as ransomware. Its origins date back to 2007.
The malware reaches victims’ devices via spear-phishing emails that either embed lure files directly or contain URLs leading to decoy documents.
The threat actor behind QBot has continually refined its tactics, using email thread hijacking, HTML smuggling, and unusual attachment types to get past security barriers.
Another notable aspect of this operation is the modus operandi itself. QBot’s malspam campaigns unfold in bursts of focused activity, followed by periods of relative inactivity before the infection chain is revamped and resurfaces.
A phishing wave involving QBot in early 2023 used Microsoft OneNote as the intrusion vector, while more recent attacks have used protected PDF files to install the malware on the victim’s machine.
QakBot relies on compromised web servers and hosts residing in residential IP space for its C2, resulting in short-lived infrastructure, with 70 to 90 new servers spawning every seven days on average.
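The lifetime figures above (share of C2 servers alive for one day, share alive for a week or less, and new servers per seven-day window) are the kind of churn metrics a threat-intel team computes over its own sightings. The following is an added example, not code from Black Lotus Labs or the report; the sighting records are constructed and contain no real indicators.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of C2 sightings: (server label, first seen, last seen).
# Labels are placeholders, not real infrastructure.
SIGHTINGS = [
    ("c2-01", date(2023, 4, 3), date(2023, 4, 3)),
    ("c2-02", date(2023, 4, 3), date(2023, 4, 5)),
    ("c2-03", date(2023, 4, 4), date(2023, 4, 8)),
    ("c2-04", date(2023, 4, 5), date(2023, 4, 20)),
    ("c2-05", date(2023, 4, 6), date(2023, 4, 18)),
    ("c2-06", date(2023, 4, 10), date(2023, 4, 10)),
    ("c2-07", date(2023, 4, 12), date(2023, 4, 30)),
    ("c2-08", date(2023, 4, 14), date(2023, 4, 24)),
]


def lifetimes_days(sightings):
    """Inclusive number of days each server was observed active."""
    return {sid: (last - first).days + 1 for sid, first, last in sightings}


def churn_summary(sightings):
    """Share of servers alive one day / a week or less, and new servers per 7-day window."""
    if not sightings:
        raise ValueError("no sightings")
    lifetimes = lifetimes_days(sightings)
    n = len(lifetimes)
    one_day = sum(1 for d in lifetimes.values() if d == 1) / n
    week_or_less = sum(1 for d in lifetimes.values() if d <= 7) / n
    # Bucket servers by the 7-day window in which they were first seen.
    start = min(first for _, first, _ in sightings)
    new_per_window = defaultdict(int)
    for _, first, _ in sightings:
        new_per_window[(first - start).days // 7] += 1
    avg_new = sum(new_per_window.values()) / len(new_per_window)
    return {
        "servers": n,
        "pct_one_day": one_day,
        "pct_week_or_less": week_or_less,
        "avg_new_per_week": avg_new,
    }


def short_lived(sightings, max_days=1):
    """Servers active for at most max_days: good candidates for retroactive log hunting."""
    return [sid for sid, d in lifetimes_days(sightings).items() if d <= max_days]


if __name__ == "__main__":
    print(churn_summary(SIGHTINGS))
    print("short-lived:", short_lived(SIGHTINGS))
```

Because such servers vanish quickly, a blocklist built from them is stale almost immediately; the value of the lifetime data is in hunting historical proxy and DNS logs and in prioritising behavioural detection over static indicators.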
“Qakbot maintains its resilience by repurposing victim machines into C2,” the researchers said, adding that it replenishes “the supply of C2 through bots that are then turned into C2.”
According to data Team Cymru released last month, most of the QakBot C2 servers are suspected to be compromised hosts purchased from third-party brokers, the majority of them located in India as of March 2023.
A study of the attack infrastructure by Black Lotus Labs revealed a further layer, a backconnect server, that could turn a “significant number” of infected bots into proxies and advertise them for other malicious purposes.
“Qakbot has been persistent in adopting a hands-on approach to building and developing its architecture,” the researchers concluded.
“While it may not rely on sheer numbers like Emotet, it demonstrates technical craft by varying its initial access methods and maintaining a resilient yet evasive residential C2 architecture.”