
QakBot Malware Operators Amplify Threat with Surge of 15 New C2 Servers

In a recent development, the group behind the QakBot (also known as QBot) malware has established a fresh network of 15 command-and-control (C2) servers by the end of June 2023. This observation builds on the ongoing investigation of the malware's infrastructure conducted by Team Cymru. Remarkably, this expansion follows closely after a revelation by Lumen Black Lotus Labs, which disclosed that a quarter of its C2 servers remain operational for just a single day, shedding light on the dynamic and elusive nature of QakBot's operations.

QakBot traditionally exhibits a pattern of extended downtime during the summer months, typically resurfacing in September. In the current year, its spamming operations halted approximately on June 22, 2023, according to the cybersecurity firm. However, whether the QakBot operators use this downtime as a vacation or utilize it for refining and updating their infrastructure and tools remains to be seen.

Deploying Exquisite Infrastructure

Similar to the architectures observed in Emotet and IcedID malware, the Command-and-Control (C2) network of QakBot exhibits a multi-tiered structure. Within this arrangement, the C2 nodes communicate with higher-level Tier 2 (T2) C2 nodes hosted on virtual private server (VPS) providers in Russia. Most bot C2 servers, which communicate with the compromised victim hosts, are primarily in the United States and India. Analyzing the outbound connections from T2 nodes reveals that the destination IP addresses are in the United States, India, Mexico, and Venezuela. Alongside the C2 and T2 nodes, a BackConnect (BC) server transforms the compromised bots into proxies, enabling them to serve various malicious activities. This intricate network architecture underscores QakBot's efforts to orchestrate its operations across multiple geographic locations, enhancing its ability to effectively manage and control infected systems.

Tier 2 C2 nodes, in the context of cyber threats and malware, refer to the intermediate level of command-and-control infrastructure within a multi-tiered architecture. Sophisticated malware strains like QakBot, Emotet, and IcedID often employ this architecture. Tier 2 C2 nodes are intermediaries between the main command-and-control servers (Tier 1) and the compromised devices or bots (endpoints).

The purpose of Tier 2 nodes is to enhance the resilience and stealth of the malware's communication network. Commands and control signals originate at the central (Tier 1) C2 servers, pass through the Tier 2 nodes, and are relayed from there to the individual compromised devices, so bots never contact the top tier directly. This hierarchical setup makes it harder for security analysts to trace the malicious activities back to the main C2 servers, thus increasing the malware's chances of evading detection and takedowns.

Tier 2 C2 nodes often communicate with the compromised devices using various techniques, such as domain generation algorithms or fast-flux networks, which further complicates efforts to block or shut down the malware's communication channels. Threat actors use Tier 2 C2 nodes to maintain control over their botnets and facilitate the execution of malicious operations while minimizing the risks associated with direct communication between the central server and the infected devices.

C2 Servers Exploited

The most recent findings unveiled by Team Cymru highlight a noteworthy decline in the count of existing C2s that engage with the T2 layer: only eight remain. This decrease is partly attributed to Black Lotus Labs' null-routing of the higher-tier infrastructure in May 2023. The company observed a substantial reduction in traffic from Indian C2s and the near disappearance of U.S. C2s around June 2, which they associate with the null-routing of the T2 layer. In addition to the 15 new C2 servers, six pre-existing C2 servers active before June and two newly activated C2 servers in June displayed continued activity throughout July, even after the cessation of spamming activities.

Further scrutiny of NetFlow data displays a recurrent pattern where heightened outbound T2 connections often follow spikes in inbound bot C2 connections. Additionally, surges in outbound T2 connections frequently coincide with dips in bot C2 activity. Team Cymru highlighted that by employing victims as C2 infrastructure with T2 communication, QakBot imposes a dual burden on users, first through the initial compromise and then through the potential harm to their reputation when their host is publicly recognized as malicious. The company emphasized that by severing communications with upstream servers, victims cannot receive C2 instructions, effectively safeguarding current and future users against compromise.
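The tiered layout described above (bots connecting inbound to a victim-hosted C2, which then connects outbound to a T2 upstream) leaves a flow-level signature that a defender can hunt for. The following added example is not from Team Cymru's report; it runs over constructed NetFlow-style records and flags any host whose burst of inbound connections from several distinct peers is followed, within a short window, by an outbound connection to a peer that never connected inbound (the suspected upstream). All addresses are documentation ranges and the threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, src, dst); not taken from the report.
# 203.0.113.10 models a hypothetical victim relaying for bots, the others are noise.
SAMPLE_FLOWS = [
    ("2023-06-25T10:00:05", "198.51.100.1", "203.0.113.10"),
    ("2023-06-25T10:01:10", "198.51.100.2", "203.0.113.10"),
    ("2023-06-25T10:02:30", "198.51.100.3", "203.0.113.10"),
    ("2023-06-25T10:03:45", "198.51.100.4", "203.0.113.10"),
    ("2023-06-25T10:05:00", "203.0.113.10", "192.0.2.50"),    # outbound T2-style hop
    ("2023-06-25T10:06:00", "203.0.113.10", "198.51.100.2"),  # reply to a bot, ignored
    ("2023-06-25T10:10:00", "198.51.100.9", "203.0.113.20"),
    ("2023-06-25T10:11:00", "203.0.113.20", "192.0.2.77"),    # one source: no burst
    ("2023-06-25T11:00:00", "198.51.100.5", "203.0.113.30"),
    ("2023-06-25T11:00:30", "198.51.100.6", "203.0.113.30"),
    ("2023-06-25T11:01:00", "198.51.100.7", "203.0.113.30"),
    ("2023-06-25T11:30:00", "203.0.113.30", "192.0.2.88"),    # outbound too late
]


def find_relay_candidates(flows, window=timedelta(minutes=10), min_sources=3):
    """Return {host: {upstream, ...}} for hosts that received connections from at
    least `min_sources` distinct peers in the `window` before an outbound
    connection to a peer that never connected inbound (a suspected upstream)."""
    inbound = defaultdict(list)   # host -> [(time, source)]
    outbound = defaultdict(list)  # host -> [(time, destination)]
    for ts, src, dst in flows:
        t = datetime.fromisoformat(ts)
        inbound[dst].append((t, src))
        outbound[src].append((t, dst))

    findings = {}
    for host, outs in outbound.items():
        inbound_peers = {s for _, s in inbound.get(host, [])}
        for t_out, dst in outs:
            if dst in inbound_peers:
                continue  # traffic back to a bot, not an upstream hop
            recent = {s for t, s in inbound.get(host, []) if t_out - window <= t <= t_out}
            if len(recent) >= min_sources:
                findings.setdefault(host, set()).add(dst)
    return findings


if __name__ == "__main__":
    for host, upstreams in find_relay_candidates(SAMPLE_FLOWS).items():
        print(f"{host} looks like a relay; upstream peers: {sorted(upstreams)}")
```

Hosts surfaced this way are candidates for the upstream-blocking response the report describes: cutting the host's outbound path to its upstream peers stops it receiving further instructions.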

About QakBot

QakBot, also known as QBot, has been a notorious banking trojan and information-stealing malware since around 2007. It primarily targets Windows operating systems and is designed to steal sensitive financial information from infected computers, such as banking credentials, credit card details, and personal data. QakBot is usually delivered through malicious email attachments, links, or infected websites. Once installed on a system, it connects to command-and-control (C2) servers, enabling the operators to control the infected machine and exfiltrate stolen data remotely. QakBot has demonstrated a high level of sophistication over the years, constantly evolving its techniques to evade detection and security measures. It can also spread through network shares and exploit vulnerabilities to propagate within a network. Overall, QakBot is a significant threat to individuals and organizations due to its ability to steal sensitive information and potentially lead to financial losses.
