
QakBot Comes Back with More C2 Servers Spreading Malware 


The operators behind the QakBot malware have set up 15 new command-and-control (C2) servers as of late June 2023.

This information comes as an update to Team Cymru’s analysis of the malware’s infrastructure. It’s been over two months since Lumen Black Lotus Labs revealed that 25% of QakBot’s C2 servers are only active for a single day.

Heard about it after a long time?

Historically, QakBot tends to take a break during the summer months before resuming its activities in September. This year, the spamming activities stopped around June 22, 2023. The question is whether the operators are taking a vacation or using this “break” to improve their tools and infrastructure.

Like Emotet and IcedID, the C2 network of QakBot uses a hierarchical structure where C2 nodes connect with upstream Tier 2 (T2) C2 nodes hosted on VPS providers located in Russia.

Source: Volume of bot C2s connections with the T2 layer (RU1, RU2, RU3) over TCP/443

Most bot C2 servers, which communicate with the infected hosts, are based in India and the U.S. The destination IP addresses from outbound T2 connections are primarily in the U.S., India, Mexico, and Venezuela.

Is there any backup too?

Apart from the C2 and Tier 2 C2 servers, a BackConnect (BC) server turns the compromised bots into proxies for other malicious purposes.

Recent research from Team Cymru shows a significant decrease in existing C2s communicating with the T2 layer. Only eight remain, partly due to Black Lotus Labs’ null-routing of the higher-tier infrastructure in May 2023.

Observations indicate that U.S. C2s practically vanished on June 2, and Indian C2 activity also decreased. This decline in U.S. activity is attributed to null-routing the T2 layer.

How are the servers operated?

Six of the 15 new C2 servers have been active since before June, and two became operational in June. They continued to show activity in July after the spamming phase concluded.

Further analysis of NetFlow data reveals a pattern where increased outbound T2 connections often follow spikes in inbound bot C2 connections. Additionally, spikes in outbound T2 connections often coincide with decreased bot C2 activity.

Source: Percentages of reported and unreported C2s with typical upstream bot traffic and of those that are also T2 destination IPs

Prodigy of attack

By repurposing victims as C2 infrastructure with T2 communication, QakBot victimizes users twice.

  1. First, during the initial compromise.
  2. Second, with the potential risk of their host being publicly labeled as malicious.

These traits have led to the theory that other factors, like location and the organizations responsible for internet services, might play a role in choosing which compromised hosts to target. 

These factors could influence which hosts are bought from external sources or determine which Qakbot victims are promoted to serve as C2s, T2 destination IPs, or both, at least in certain situations.

Final say: The plan to fight back

Cutting off communications to the upstream servers prevents victims from receiving C2 instructions, effectively safeguarding current and future users from compromise. Qakbot’s infrastructure is influenced by geolocation, so it is worth assessing geolocation-based monitoring.

Collaborating with Autonomous System organizations helps mitigation by identifying potential threats. Lastly, update defense measures regularly and keep your CERTs ready to respond 24/7.
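
One way to check your own flow logs for the pattern described above, where a spike of inbound bot connections to a host is followed by that host contacting the T2 layer over TCP/443. This is an added example, not code from Team Cymru or the original article. The CSV layout, the monitored network range, the T2 watchlist addresses and the thresholds are assumptions, and the sample data is constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow export (RFC 5737 documentation addresses, not real indicators).
SAMPLE_FLOWS = """hour,src,dst,dport
0,198.51.100.1,192.0.2.5,443
0,198.51.100.2,192.0.2.5,443
0,198.51.100.3,192.0.2.5,443
0,198.51.100.1,192.0.2.8,443
1,192.0.2.5,203.0.113.10,443
3,192.0.2.9,203.0.113.11,443
5,192.0.2.8,198.51.100.50,443
"""

OUR_NET = ipaddress.ip_network("192.0.2.0/24")    # assumption: the network you monitor
T2_WATCHLIST = {"203.0.113.10", "203.0.113.11"}   # placeholder upstream (T2) addresses


def find_relay_suspects(flow_csv, spike_sources=3, window_hours=2):
    """Return {host: {"t2_hours": [...], "correlated": [(spike_hour, t2_hour), ...]}}."""
    inbound = defaultdict(lambda: defaultdict(set))  # host -> hour -> distinct external sources
    t2_hours = defaultdict(set)                      # host -> hours with outbound T2 contact

    for row in csv.DictReader(io.StringIO(flow_csv)):
        hour = int(row["hour"])
        src_local = ipaddress.ip_address(row["src"]) in OUR_NET
        dst_local = ipaddress.ip_address(row["dst"]) in OUR_NET
        if dst_local and not src_local:
            inbound[row["dst"]][hour].add(row["src"])
        elif src_local and row["dst"] in T2_WATCHLIST and row["dport"] == "443":
            t2_hours[row["src"]].add(hour)

    report = {}
    for host, hours in t2_hours.items():
        spikes = sorted(h for h, srcs in inbound[host].items() if len(srcs) >= spike_sources)
        # An inbound spike followed by T2 contact within the window matches the reported pattern.
        correlated = [(s, t) for s in spikes for t in sorted(hours) if 0 <= t - s <= window_hours]
        report[host] = {"t2_hours": sorted(hours), "correlated": correlated}
    return report


if __name__ == "__main__":
    for host, info in find_relay_suspects(SAMPLE_FLOWS).items():
        print(host, info)
```

Any host in the report has contacted a watchlisted upstream address and deserves triage; a non-empty `correlated` list additionally suggests the host is relaying bot traffic rather than only receiving instructions.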


Marrium Akhtar


August 9, 2023

