Analysis of the “evasive and tenacious” malware known as QBot has revealed that 25% of its command-and-control (C2) servers were only active for one day.
What’s more, 50% of the servers remained active for no more than a week, pointing to an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News.
“This botnet has adapted techniques to hide its infrastructure in residential IP spaces and infected web servers, as opposed to hiding in hosted virtual private server (VPS) networks,” security researchers Chris Formosa and Steve Rudd said.
QBot, also called QakBot and Pinkslipbot, is a powerful and persistent threat that started as a banking trojan before evolving into a downloader for other payloads, including ransomware. Its origins go back to 2007.
The malware arrives at victims’ devices via spear-phishing emails, which either directly include the lure file or contain an embedded URL that leads to the decoy document.
The threat actors behind QBot have kept refining their tactics over the years to infiltrate victims’ systems, using methods such as email thread hijacking, HTML smuggling, and unusual attachment types to sneak past security controls.
Another notable aspect of the operation is its modus operandi: QBot’s malspam campaigns play out as bursts of intense activity followed by periods of little or no activity, only to reappear with renewed infection chains.
While the phishing waves delivering QBot in early 2023 leveraged Microsoft OneNote as an intrusion vector, recent attacks have used protected PDF files to install the malware on victims’ machines.
QakBot’s reliance on compromised web servers and existing hosts in the residential IP space for C2 translates to a short lifespan for each server, producing a scenario in which an average of 70 to 90 new servers emerge over any seven-day period.
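To make the churn figures above concrete, here is an added example (not code from the Black Lotus Labs report or from The Hacker News) that computes the same kind of lifetime statistics over a constructed set of C2 sightings, and goes one step further than the article by flagging which entries of a weekly-refreshed blocklist would already be stale. It assumes your telemetry or threat feed yields (host, first_seen, last_seen) tuples; the addresses, dates and the 7-day staleness threshold are made up for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed sample of C2 sightings: (host, first_seen, last_seen).
# Addresses are from RFC 5737 documentation ranges and are made up for
# this example; they are not indicators from the report.
SIGHTINGS = [
    ("203.0.113.10", date(2023, 4, 3), date(2023, 4, 3)),
    ("203.0.113.11", date(2023, 4, 3), date(2023, 4, 5)),
    ("198.51.100.7", date(2023, 4, 4), date(2023, 4, 4)),
    ("198.51.100.8", date(2023, 4, 5), date(2023, 4, 20)),
    ("192.0.2.21", date(2023, 4, 6), date(2023, 4, 9)),
    ("192.0.2.22", date(2023, 4, 11), date(2023, 4, 11)),
    ("192.0.2.23", date(2023, 4, 12), date(2023, 4, 16)),
    ("203.0.113.12", date(2023, 4, 14), date(2023, 4, 30)),
]

# Snapshot date for the staleness check (assumed, part of the constructed data).
AS_OF = date(2023, 4, 30)


def lifetime_days(first_seen, last_seen):
    """Inclusive number of days a host was observed acting as C2.

    A host seen on a single calendar day counts as active for one day.
    """
    return (last_seen - first_seen).days + 1


def lifetime_summary(sightings):
    """Share of C2 hosts that lived one day / at most a week, plus the median."""
    lifetimes = [lifetime_days(first, last) for _, first, last in sightings]
    total = len(lifetimes)
    return {
        "total": total,
        "one_day_share": sum(1 for d in lifetimes if d == 1) / total,
        "within_week_share": sum(1 for d in lifetimes if d <= 7) / total,
        "median_days": median(lifetimes),
    }


def new_servers_per_week(sightings, start=None):
    """Count newly appearing C2 hosts per seven-day window from `start`.

    Defaults to the earliest first_seen in the data. Window 0 covers the
    first seven days, window 1 the next seven, and so on.
    """
    if not sightings:
        return {}
    if start is None:
        start = min(first for _, first, _ in sightings)
    weeks = Counter((first - start).days // 7 for _, first, _ in sightings)
    return dict(sorted(weeks.items()))


def stale_indicators(sightings, as_of, max_age_days=7):
    """Hosts whose last sighting is older than `max_age_days` as of `as_of`.

    A blocklist built from these sightings and refreshed less often than
    weekly keeps blocking hosts that have already dropped out of the botnet
    (possibly ordinary residential users by now) while missing the new ones.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(host for host, _, last in sightings if last < cutoff)


if __name__ == "__main__":
    summary = lifetime_summary(SIGHTINGS)
    print(f"{summary['one_day_share']:.0%} of C2 hosts were active for one day, "
          f"{summary['within_week_share']:.0%} for at most a week "
          f"(median {summary['median_days']} days)")
    print("new C2 hosts per week:", new_servers_per_week(SIGHTINGS))
    print("entries older than 7 days on", AS_OF, ":", stale_indicators(SIGHTINGS, AS_OF))
```

The practical takeaway is the last function: with lifetimes this short, a static indicator list ages out within days, so any blocking or hunting rule built on QBot C2 addresses needs an expiry tied to last_seen rather than a one-time import.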
“Qakbot maintains resilience by repurposing victim machines to C2,” the researchers said, adding it replenished “the C2 supply through the bot which then switches to C2.”
Based on data released by Team Cymru last month, the majority of QakBot bot C2 servers are believed to be compromised hosts purchased from third-party brokers, with most of them located in India as of March 2023.
Black Lotus Labs’ further inspection of the attack infrastructure also revealed a reverse connection server that turns a “significant number” of infected bots into proxies, which can then be advertised for other malicious purposes.
“Qakbot has persisted by adopting a field approach to building and developing its architecture,” the researchers concluded.
“While it may not rely solely on numbers like Emotet, it demonstrates technical expertise by varying early access methods and maintaining C2’s tough but evasive housing architecture.”