Evasive QBot Malware Leverages Short-lived Residential IPs for Dynamic Attacks

02-06-2023

An analysis of the “evasive and tenacious” malware known as QBot has revealed that 25% of its command-and-control (C2) servers are merely active for a single day.

What’s more, 50% of the servers don’t remain active for more than a week, indicating the use of an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News.

QBot, also called QakBot and Pinkslipbot, is a persistent and potent threat that started off as a banking trojan before evolving into a downloader for other payloads, including ransomware. Its origins go back as far as 2007.

The malware arrives on victims’ devices via spear-phishing emails, which either directly incorporate lure files or contain embedded URLs that lead to decoy documents.

The threat actors behind QBot have continuously improved their tactics over the years to infiltrate victim systems using different methods such as email thread hijacking, HTML smuggling, and uncommon attachment types.

While phishing waves bearing QBot at the start of 2023 leveraged Microsoft OneNote as an intrusion vector, recent attacks have employed protected PDF files to install the malware on victim machines.

QakBot’s reliance for C2 on compromised web servers and on hosts in the residential IP space translates to a brief lifespan and a high level of turnover, leading to a scenario where 70 to 90 new servers emerge over a seven-day period on average.
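As an added illustration that is not part of the Black Lotus Labs report or this article, the following Python computes the churn metrics quoted above (share of servers live for one day or at most a week, new servers per seven-day window) from a constructed first-seen/last-seen feed, and shows why indicators from such short-lived residential infrastructure should be expired quickly. The addresses and dates are constructed placeholders, not real QBot C2 servers.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sightings of the form (address, first_seen, last_seen); the
# addresses are documentation-range placeholders, not real QBot C2 servers.
SIGHTINGS = [
    ("203.0.113.10", date(2023, 5, 1), date(2023, 5, 1)),
    ("203.0.113.11", date(2023, 5, 2), date(2023, 5, 2)),
    ("203.0.113.12", date(2023, 5, 3), date(2023, 5, 5)),
    ("203.0.113.13", date(2023, 5, 4), date(2023, 5, 10)),
    ("203.0.113.14", date(2023, 5, 8), date(2023, 5, 19)),
    ("203.0.113.15", date(2023, 5, 9), date(2023, 5, 31)),
    ("203.0.113.16", date(2023, 5, 16), date(2023, 6, 5)),
    ("203.0.113.17", date(2023, 5, 20), date(2023, 6, 20)),
]


def active_days(first_seen, last_seen):
    """Inclusive number of days a server was observed as a live C2."""
    return (last_seen - first_seen).days + 1


def lifespan_share(sightings, max_days):
    """Fraction of servers whose observed lifetime is at most max_days."""
    short = sum(1 for _, f, l in sightings if active_days(f, l) <= max_days)
    return short / len(sightings)


def new_servers_per_week(sightings):
    """Number of never-before-seen servers in each 7-day window, counted
    from the earliest first_seen date in the feed."""
    start = min(f for _, f, _ in sightings)
    buckets = Counter((f - start).days // 7 for _, f, _ in sightings)
    return [buckets.get(i, 0) for i in range(max(buckets) + 1)]


def stale_indicators(sightings, today, ttl_days):
    """Addresses not seen live within ttl_days of today. Residential IPs are
    reassigned, so keeping these on a blocklist risks false positives on
    legitimate users; expire them instead of blocking indefinitely."""
    cutoff = today - timedelta(days=ttl_days)
    return [addr for addr, _, last in sightings if last < cutoff]


if __name__ == "__main__":
    print("share live one day only:", lifespan_share(SIGHTINGS, 1))
    print("share live a week or less:", lifespan_share(SIGHTINGS, 7))
    print("new servers per 7-day window:", new_servers_per_week(SIGHTINGS))
    print("stale after 7 days:", stale_indicators(SIGHTINGS, date(2023, 6, 21), 7))
```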

According to data released by Team Cymru last month, a majority of QakBot C2 servers are suspected to be compromised hosts that were purchased from a third-party broker, with most of them located in India as of March 2023.

Black Lotus Labs’ examination of the attack infrastructure has further revealed the presence of a backconnect server that turns a “significant number” of the infected bots into a proxy that can then be advertised for other malicious purposes.

Source:  https://thehackernews.com/