QakBot Malware extends Command-and-Control network with 15 new servers


In a recent development, the operators affiliated with the QakBot malware, also known as QBot, have established 15 additional command-and-control (C2) servers since late June 2023. This expansion follows an ongoing investigation into the malware’s infrastructure by Team Cymru. The update comes approximately two months after Lumen Black Lotus Labs revealed that a quarter of QakBot’s C2 servers remain active for just a single day.

QakBot, recognized for its recurring summer hiatus, ceased its spamming operations around June 22, 2023. However, this pause prompts speculation: Is this downtime a break for QakBot operators or a period for them to refine and enhance their infrastructure and tools?

Much like other infamous malware variants such as Emotet and IcedID, QakBot’s C2 network employs a tiered architecture. Bot-facing C2 nodes communicate with upstream Tier 2 (T2) C2 nodes hosted on VPS providers located in Russia.

The majority of bot C2 servers, responsible for communicating with compromised hosts, are concentrated in India and the United States. Outbound T2 connections lead to destination IP addresses primarily based in the U.S., India, Mexico, and Venezuela.

Accompanying the C2s and Tier 2 C2s is a BackConnect (BC) server, which transforms infected bots into proxies for malicious activities. Recent research conducted by Team Cymru indicates a notable reduction in the number of existing C2s communicating with the T2 layer, leaving only eight remaining. This decline was partially influenced by Black Lotus Labs’ null-routing of the higher-tier infrastructure in May 2023.

Observing NetFlow data, Team Cymru identified a pattern where “increased outbound T2 connections often coincide with spikes in activity for inbound bot C2 connections,” suggesting a dynamic correlation between these activities.
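The following is an added example, not code from Team Cymru or the original article, showing how a defender could test for that pattern on one suspected bot C2 host: it buckets flow records by hour, correlates inbound bot connections with outbound T2 connections, and lists the hours where both spike. The IP addresses (documentation ranges), the flow tuple layout, and the spike threshold are assumptions made for the example.

```python
from collections import Counter
from math import sqrt
from statistics import mean, pstdev

C2_HOST = "198.51.100.10"                    # constructed candidate bot C2
T2_ADDRS = {"203.0.113.5", "203.0.113.6"}    # constructed T2 placeholders

def build_sample_flows():
    """Constructed flow records: (hour bucket, source IP, destination IP)."""
    inbound = [2, 3, 2, 9, 10, 3, 2, 8]      # bot -> C2 flows per hour
    outbound = [1, 1, 1, 4, 5, 1, 1, 4]      # C2 -> T2 flows per hour
    flows = []
    for hour, (n_in, n_out) in enumerate(zip(inbound, outbound)):
        flows += [(hour, f"192.0.2.{i + 1}", C2_HOST) for i in range(n_in)]
        flows += [(hour, C2_HOST, "203.0.113.5")] * n_out
    return flows

def hourly_series(flows, c2, t2_addrs):
    """Return (hours, inbound bot counts, outbound T2 counts) per hour bucket."""
    inbound, outbound = Counter(), Counter()
    for hour, src, dst in flows:
        if dst == c2 and src not in t2_addrs:
            inbound[hour] += 1               # infected host talking to the C2
        elif src == c2 and dst in t2_addrs:
            outbound[hour] += 1              # C2 relaying upstream to T2
    seen = sorted(set(inbound) | set(outbound))
    hours = list(range(seen[0], seen[-1] + 1)) if seen else []
    return hours, [inbound[h] for h in hours], [outbound[h] for h in hours]

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is empty or flat."""
    if not xs:
        return 0.0
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / sqrt(var) if var else 0.0

def coincident_spikes(hours, xs, ys, k=0.5):
    """Hours where both series exceed their own mean + k * std deviation."""
    if not hours:
        return []
    tx, ty = mean(xs) + k * pstdev(xs), mean(ys) + k * pstdev(ys)
    return [h for h, x, y in zip(hours, xs, ys) if x > tx and y > ty]

if __name__ == "__main__":
    hours, inb, outb = hourly_series(build_sample_flows(), C2_HOST, T2_ADDRS)
    print(f"r = {pearson(inb, outb):.3f}")
    print("coincident spike hours:", coincident_spikes(hours, inb, outb))
```

A high correlation on a host that also receives connections from many distinct internal or customer addresses is a reason to investigate it as a relay, not proof on its own.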

By coercing victims into becoming part of the C2 infrastructure that communicates with the T2 layer, QakBot harms its targets twice: the initial compromise is followed by the risk that the host is publicly identified as malicious. Cutting off communications to the upstream servers acts as a defense mechanism, preventing compromised users from receiving C2 instructions. This approach aims to protect both current and future users from further compromise.