
Researchers Discover QakBot Malware C2 Infrastructure


A new report from Team Cymru researchers has uncovered significant patterns and irregularities in QakBot’s command-and-control infrastructure, identifying key trends and suspicious activity associated with the malware.

By analyzing connections made to victim-facing C2 servers, researchers determined that QakBot uses a specific management port for communication that tends to persist for long durations. This ensures consistent and prolonged communication, which can go undetected for months, allowing the malware to operate unchecked.

Researchers were able to identify Tier 2 (T2) infrastructure through the communication patterns with common peers and establish the active victim-facing C2 servers via the T2 layer. They found that persistent communication using TCP/443 had been ongoing for several months between the C2 servers linked to QakBot and two affiliate IDs, “Obama” and “BB,” and three upstream Russian T2 servers.

Russian IP addresses are often used in advanced botnet networks because they provide a shield against non-Russian law enforcement agencies and researchers, creating a paradox in which recurring connections from diverse source IPs to Russian IP space themselves appear suspicious or noteworthy. The ongoing connection between QakBot C2 servers and Russian T2 servers therefore suggests a significant relationship between the identified campaigns and these specific T2 servers.

Researchers analyzed the C2 configuration data of QakBot campaigns in April 2023 and verified that the upstream Russian T2 servers had not changed. Further examination of all C2 servers pinpointed the specific ones that established connections via TCP/443. The upstream traffic from these C2 servers showed a curious pattern: the same T2 servers appeared in configurations associated with both the Obama and BB campaigns, indicating a potential connection between the two campaigns in their use of these servers.

During the specified timeframe, the Obama campaigns had five unique IPs associated with them, while the BB campaign had only one unique IP. There was no clear separation observed among the affiliates based on the upstream infrastructure used by their C2 servers for communication.

In March, there was a shift in C2 activity with increased Indian and US IPs, a decrease in active C2 servers across different locations, and RU2 and RU3 receiving traffic from US and other North American C2 servers not seen with RU1. RU1 primarily relied on hosts in India with limited diversity while occasionally connecting to C2 servers from the US and Czech Republic during February and March.

Experts recommend using the listed IOCs to detect current QakBot infections and prevent future attacks, identifying the Russian T2 servers by querying the IOC list and filtering for outbound connections to remote TCP/443, using Pure Signal Recon and Scout. Finally, they suggest pivoting on the inbound connections to the Russian T2 servers to reveal evolving QakBot C2 infrastructure.
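The detection step described above, applied to constructed flow records, as an added example that is not part of the report or Team Cymru's tooling; the T2 IOC addresses are placeholders from the RFC 5737 documentation ranges, and the persistence threshold is an assumption. It also tracks how long each source has been talking to a listed T2 host, since the report's point is that this traffic persists for months.

```python
"""Flag outbound TCP/443 flows to QakBot T2 IOC hosts and measure persistence.
Added example; IOC addresses and flow records below are constructed placeholders."""
from collections import defaultdict
from datetime import datetime

# Constructed IOC list standing in for the report's Russian T2 servers.
T2_IOCS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

# Constructed flow log: timestamp src_ip dst_ip dst_port proto
FLOWS = """\
2023-02-01T10:00:00 10.0.0.5 203.0.113.10 443 tcp
2023-02-15T11:30:00 10.0.0.5 203.0.113.10 443 tcp
2023-03-20T09:15:00 10.0.0.5 203.0.113.10 443 tcp
2023-04-28T08:05:00 10.0.0.5 203.0.113.10 443 tcp
2023-03-01T12:00:00 10.0.0.7 203.0.113.11 443 tcp
2023-03-01T12:00:00 10.0.0.9 203.0.113.12 80 tcp
2023-03-02T12:00:00 10.0.0.9 198.51.100.4 443 tcp
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, port, proto) tuples from the flow log."""
    for line in text.splitlines():
        ts, src, dst, port, proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), proto.lower()


def t2_sessions(text, iocs=T2_IOCS):
    """Group outbound TCP/443 flows to IOC hosts by (src, dst).
    Returns {(src, dst): (first_seen, last_seen, flow_count)}."""
    seen = defaultdict(list)
    for ts, src, dst, port, proto in parse_flows(text):
        # Only the management channel the report describes: TCP/443 to a listed T2 host.
        if proto == "tcp" and port == 443 and dst in iocs:
            seen[(src, dst)].append(ts)
    return {k: (min(v), max(v), len(v)) for k, v in seen.items()}


def persistent_pairs(text, min_days=30, iocs=T2_IOCS):
    """(src, dst) pairs whose T2 contact spans at least min_days (assumed threshold)."""
    return sorted(k for k, (first, last, _) in t2_sessions(text, iocs).items()
                  if (last - first).days >= min_days)


if __name__ == "__main__":
    for (src, dst), (first, last, n) in t2_sessions(FLOWS).items():
        print(f"{src} -> {dst}:443  {n} flows  {first.date()} .. {last.date()}")
    print("persistent:", persistent_pairs(FLOWS))
```

Flows to a listed host on a port other than 443, and TCP/443 flows to hosts not on the list, are deliberately left out so the match mirrors the report's filter.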

The research findings highlight the importance of continuous network monitoring to detect suspicious activity, which can help prevent harmful data breaches. It is also essential to keep systems up to date with the latest security patches to prevent malware infections.

Overall, the Team Cymru report shows how cybercriminals are continually updating their tactics to evade detection, highlighting the importance of having a robust cybersecurity infrastructure that can quickly respond to such threats.
