
QakBot Operators Extend C2 Infrastructure with 15 New Servers

The operators affiliated with the QakBot (also known as QBot) malware have recently established 15 new command-and-control (C2) servers, a noteworthy development in the evolving threat landscape as of late June 2023.

These revelations stem from the ongoing scrutiny of QakBot’s infrastructure carried out by Team Cymru, demonstrating a continuity of vigilance against this malware strain.

This update comes in the wake of Lumen Black Lotus Labs’ disclosure that 25% of QakBot C2 servers remain active for a mere 24 hours, illustrating the dynamic and transient nature of its operations.

A distinct pattern has emerged in QakBot’s historical behavior, characterized by a seasonal hiatus during the summer months, followed by a resurgence in activity around September. As the spamming endeavors of this year halted around June 22, 2023, questions arise regarding the purpose of this apparent ‘break.’

Similar to the architecture seen in Emotet and IcedID, QakBot’s C2 network exhibits a layered structure. C2 nodes communicate with upper-tier Tier 2 (T2) C2 nodes, hosted on Virtual Private Server (VPS) providers strategically located in Russia. This intricate design serves as a means to obfuscate the malicious network’s activities.

Predominantly, the bot C2 servers, instrumental in communication with victim hosts, are situated in the United States and India. Analyzing the destination IP addresses reveals a concentration in the U.S., India, Mexico, and Venezuela. This geolocation diversity adds to the resilience of the network.

Concurrently operating with the C2 and Tier 2 C2 nodes, a BackConnect (BC) server acts as a pivot, converting the compromised bots into proxies for further nefarious operations.

Noteworthy findings from Team Cymru’s research point to a decline in the number of active C2s communicating with the T2 layer. This decrease is, in part, attributed to Black Lotus Labs’ strategic null-routing maneuver in May 2023. A significant drop in U.S. C2 activity on June 2, accompanied by reduced Indian C2 traffic, lends credence to this observation.

Furthermore, Team Cymru’s in-depth analysis of NetFlow data exposes a correlation between spikes in outbound T2 connections and the waning of bot C2 activity. This intricate dance of traffic patterns highlights the malware’s fluidity in adapting to the defensive measures.
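A simplified illustration of the two steps such NetFlow analysis involves, inferring the C2 and T2 layers from flow direction and then counting how many C2s still reach a T2 each day, added here as an example; it is not Team Cymru's tooling or data. The flow records and addresses are constructed (documentation ranges, not real QakBot indicators), and the role thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed NetFlow-style records (day, src_ip, dst_ip). Day 1: three bot C2s
# each serve several victims and report upstream to one T2. Day 2: two of the
# C2s go quiet, the kind of drop the article attributes to null-routing.
def day_flows(d, c2s, t2):
    flows = []
    for i, c2 in enumerate(c2s):
        for v in range(3):                           # three victims per C2
            flows.append((d, f"10.{i}.0.{v + 1}", c2))
        flows.append((d, c2, t2))                    # C2 -> T2 upstream traffic
    return flows

C2_A, C2_B, C2_C, T2 = "198.51.100.10", "198.51.100.20", "198.51.100.30", "203.0.113.5"
FLOWS = day_flows(date(2023, 6, 1), [C2_A, C2_B, C2_C], T2) + \
        day_flows(date(2023, 6, 2), [C2_A], T2)

def infer_tiers(flows, min_victims=3, min_c2s=2):
    """Infer the layered structure from flow direction alone (thresholds assumed):
    a host contacted by >= min_victims distinct sources is a bot C2 candidate;
    a host contacted by >= min_c2s distinct C2 candidates is a Tier 2 node."""
    sources = defaultdict(set)
    for _, src, dst in flows:
        sources[dst].add(src)
    c2s = {h for h, s in sources.items() if len(s) >= min_victims}
    t2s = {h for h, s in sources.items() if len(s & c2s) >= min_c2s}
    return c2s - t2s, t2s                            # a T2 is not also a bot C2

def daily_active_c2(flows, c2s, t2s):
    """Count distinct C2s that reached a T2 on each day, ordered by day."""
    active = defaultdict(set)
    for d, src, dst in flows:
        if src in c2s and dst in t2s:
            active[d].add(src)
    return {d: len(active[d]) for d in sorted(active)}

def flag_drops(counts, ratio=0.5):
    """Return days on which the active-C2 count fell to <= ratio of the prior day."""
    days = list(counts)
    return [d for prev, d in zip(days, days[1:]) if counts[d] <= ratio * counts[prev]]

if __name__ == "__main__":
    c2s, t2s = infer_tiers(FLOWS)
    counts = daily_active_c2(FLOWS, c2s, t2s)
    print("C2:", sorted(c2s), "T2:", sorted(t2s))
    print("active C2 per day:", counts, "drops on:", flag_drops(counts))
```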

By forcibly severing the communications between the malware’s tiers, Team Cymru has effectively disrupted the flow of C2 instructions. This deliberate action not only safeguards current victims but also preempts the compromise of future ones.

QakBot’s innovative utilization of victim infrastructure for T2 communication amplifies the detriment inflicted on the compromised entities, not only during the initial compromise but also by exposing them to potential reputational harm.

In essence, the emergence of these 15 new C2 servers signifies an ongoing arms race between cyber defenders and malicious actors. The adaptability and sophistication demonstrated by QakBot’s operators underscore the need for continued vigilance and collaboration within the cybersecurity community.
