An analysis of the “evasive and tenacious” malware known as QBot has revealed that 25% of its command-and-control (C2) servers are merely active for a single day.
What’s more, 50% of the servers don’t remain active for more than a week, indicating the use of an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News.
“This botnet has adapted techniques to conceal its infrastructure in residential IP space and infected web servers, as opposed to hiding in a network of hosted virtual private servers (VPSs),” security researchers Chris Formosa and Steve Rudd said.
QBot, also called QakBot and Pinkslipbot, is a persistent and potent threat that started off as a banking trojan before evolving into a downloader for other payloads, including ransomware. Its origins go back as far as 2007.
The malware arrives on victims’ devices via spear-phishing emails, which either directly incorporate lure files or contain embedded URLs that lead to decoy documents.
The threat actors behind QBot have continuously improved their tactics over the years to infiltrate victim systems using different methods such as email thread hijacking, HTML smuggling, and employing uncommon attachment types to slip past security barriers.
Another notable aspect of the operation is the modus operandi itself: QBot’s malspam campaigns play out in the form of bursts of intense activity followed by periods of little to no attacks, only to resurface with a revamped infection chain.
While phishing waves bearing QBot at the start of 2023 leveraged Microsoft OneNote as an intrusion vector, recent attacks have employed protected PDF files to install the malware on victim machines.
QakBot’s reliance on compromised web servers and hosts existing in the residential IP space for C2 translates to a brief lifespan, leading to a scenario where 70 to 90 new servers emerge over a seven-day period on average.
“Qakbot retains resiliency by repurposing victim machines into C2s,” the researchers said, adding it replenishes “the supply of C2s through bots that subsequently turn to C2s.”
According to data released by Team Cymru last month, a majority of Qakbot bot C2 servers are suspected to be compromised hosts that were purchased from a third-party broker, with most of them located in India as of March 2023.
Black Lotus Labs’ examination of the attack infrastructure has further revealed the presence of a backconnect server that turns a “significant number” of the infected bots into a proxy that can then be advertised for other malicious purposes.
“Qakbot has persevered by adopting a field-expedient approach to build and develop its architecture,” the researchers concluded.
“While it may not rely on sheer numbers like Emotet, it demonstrates technical craft by varying initial access methods and maintaining a resilient yet evasive residential C2 architecture.”