An analysis of the “evasive and tenacious” malware known as QBot has revealed that 25% of its command-and-control (C2) servers are merely active for a single day.
What’s more, 50% of the servers don’t remain active for more than a week, indicating the use of an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News.
“This botnet has adapted techniques to conceal its infrastructure in residential IP space and infected web servers, as opposed to hiding in a network of hosted virtual private servers (VPSs),” security researchers Chris Formosa and Steve Rudd said.
QBot, also called QakBot and Pinkslipbot, is a persistent and potent threat that started off as a banking trojan before evolving into a downloader for other payloads, including ransomware. Its origins go back as far as 2007.
The malware arrives on victims’ devices via spear-phishing emails, which either directly incorporate lure files or contain embedded URLs that lead to decoy documents.
The threat actors behind QBot have continuously improved their tactics over the years to infiltrate victim systems using different methods such as email thread hijacking, HTML smuggling, and employing uncommon attachment types to slip past security barriers.
Another notable aspect of the operation is the modus operandi itself: QBot’s malspam campaigns play out in the form of bursts of intense activity followed by periods of little to no attacks, only to resurface with a revamped infection chain.
While phishing waves bearing QBot at the start of 2023 leveraged Microsoft OneNote as an intrusion vector, recent attacks have employed protected PDF files to install the malware on victim machines.
QakBot’s reliance on compromised web servers and hosts existing in the residential IP space for C2 translates to a brief lifespan, leading to a scenario where 70 to 90 new servers emerge over a seven-day period on average.
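The short C2 lifespans and weekly churn described above are the kind of figures a defender derives from first-seen/last-seen tracking of indicators. The following is an added example, not code from the Black Lotus Labs report or The Hacker News: it computes the share of C2 hosts seen on only a single day, the share active for a week or less, the number of newly appearing hosts per seven-day window, and which indicators have gone stale for a blocklist refresh. The observations are constructed sample data in documentation IP ranges, not real QBot indicators, and the thresholds are assumptions chosen to match the article's framing.

```python
"""Lifespan and churn statistics for observed C2 hosts (added example).

Models the first-seen / last-seen tracking a defender keeps for C2
indicators and derives the figures the article quotes: share of servers
active for a single day, share active for a week or less, and new servers
per seven-day window. All data below is constructed, not real indicators.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class C2Observation:
    host: str          # IP or hostname of the suspected C2
    first_seen: date   # first day the host answered as a C2
    last_seen: date    # last day the host answered as a C2


# Constructed sample sightings using RFC 5737 documentation ranges.
SAMPLE_C2S: List[C2Observation] = [
    C2Observation("203.0.113.10", date(2023, 5, 1), date(2023, 5, 1)),
    C2Observation("203.0.113.11", date(2023, 5, 1), date(2023, 5, 1)),
    C2Observation("198.51.100.5", date(2023, 5, 2), date(2023, 5, 4)),
    C2Observation("198.51.100.6", date(2023, 5, 3), date(2023, 5, 9)),
    C2Observation("192.0.2.20", date(2023, 5, 1), date(2023, 5, 15)),
    C2Observation("192.0.2.21", date(2023, 5, 8), date(2023, 5, 20)),
    C2Observation("203.0.113.12", date(2023, 5, 10), date(2023, 5, 30)),
    C2Observation("198.51.100.7", date(2023, 5, 15), date(2023, 6, 14)),
]


def active_days(obs: C2Observation) -> int:
    """Calendar days the host was observed active, inclusive of both ends."""
    return (obs.last_seen - obs.first_seen).days + 1


def lifespan_shares(observations: List[C2Observation]) -> Dict[str, float]:
    """Fraction of hosts active for exactly one day and for seven days or less."""
    if not observations:
        raise ValueError("no observations to summarise")
    n = len(observations)
    one_day = sum(1 for o in observations if active_days(o) == 1)
    week_or_less = sum(1 for o in observations if active_days(o) <= 7)
    return {"one_day": one_day / n, "week_or_less": week_or_less / n}


def new_servers_per_week(observations: List[C2Observation]) -> List[int]:
    """Count hosts first seen in each seven-day window from the earliest sighting."""
    start = min(o.first_seen for o in observations)
    span_days = (max(o.first_seen for o in observations) - start).days
    counts = [0] * (span_days // 7 + 1)
    for o in observations:
        counts[(o.first_seen - start).days // 7] += 1
    return counts


def stale_indicators(observations: List[C2Observation], as_of: date,
                     max_age_days: int) -> List[str]:
    """Hosts not sighted within max_age_days of as_of; candidates to retire
    from a blocklist so that short-lived C2s do not accumulate as dead entries."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(o.host for o in observations if o.last_seen < cutoff)


if __name__ == "__main__":
    shares = lifespan_shares(SAMPLE_C2S)
    print(f"active one day only: {shares['one_day']:.0%}")
    print(f"active a week or less: {shares['week_or_less']:.0%}")
    print("new servers per week:", new_servers_per_week(SAMPLE_C2S))
    print("stale as of 2023-06-01 (7-day window):",
          stale_indicators(SAMPLE_C2S, date(2023, 6, 1), 7))
```

In practice the observations would be populated from a C2 tracker or threat feed rather than the inline list; the stale-indicator check is the piece worth automating, since with the churn the report describes a blocklist that is not aged out fills with hosts that stopped acting as C2s days earlier.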
“Qakbot retains resiliency by repurposing victim machines into C2s,” the researchers said, adding it replenishes “the supply of C2s through bots that subsequently turn to C2s.”
According to data released by Team Cymru last month, a majority of Qakbot bot C2 servers are suspected to be compromised hosts that were purchased from a third-party broker, with most of them located in India as of March 2023.
Black Lotus Labs’ examination of the attack infrastructure has further revealed the presence of a backconnect server that turns a “significant number” of the infected bots into a proxy that can then be advertised for other malicious purposes.
“Qakbot has persevered by adopting a field-expedient approach to build and develop its architecture,” the researchers concluded.
“While it may not rely on sheer numbers like Emotet, it demonstrates technical craft by varying initial access methods and maintaining a resilient yet evasive residential C2 architecture.”