Tam Cymru researchers have recently revealed noteworthy patterns and irregularities from their continuous monitoring of QakBot’s command and control infrastructure.
The researchers shared high-level insights into the findings, shedding light on emerging trends and unusual activities related to QakBot.
From victim-facing C2 servers, analyzing the outbound connections reveals Tier 2 infrastructure through communication patterns with common peers, often using a specific management port and maintaining prolonged ongoing interactions.
Typically, a specific management port is utilized for communication, and these interactions tend to persist for long durations in the majority of cases. The utilization of a dedicated management port ensures consistent and prolonged communication.
QakBot Malware C2 Infrastructure
By successfully identifying the Tier 2 (T2) management layer, researchers gain the ability to pinpoint the active victim-facing command and control (C2) servers through the analysis of connections established with this T2 layer.
Persistent communication over TCP/443 has been observed for several months between the command and control (C2) servers linked to Qakbot and two affiliate IDs, namely “Obama” and “BB,” with three upstream Russian Tier 2 (T2) servers.
This ongoing connection suggests a significant relationship between the identified campaigns and the specific T2 servers.
Russian IP addresses are commonly employed in advanced botnet networks because they provide a shield against non-Russian law enforcement agencies and researchers.
While this creates an oppositeness where recurring connections from diverse source IPs to Russian IP space appear suspicious or fascinating.
Experts have analyzed the C2 configuration data of QakBot campaigns in April 2023 and have verified that the Russian T2 servers upstream have not undergone any modifications.
Afterward, a thorough examination of all C2 servers was conducted to pinpoint the specific ones that established connections via TCP/443.
The upstream traffic from C2 servers showed a curious pattern as it was found in configurations associated with both campaigns:-
- Obama campaigns
- BB campaigns
This intriguing overlap suggests a potential connection between the two campaigns regarding their utilization of these servers.
During the specified timeframe, the Obama campaigns had five distinct IPs exclusively associated with them, while the BB campaign had only one unique IP.
Here below we have mentioned those IPs:-
Obama:
- 59.153.96.4
- 73.22.121.210
- 119.82.121.251
- 189.151.95.176
- 197.94.95.20
BB:
- 174.171.130.96
From 1 March to 8 May 2023, the traffic flows originating from the active C2 servers mentioned earlier were analyzed. These flows were then categorized based on the affiliate configurations in which they were found.
Overall, no clear separation is observed among the affiliates based on the upstream infrastructure used by their C2 servers for communication.
During two days, a particular C2 server associated with BB remained active. It primarily communicated with RU3, but it had one connection to RU2 on the first day.
Throughout the Obama campaigns, the C2 servers predominantly established communication with RU2 and RU3, showcasing their main points of contact. However, in early April, there were limited interactions with RU1.
RU2 and RU3 demonstrate similar patterns in their behavior, suggesting a level of consistency between them. On the other hand, RU1 deviates from this trend and follows a distinct pattern unique to itself.
IP Geolocation
In March, there was a shift in C2 activity with increased Indian and US IPs, a decrease in active C2 servers across different locations, and RU2 and RU3 receiving traffic from US and other North American C2 servers not seen with RU1.
RU1 primarily relied on hosts in India with limited diversity while occasionally connecting to C2 servers from the US and Czech Republic during February and March.
In February, CZ hosts communicated with all three T2s, while recently South African (ZA) hosts have started connecting with all three T2s.
Recommendations
- Make sure to use the listed IOCs to detect current QakBot infections and prevent future attacks.
- Identify Russian T2 servers by querying the IOC list and filtering for outbound connections to remote TCP/443 using Pure Signal Recon and Scout.
- Make sure to spin the inbound connections to Russian T2 servers to reveal evolving QakBot C2 infrastructure.
