
Evasive QBot Malware Leverages Short-lived Residential IPs for Dynamic Attacks

by crpt os


Jun 01, 2023 | Ravie Lakshmanan | Cyber Threat / Network Security

An analysis of the "evasive and tenacious" malware known as QBot has revealed that 25% of its command-and-control (C2) servers are active for only a single day.

What's more, 50% of the servers remain active for no more than a week, indicating an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News.

“This botnet has adapted techniques to conceal its infrastructure in residential IP space and infected web servers, as opposed to hiding in a network of hosted virtual private servers (VPSs),” security researchers Chris Formosa and Steve Rudd said.

QBot, also called QakBot and Pinkslipbot, is a persistent and potent threat that started off as a banking trojan before evolving into a downloader for other payloads, including ransomware. Its origins go back as far as 2007.

The malware arrives on victims’ devices via spear-phishing emails, which either directly incorporate lure files or contain embedded URLs that lead to decoy documents.

The threat actors behind QBot have continuously improved their tactics over the years to infiltrate victim systems using different methods such as email thread hijacking, HTML smuggling, and employing uncommon attachment types to slip past security barriers.

Another notable aspect of the operation is the modus operandi itself: QBot’s malspam campaigns play out in the form of bursts of intense activity followed by periods of little to no attacks, only to resurface with a revamped infection chain.

While phishing waves bearing QBot at the start of 2023 leveraged Microsoft OneNote as an intrusion vector, recent attacks have employed protected PDF files to install the malware on victim machines.

Because QakBot relies on compromised web servers and hosts in residential IP space for C2, individual servers have short lifespans, and on average 70 to 90 new servers appear over any seven-day period.
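The lifetime and churn figures above are the kind of statistics a defender can reproduce from their own telemetry. The following is an added example, not Black Lotus Labs' tooling or anything from the report: it takes a list of C2 sightings (IP, first seen, last seen), as might be exported from netflow or proxy logs matched against an indicator feed, and computes the share of servers that lived at most one day or one week, the median lifetime, and the number of new servers per seven-day window. The sightings are constructed and use RFC 5737 documentation addresses, not real QBot infrastructure.

```python
from datetime import date

# Constructed sightings: (ip, first_seen, last_seen). These are documentation
# addresses (RFC 5737), not real QBot C2s; the dates are invented.
SIGHTINGS = [
    ("192.0.2.10",   "2023-03-01", "2023-03-01"),
    ("192.0.2.11",   "2023-03-02", "2023-03-02"),
    ("192.0.2.12",   "2023-03-03", "2023-03-05"),
    ("192.0.2.13",   "2023-03-04", "2023-03-07"),
    ("192.0.2.14",   "2023-03-08", "2023-03-20"),
    ("192.0.2.15",   "2023-03-09", "2023-03-09"),
    ("192.0.2.16",   "2023-03-10", "2023-03-15"),
    ("198.51.100.7", "2023-03-16", "2023-03-31"),
]


def lifetime_days(first_seen: str, last_seen: str) -> int:
    """Inclusive number of calendar days a C2 was observed active."""
    first, last = date.fromisoformat(first_seen), date.fromisoformat(last_seen)
    if last < first:
        raise ValueError(f"last_seen {last_seen} precedes first_seen {first_seen}")
    return (last - first).days + 1


def lifetime_share(sightings, max_days: int) -> float:
    """Fraction of C2 servers whose observed lifetime is at most max_days."""
    lifetimes = [lifetime_days(f, l) for _, f, l in sightings]
    return sum(1 for d in lifetimes if d <= max_days) / len(lifetimes)


def median_lifetime(sightings) -> float:
    """Median observed lifetime in days."""
    lifetimes = sorted(lifetime_days(f, l) for _, f, l in sightings)
    n, mid = len(lifetimes), len(lifetimes) // 2
    return lifetimes[mid] if n % 2 else (lifetimes[mid - 1] + lifetimes[mid]) / 2


def new_servers_per_window(sightings, window_days: int = 7) -> list:
    """Count of C2s first seen in each consecutive window of window_days,
    starting at the earliest first_seen. This is the churn rate the report
    describes as new servers per seven-day period."""
    firsts = sorted(date.fromisoformat(f) for _, f, _ in sightings)
    start = firsts[0]
    n_windows = (firsts[-1] - start).days // window_days + 1
    counts = [0] * n_windows
    for d in firsts:
        counts[(d - start).days // window_days] += 1
    return counts


def short_lived(sightings, max_days: int = 1) -> list:
    """IPs active for at most max_days. With this much churn, these are the
    entries to expire from a blocklist rather than keep as stale indicators."""
    return [ip for ip, f, l in sightings if lifetime_days(f, l) <= max_days]


if __name__ == "__main__":
    print(f"share active <= 1 day:  {lifetime_share(SIGHTINGS, 1):.0%}")
    print(f"share active <= 7 days: {lifetime_share(SIGHTINGS, 7):.0%}")
    print(f"median lifetime (days): {median_lifetime(SIGHTINGS)}")
    print(f"new C2s per 7-day window: {new_servers_per_window(SIGHTINGS)}")
    print(f"one-day C2s: {short_lived(SIGHTINGS, 1)}")
```

The practical point of tracking first-seen and last-seen per indicator is blocklist hygiene: when a quarter of C2s live a single day, a static IP blocklist is mostly stale within a week, so indicators should carry an expiry, and detection is better keyed on behaviour (the bot-to-C2 traffic pattern, the backconnect proxy use described below) than on any fixed set of addresses.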


“Qakbot retains resiliency by repurposing victim machines into C2s,” the researchers said, adding it replenishes “the supply of C2s through bots that subsequently turn to C2s.”

According to data released by Team Cymru last month, a majority of Qakbot C2 servers are suspected to be compromised hosts purchased from a third-party broker, most of them located in India as of March 2023.

Black Lotus Labs’ examination of the attack infrastructure has further revealed the presence of a backconnect server that turns a “significant number” of the infected bots into a proxy that can then be advertised for other malicious purposes.

“Qakbot has persevered by adopting a field-expedient approach to build and develop its architecture,” the researchers concluded.

“While it may not rely on sheer numbers like Emotet, it demonstrates technical craft by varying initial access methods and maintaining a resilient yet evasive residential C2 architecture.”
