New research on the Qakbot malware network shows that there is a high level of turnover in the bots in the network over time and that the lifespan of any given bot or C2 server is typically quite short, usually only a few days.
In malware terms, Qakbot is ancient. It has been active since 2007 and has evolved significantly in that time. It started as a conventional banking trojan and has morphed into a malware delivery platform and ransomware network. As defenses have changed and improved in recent years, the Qakbot operators have responded, changing their tactics, delivery methods, and the type of malicious attachments they use in their spam emails. The biggest recent shift was moving away from macro-laden attachments to Microsoft OneNote files at the beginning of 2023. There have been major spikes in Qakbot activity in the last couple of months, which is not unusual for a network that is highly cyclical in nature.
One of the key characteristics of the Qakbot network is that although the spam runs and intrusions often target enterprise users, many of the C2 nodes are located on consumer machines.
“The threat actors elect to hide their C2s in compromised web servers and hosts existing in the residential IP space – essentially those addresses in the ISP-issued dynamic IP range – instead of using a hosted VPS. Persistence in these C2s can be difficult to maintain over time, and we noticed that the lifespan of C2s was brief; however, they continually replenished their numbers. Over a given seven-day period, we could see between 70-90 new C2s emerge during the botnet spamming cycle,” researchers at Lumen’s Black Lotus Labs said in a new report.
“As we studied the lifespan of individual bots and C2s, our telemetry revealed the botnet operators were able to maintain their numbers. After the first day of an infection, a bot transmits about half of all the data it will ever send to a C2. By day seven, the number gets close to 90%. This indicates that, once a victim is infected, the operators get what they need posthaste, loading additional malware at will. The actors can then use the bot for other nefarious purposes or sell it off to other actors.”
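The two findings quoted above, short C2 lifespans with a steady supply of new ones, and bots sending half their lifetime traffic on day one and roughly 90% by day seven, are the kind of figures a defender can derive from their own flow telemetry rather than take on trust. The Python below is an added example and is not Black Lotus Labs' code; the flow records, bot identifiers and C2 addresses (drawn from the 203.0.113.0/24 documentation range) are constructed to illustrate the calculations, and the function names are the author's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, bot_id, c2_address, bytes_sent).
# Bot IDs, addresses and byte counts are invented for this example and
# are not indicators from the report.
FLOWS = [
    ("2023-05-01T08:00:00", "bot-a", "203.0.113.10", 4000),
    ("2023-05-01T20:00:00", "bot-a", "203.0.113.10", 1000),
    ("2023-05-03T09:00:00", "bot-a", "203.0.113.10", 2000),
    ("2023-05-06T09:00:00", "bot-a", "203.0.113.11", 2000),
    ("2023-05-15T09:00:00", "bot-a", "203.0.113.12", 1000),
    ("2023-05-02T10:00:00", "bot-b", "203.0.113.11", 5000),
    ("2023-05-04T10:00:00", "bot-b", "203.0.113.11", 3000),
    ("2023-05-09T10:00:00", "bot-b", "203.0.113.12", 2000),
]


def parse(flows):
    """Convert ISO timestamps to datetime objects; other fields pass through."""
    return [(datetime.fromisoformat(ts), bot, c2, n) for ts, bot, c2, n in flows]


def c2_lifespans(flows):
    """Return {c2: (first_seen, last_seen, lifespan_in_whole_days)}.

    A C2 address's lifespan is the gap between the first and last flow
    that any bot sent to it.
    """
    first, last = {}, {}
    for ts, _, c2, _ in parse(flows):
        first[c2] = min(first.get(c2, ts), ts)
        last[c2] = max(last.get(c2, ts), ts)
    return {c2: (first[c2], last[c2], (last[c2] - first[c2]).days) for c2 in first}


def new_c2s_per_window(flows, window_days=7):
    """Count C2 addresses whose first sighting falls in each consecutive window.

    Window 0 starts at the earliest flow in the dataset. This is the
    "new C2s per seven-day period" figure the report describes.
    """
    spans = c2_lifespans(flows)
    start = min(first for first, _, _ in spans.values())
    counts = defaultdict(int)
    for first, _, _ in spans.values():
        counts[(first - start).days // window_days] += 1
    return dict(counts)


def cumulative_fraction_by_day(flows, bot, days=(1, 7)):
    """Fraction of a bot's total C2 traffic sent within N days of first contact.

    Day 0 is the bot's first observed flow; a flow counts toward day N if
    it occurred strictly before first_contact + N days.
    """
    recs = sorted((ts, n) for ts, b, _, n in parse(flows) if b == bot)
    if not recs:
        return {}
    t0 = recs[0][0]
    total = sum(n for _, n in recs)
    return {
        d: sum(n for ts, n in recs if ts < t0 + timedelta(days=d)) / total
        for d in days
    }


if __name__ == "__main__":
    for c2, (first, last, span) in sorted(c2_lifespans(FLOWS).items()):
        print(f"{c2}: {first.date()} to {last.date()} ({span} days)")
    print("new C2s per 7-day window:", new_c2s_per_window(FLOWS))
    for bot in ("bot-a", "bot-b"):
        print(bot, cumulative_fraction_by_day(FLOWS, bot))
```

On real telemetry the interesting part is not the arithmetic but what the distributions reveal: a C2 population whose members mostly live a few days, yet whose count never drops, is the replenishment pattern the report describes, and a bot that has already shipped most of its lifetime traffic by day one is a reminder that detection which only fires on sustained beaconing arrives late.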
The operators of Qakbot have proven resilient and agile, changing their techniques as needed. One of their key moves is rotating their C2s quite often and sometimes converting infected machines into C2 nodes. This allows them to evade some enterprise detection methods and efforts by hosting providers to take down C2 servers. The Qakbot network uses a tiered C2 architecture, with the first level of C2s being the converted bot machines, and the second level being servers, often hosted at VPS providers in Russia. “In addition to the C2s and the Tier 2 C2s, Black Lotus Labs observes a separate server -- likely a backconnect server -- in the Qakbot architecture. We discovered that several hours after a bot became infected, a significant number of them began reaching out to this backconnect server. This server only interacts with the bots and not the higher-tier architecture. While its complete functionality is currently unknown, it is often seen turning bots into proxies that can be used or sold for different purposes,” the researchers said. “We see other interesting behavior after bots interact with this server. It is not uncommon to see a bot connect to the backconnect server, then a day or two later reach out to a Tier 2 C2.”
Qakbot is among the more resilient and persistent malware networks in operation and its operators have shown the ability to modify their tactics as needed.