Visualizing Qakbot Infrastructure Part II: Uncharted Territory

Team Cymru’s NetFlow analysis of QakBot from 1 May to 20 July 2023 shows a marked reduction in traffic from the victim-facing bot C2s to the upstream Tier-2 (T2) servers before spamming stopped around 22 June, while the T2 servers themselves kept making low-volume outbound connections to both previously reported and previously unidentified C2 hosts. The researchers link those outbound connections, observed over a consistent set of 32 destination ports, to QakBot’s proxy-module workflow, and note that the compromised hosts used as C2s and as T2 destinations are often in residential IP space and in ASes such as Comcast. #QakBot #BlackLotusLabs

Keypoints

  • C2→T2 communication volume declined in late May and dropped sharply ahead of spamming ceasing ~22 June, though some upstream traffic persisted at lower volumes.
  • Fifteen new bot C2 IPs were observed after spamming ended; only eight pre-existing C2s continued upstream T2 communication past 22 June.
  • Upstream T2 servers (RU1/RU2/RU3) made outbound connections to many destination IPs over a consistent set of 32 ports, matching ports implicated in QakBot’s proxy-module deployment.
  • Port 443 dominated victim→C2 upstream traffic (≈48% overall, ≈80% among C2s that spoke to T2), but outbound T2 connections used the 32 ports at roughly equal frequency.
  • Most T2 destination IPs (~71%) were not previously reported as malicious, though a subset exhibited typical upstream C2 traffic; many identified hosts are in residential IP space and associated with ASes such as Comcast.
  • Timing and volume patterns suggest a mix of automation (port selection) and operator-driven or event-driven activity for the outbound T2 connections rather than straightforward periodic check-ins.
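The pivot the keypoints describe, from known upstream T2 servers out to their destinations, can be reproduced on ordinary NetFlow records. The following is an added example written for this summary, not code from the Team Cymru write-up. It uses the T2 and C2 IPs and the destination ports named on this page; the flow records are constructed (the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation ranges, and port 2222 is a made-up non-443 C2 port), the 32-port set is represented only by the ports the page lists, and `KNOWN_C2` stands in for whatever reported-C2 list an analyst would have locally. It computes the port-443 share of victim→C2 traffic, contrasts it with the near-uniform port mix of T2 outbound connections, and flags T2 destinations that are not on the known-C2 list.

```python
"""Pivot NetFlow-style records around known QakBot upstream (T2) servers.

Added example; not code from the Team Cymru post. Shape of the analysis:
  1. victim -> bot C2: how dominant is port 443?
  2. T2 -> destinations: which destinations are unreported, and is the
     destination-port mix near-uniform (automated selection) rather than
     443-dominated like the victim-facing traffic?
"""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

# Upstream T2 servers named on the page.
T2_SERVERS = {"188.127.231.177", "62.204.41.187"}

# Only the destination ports the page names; the full 32-port set is not listed.
PROXY_MODULE_PORTS = {20, 21, 22, 53, 80, 443, 3389, 50000, 61200}

# Assumption: a local list of reported C2s (the two new C2 IPs named on the page).
KNOWN_C2 = {"73.32.187.91", "81.20.248.72"}

# Constructed flow records: "src dst dport flow_count" per line.
SAMPLE_FLOWS = """
# victim -> bot C2 (192.0.2.x = documentation range; 2222 is a constructed port)
192.0.2.10      73.32.187.91     443   40
192.0.2.11      73.32.187.91     443   40
192.0.2.12      81.20.248.72     2222  20
# bot C2 -> upstream T2
73.32.187.91    188.127.231.177  443   5
81.20.248.72    62.204.41.187    443   3
# T2 -> outbound destinations over the proxy-module port set
188.127.231.177 73.32.187.91     80    2
188.127.231.177 198.51.100.7     22    2
62.204.41.187   198.51.100.7     53    2
62.204.41.187   203.0.113.9      3389  2
188.127.231.177 203.0.113.9      50000 2
62.204.41.187   198.51.100.7     61200 2
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flows: int  # NetFlow record count for this src/dst/port tuple


def parse_flows(text):
    """Parse whitespace-separated 'src dst dport count' lines; skip blanks and comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, n = line.split()
        out.append(Flow(src, dst, int(dport), int(n)))
    return out


def port_share(flows, port=443):
    """Fraction of flow records (by count) whose destination port is `port`."""
    total = sum(f.flows for f in flows)
    return sum(f.flows for f in flows if f.dport == port) / total if total else 0.0


def port_uniformity(flows, ports=PROXY_MODULE_PORTS):
    """min/max of per-port flow counts over the ports actually observed in `ports`.
    1.0 means every observed port was used equally often; near 0 means one port dominates."""
    counts = Counter()
    for f in flows:
        if f.dport in ports:
            counts[f.dport] += f.flows
    return min(counts.values()) / max(counts.values()) if counts else 0.0


def t2_pivots(flows, t2=T2_SERVERS, known=KNOWN_C2):
    """Group outbound T2 connections by destination and mark whether it was already reported."""
    by_dst = defaultdict(list)
    for f in flows:
        if f.src in t2:
            by_dst[f.dst].append(f)
    return {
        dst: {
            "reported": dst in known,
            "ports": sorted({f.dport for f in fs}),
            "flows": sum(f.flows for f in fs),
        }
        for dst, fs in by_dst.items()
    }


def summarize(text):
    """Run the three measurements over a block of flow records."""
    flows = parse_flows(text)
    victim_c2 = [f for f in flows if f.dst in KNOWN_C2 and f.src not in T2_SERVERS]
    t2_outbound = [f for f in flows if f.src in T2_SERVERS]
    pivots = t2_pivots(flows)
    return {
        "victim_c2_443_share": port_share(victim_c2),
        "t2_outbound_443_share": port_share(t2_outbound),
        "t2_port_uniformity": port_uniformity(t2_outbound),
        "pivots": pivots,
        "unreported_destinations": sorted(d for d, v in pivots.items() if not v["reported"]),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_FLOWS), indent=2))
```

On the constructed records the victim→C2 traffic is 80% port 443 while the T2 outbound flows use none of it and spread evenly over the observed ports, which is the contrast the keypoints draw; the two destinations absent from `KNOWN_C2` are the candidates an analyst would then check for upstream-C2-style traffic of their own before calling them new infrastructure, since a compromised residential host can appear as a T2 destination without being a C2.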

MITRE Techniques

  • [T1071.001] Web Protocols – C2 communications over standard web ports; the mapping is inferred from port 443 alone, since NetFlow shows no payload or protocol; (‘Port 443 dominated victim→C2 upstream traffic (≈48% overall, ≈80% among C2s that spoke to T2)’).
  • [T1090] Proxy – Compromised hosts used as relays for outbound C2/T2 traffic via QakBot’s proxy module; (‘proxy-module workflow’ and ‘proxy-module deployment’).
  • [T1566] Phishing – Spam campaigns used to deliver QakBot; (‘spamming ceased ~22 June’).

Indicators of Compromise

  • [IP addresses] RU upstream T2 servers – 188.127.231.177, 62.204.41.187 (primary T2 hosts identified in the analysis)
  • [IP addresses] Example new bot C2s established after spamming ceased – 73.32.187.91, 81.20.248.72, and other new C2 IPs observed
  • [Ports] Destination ports used by outbound T2 connections (proxy-module related) – a consistent set of 32 ports, of which the analysis names 20, 21, 22, 53, 80, 443, 3389, 50000 and 61200; the remaining ports in the set are not listed here
  • [Affiliate ID] Observed affiliate identifier in last spam wave – obama271 (linked to last-day spamming spikes)

Read more: https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory