Wednesday, April 17, 2024

Researchers Uncovered Notorious QakBot Malware C2 Infrastructure

Team Cymru researchers have recently revealed noteworthy patterns and irregularities from their continuous monitoring of QakBot's command and control (C2) infrastructure.

The researchers shared high-level insights into the findings, shedding light on emerging trends and unusual activities related to QakBot.

Starting from the victim-facing C2 servers and analyzing their outbound connections reveals the Tier 2 infrastructure: the C2 servers share common upstream peers, reach them on a specific management port, and keep those sessions alive for long periods.

In the majority of cases a single dedicated management port is used and the connections persist for long durations, so the combination of that port and the sustained session is a consistent marker of the upstream management traffic.

QakBot Malware C2 Infrastructure

Once the Tier 2 (T2) management layer has been identified, researchers can pinpoint the active victim-facing command and control (C2) servers by analyzing which hosts establish connections with that T2 layer.

Persistent communication over TCP/443 has been observed for several months between the command and control (C2) servers linked to QakBot and two affiliate IDs, namely "Obama" and "BB," with three upstream Russian Tier 2 (T2) servers.

This ongoing connection suggests a significant relationship between the identified campaigns and the specific T2 servers.

Russian IP addresses are commonly used in mature botnets because they shield the operators from non-Russian law enforcement agencies and researchers.

This creates a paradox, however: recurring connections from a diverse set of source IPs into Russian IP space stand out as suspicious, or, from a researcher's point of view, as interesting.

Experts have analyzed the C2 configuration data of QakBot campaigns in April 2023 and have verified that the Russian T2 servers upstream have not undergone any modifications.

Afterward, a thorough examination of all C2 servers was conducted to pinpoint the specific ones that established connections via TCP/443.

The upstream traffic from the C2 servers showed a curious pattern, since the same upstream servers were found in configurations associated with both campaigns:

  • Obama campaigns
  • BB campaigns

This intriguing overlap suggests a potential connection between the two campaigns regarding their utilization of these servers.

During the specified timeframe, the Obama campaigns had five distinct IPs exclusively associated with them, while the BB campaign had only one unique IP.

Here below we have mentioned those IPs:

From 1 March to 8 May 2023, the traffic flows originating from the active C2 servers mentioned earlier were analyzed. These flows were then categorized based on the affiliate configurations in which they were found.

Overall, no clear separation is observed among the affiliates based on the upstream infrastructure used by their C2 servers for communication.

Over a two-day period, a particular C2 server associated with BB remained active. It primarily communicated with RU3, but it had one connection to RU2 on the first day.

Throughout the Obama campaigns, the C2 servers predominantly established communication with RU2 and RU3, showcasing their main points of contact. However, in early April, there were limited interactions with RU1.

RU2 and RU3 demonstrate similar patterns in their behavior, suggesting a level of consistency between them. On the other hand, RU1 deviates from this trend and follows a distinct pattern unique to itself.

IP Geolocation

In March there was a shift in C2 activity: Indian and US IPs increased, the number of active C2 servers in other locations decreased, and RU2 and RU3 received traffic from US and other North American C2 servers that was not seen with RU1.

RU1 primarily relied on hosts in India with limited diversity while occasionally connecting to C2 servers from the US and Czech Republic during February and March.

In February, CZ hosts communicated with all three T2s, while recently South African (ZA) hosts have started connecting with all three T2s.

Here below we have mentioned all the recommendations offered by the cybersecurity experts:

  • Make sure to use the listed IOCs to detect current QakBot infections and prevent future attacks.
  • Identify Russian T2 servers by querying the IOC list and filtering for outbound connections to remote TCP/443 using Pure Signal Recon and Scout.
  • Pivot on the inbound connections to the Russian T2 servers to reveal evolving QakBot C2 infrastructure.
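The two-step pivot described above (common-peer and persistence analysis from known C2 servers to find the T2 management layer, then inbound connections to that T2 layer to find new C2 servers) as an added Python example; this is not Team Cymru's code, the flow records are constructed, and the IP addresses are documentation-range placeholders, not real indicators.

```python
# Added example (not Team Cymru's code or tooling): the T2-discovery heuristic
# from the write-up, run over constructed flow records with placeholder IPs.
from collections import defaultdict
from datetime import date

# Constructed flow records: (day, src_ip, dst_ip, dst_port). The 198.51.100.x
# hosts stand in for victim-facing QakBot C2 servers, 203.0.113.x for their
# upstream peers. None of these are real indicators.
FLOWS = [
    (date(2023, 3, 1), "198.51.100.10", "203.0.113.5", 443),
    (date(2023, 3, 2), "198.51.100.10", "203.0.113.5", 443),
    (date(2023, 3, 3), "198.51.100.10", "203.0.113.6", 443),
    (date(2023, 3, 1), "198.51.100.20", "203.0.113.5", 443),
    (date(2023, 3, 2), "198.51.100.20", "203.0.113.6", 443),
    (date(2023, 3, 3), "198.51.100.20", "203.0.113.6", 443),
    (date(2023, 3, 1), "198.51.100.30", "203.0.113.6", 443),
    (date(2023, 3, 1), "198.51.100.30", "192.0.2.77", 80),    # one-off, not the mgmt port
    (date(2023, 3, 2), "198.51.100.30", "203.0.113.5", 443),
    (date(2023, 3, 4), "198.51.100.99", "203.0.113.5", 443),  # not yet a known C2
]
KNOWN_C2 = {"198.51.100.10", "198.51.100.20", "198.51.100.30"}
MGMT_PORT = 443  # TCP/443 is the management port reported in the write-up


def find_t2(flows, known_c2, port=MGMT_PORT, min_c2=2, min_days=2):
    """Candidate T2 = a peer that several known C2 servers talk to on the
    management port, on several distinct days (common peer + persistence)."""
    peers = defaultdict(lambda: (set(), set()))  # dst -> (c2 sources, days seen)
    for day, src, dst, dport in flows:
        if src in known_c2 and dport == port:
            peers[dst][0].add(src)
            peers[dst][1].add(day)
    return sorted(dst for dst, (c2s, days) in peers.items()
                  if len(c2s) >= min_c2 and len(days) >= min_days)


def pivot_to_c2(flows, t2_set, known_c2, port=MGMT_PORT):
    """Reverse pivot: any source connecting inbound to a T2 on the management
    port that is not already a known C2 is a candidate new C2 server."""
    return sorted({src for _, src, dst, dport in flows
                   if dst in t2_set and dport == port and src not in known_c2})


if __name__ == "__main__":
    t2 = find_t2(FLOWS, KNOWN_C2)
    print("candidate T2:", t2)
    print("candidate new C2:", pivot_to_c2(FLOWS, t2, KNOWN_C2))
```

Raising `min_days` models the "prolonged interaction" requirement more strictly; a peer seen on only one or two days drops out of the T2 candidate list.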


Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.