Fifteen new command-and-control servers have been established by QBot malware, also known as QakBot,
by late June in a bid to strengthen its attack infrastructure, The Hacker News
QBot, which leverages a tiered C2 network infrastructure facilitating outbound communications between C2 nodes and Tier 2 C2 nodes, had a significant decline in actively communicating C2s in early June, with U.S.-based C2s nearly disappearing, following null-routing efforts by Black Lotus Labs in May, according to a Team Cymru report.
However, continued activity in July was identified for six active QBot C2 servers established before June and two others that began activity in June. Moreover, spikes in inbound bot C2 connections were found to correlate with elevated outbound T2 connections, while bot C2 activity was found to often decrease as outbound T2 connections spiked.
"In elevating victims to be used as C2 infrastructure with T2 communication, QakBot effectively punishes users twice, first in the initial compromise, and second in the potential risk to reputation of a host being identified publicly as malicious," said Team Cymru.