QBot malware, also known as QakBot and Pinkslipbot, has been leveraging an adaptable command-and-control (C2) infrastructure: half of its servers are active for only a week, and a quarter for only a day, according to The Hacker News.
QBot has hidden its C2 infrastructure behind residential IPs and compromised web servers rather than virtual private servers, according to a report by Lumen Black Lotus Labs researchers Steve Rudd and Chris Formosa. The report also found that QBot turns some infected bots into proxies by way of a backconnect server.
Beyond upgrading its infrastructure, QBot has also expanded its tactics to include HTML smuggling and email thread takeovers.
"Qakbot has persevered by adopting a field-expedient approach to build and develop its architecture. While it may not rely on sheer numbers like Emotet, it demonstrates technical craft by varying initial access methods and maintaining a resilient yet evasive residential C2 architecture," said researchers.
Organizations in the government, real estate, telecommunications, retail, and other sectors across the U.S., Africa, and the Middle East have been subjected to intrusions under the new CL-STA-0002 threat cluster.