QBot malware, also known as QakBot and Pinkslipbot, has been leveraging an adaptable command-and-control infrastructure, with half of its servers only active for a week and a quarter only active for a day, according to The Hacker News.
According to a report by Lumen Black Lotus Labs researchers Steve Rudd and Chris Formosa, QBot hides its C2 infrastructure behind residential IP addresses and compromised web servers rather than virtual private servers. QBot also turns a number of infected bots into proxies with the use of a backconnect server.
Aside from upgrading its infrastructure, QBot has also expanded its tactics to include HTML smuggling and email thread hijacking.
"Qakbot has persevered by adopting a field-expedient approach to build and develop its architecture. While it may not rely on sheer numbers like Emotet, it demonstrates technical craft by varying initial access methods and maintaining a resilient yet evasive residential C2 architecture," said researchers.