Microsoft did a good job slowing down malware distribution last year when it finally blocked macros from running in Office files downloaded from the open internet. But when it comes to the dreaded Qbot malware, the block was only a minor setback.
The newest research from Black Lotus Labs, based on telemetry from Lumen’s global IP backbone, shows Qbot’s operators were quick to adapt, changing not just their distribution and deployment methods, but also command & control servers (C2).
All things considered, Qbot is no less of a threat now than it was back when macro-laden Office files were the talk of the town.
“Qakbot has persevered by adopting a field-expedient approach to build and develop its architecture,” the report states. “While it may not rely on sheer numbers like Emotet, it demonstrates technical craft by varying initial access methods and maintaining a resilient yet evasive residential C2 architecture.”
When Microsoft made the major macro change, Qbot’s operators laid low for a few months, only to re-emerge at the start of 2023 with new distribution methods. Those include malicious OneNote files, Mark of the Web evasion techniques, as well as HTML smuggling.
The group has also changed how it manages C2 servers. Nowadays, they keep them hidden in compromised web servers and host in an existing residential IP space (as opposed to a hosted VPS).
As it’s hard to persist on these endpoints, the servers don’t stick around for long. However, their strength is in the numbers, as up to 90 new C2s are brought up every week, during the botnet spam cycle.
Furthemore, the operators are able to bolster their C2 numbers by turning bots into servers. This is essential to the operation, the researchers say, as 25% of C2 are active for only a day, and 50% don’t last longer than a week.
All things considered, it’s safe to assume Qbot is going to be around for a long time, the researchers conclude: “There are currently no signs of Qakbot slowing down,” they say.
Via: The Register