Updated: Jul 20
A Data-Driven Approach based on Analysis of Network Telemetry
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
This blog represents an ongoing piece of research; our analysis of QakBot is fluid, with various hypotheses being identified and tested. As and when we uncover new insights into QakBot campaigns, we will provide further written updates.
We are not going to go over the entire history and functionality of Qakbot, as there are numerous well-written reports on the subject. However, a couple of details relevant to this analysis are worth mentioning.
Qakbot campaigns are tracked by the threat actors via affiliate IDs that are included in the malware configurations; at present the most active are “Obama” and “BB”.
Whilst each malware configuration includes a list of around 100 to 150 potential C2s, only a fraction are actually used for bot communications.
Refill your coffee and get comfortable, things are about to get data heavy.
QakBot C2 servers are not separated by affiliate ID.
QakBot C2 servers from older configurations continue to communicate with upstream C2 servers months after being used in campaigns.
Identification of three upstream C2 servers located in Russia, two of which behave similarly based on network telemetry patterns and the geolocations of the bot C2s communicating with them.
When one upstream C2 server goes down for a period of time, other upstream C2 servers see a spike in C2 traffic volume.
The majority of Qakbot bot C2 servers are likely compromised hosts that were purchased from a third party. Based on our data, most of these compromised hosts are located in India.
Active C2 Servers
By analyzing outbound connections from known victim-facing C2 servers, we are able to determine upstream management (Tier 2) infrastructure based on communications with common peers. In most cases a particular management port is utilized and generally communications are ‘ongoing’ for extended periods.
Once this Tier 2 (T2) management layer is identified, we are able to further determine which victim-facing C2 servers are currently active, based on the observation of connections to this T2 layer.
This is a family agnostic process, not limited to QakBot C2 infrastructure.
In the case of Qakbot, C2 servers from campaigns associated with the affiliate IDs “Obama” and “BB” have been communicating with the same three upstream Russian T2 servers over TCP/443 for months.
Russian IP space is often used in higher tiers of botnet infrastructure due to the protection it offers against (non-Russian) law enforcement (LEA) activity and researcher visibility. It is a bit of a catch-22, however, since repeated outbound connections to Russian IP space from source IPs located in various random countries tend to stand out as anomalous, or at least of interest.
Using C2 configuration data from April 2023 QakBot campaigns, we confirmed that the upstream Russian T2 servers remained unchanged. We then sifted through all of the C2 servers to identify those that connected to them over TCP/443. Interestingly, most of the C2 servers with this upstream traffic were listed in configurations from both Obama and BB campaigns. Five IPs were unique to Obama campaigns, and only one was unique to BB within this timeframe (specifically BB23 with campaign ID 1681114726).
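The two steps described above, inferring the T2 layer as the common upstream peers of known C2 servers and then reading current C2 activity off connections to that layer, together with the split of active C2s by the affiliate configurations they appeared in, can be worked through on flow records. The script below is an added example and not Team Cymru's own tooling; every IP address is a constructed RFC 5737 documentation address, the flow records and configuration membership are constructed, and the thresholds (`min_peers`, `min_days`) are assumptions chosen for the sample data.

```python
"""Added example (not Team Cymru's code): infer upstream Tier 2 (T2) management
servers as the common peers of known victim-facing C2 servers, list which C2s
are currently active from their connections to that layer, and split them by
affiliate configuration. All IPs are constructed RFC 5737 documentation
addresses, not real QakBot infrastructure."""
from collections import defaultdict
from datetime import date

# Constructed: victim-facing C2 IPs taken from decoded malware configurations.
KNOWN_C2S = {"203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"}

# Constructed: which April configuration each C2 appeared in, by affiliate ID.
CONFIGS = {"Obama": {"203.0.113.10", "203.0.113.11", "203.0.113.12"},
           "BB": {"203.0.113.10", "203.0.113.11", "203.0.113.13"}}

# Constructed outbound flow records from those C2s: (day, src_ip, dst_ip, dst_port).
FLOWS = [
    (date(2023, 4, 3), "203.0.113.10", "192.0.2.1", 443),
    (date(2023, 4, 3), "203.0.113.11", "192.0.2.1", 443),
    (date(2023, 4, 3), "203.0.113.12", "192.0.2.1", 443),
    (date(2023, 4, 3), "203.0.113.10", "192.0.2.2", 443),
    (date(2023, 4, 3), "203.0.113.11", "192.0.2.2", 443),
    (date(2023, 4, 3), "203.0.113.13", "192.0.2.2", 443),
    (date(2023, 4, 3), "203.0.113.10", "198.51.100.5", 80),   # one-off, unrelated
    (date(2023, 4, 4), "203.0.113.10", "192.0.2.1", 443),
    (date(2023, 4, 4), "203.0.113.11", "192.0.2.1", 443),
    (date(2023, 4, 4), "203.0.113.12", "192.0.2.1", 443),
    (date(2023, 4, 4), "203.0.113.12", "192.0.2.2", 443),
    (date(2023, 4, 4), "203.0.113.13", "192.0.2.2", 443),
    (date(2023, 4, 4), "203.0.113.11", "198.51.100.6", 443),  # recurring, but one peer
    (date(2023, 4, 5), "203.0.113.10", "192.0.2.1", 443),
    (date(2023, 4, 5), "203.0.113.11", "192.0.2.2", 443),
    (date(2023, 4, 5), "203.0.113.13", "192.0.2.2", 443),
    (date(2023, 4, 5), "203.0.113.11", "198.51.100.6", 443),
]


def infer_t2(flows, known_c2s, min_peers=3, min_days=2):
    """Return {(dst_ip, dst_port): (distinct C2 peers, distinct days)} for every
    destination contacted by at least min_peers known C2s on at least min_days
    distinct days. A shared legitimate service (CDN, NTP, OS update mirror)
    can also pass this filter, so candidates still need analyst review."""
    peers = defaultdict(set)
    days = defaultdict(set)
    for day, src, dst, port in flows:
        if src not in known_c2s:        # ignore flows not sourced from known C2s
            continue
        peers[(dst, port)].add(src)
        days[(dst, port)].add(day)
    return {key: (len(peers[key]), len(days[key]))
            for key in peers
            if len(peers[key]) >= min_peers and len(days[key]) >= min_days}


def active_c2s(flows, t2_layer, since):
    """C2 source IPs seen connecting to any inferred T2 on or after `since`."""
    return {src for day, src, dst, port in flows
            if (dst, port) in t2_layer and day >= since}


def affiliate_split(active, configs):
    """Partition active C2s into those listed by both affiliates and those unique to one."""
    obama, bb = configs["Obama"], configs["BB"]
    return {"both": active & obama & bb,
            "Obama only": active & (obama - bb),
            "BB only": active & (bb - obama)}


if __name__ == "__main__":
    t2 = infer_t2(FLOWS, KNOWN_C2S)
    for (ip, port), (n_peers, n_days) in sorted(t2.items()):
        print(f"T2 candidate {ip}:{port} - {n_peers} C2 peers over {n_days} days")
    current = active_c2s(FLOWS, t2, date(2023, 4, 5))
    print("active on/after 2023-04-05:", sorted(current))
    print(affiliate_split(active_c2s(FLOWS, t2, date(2023, 4, 3)), CONFIGS))
```

On the constructed data, `192.0.2.1:443` and `192.0.2.2:443` pass the common-peer filter while the two `198.51.100.x` destinations do not (one is a single-day contact, the other recurs but from only one C2). Only C2s with a T2 connection on or after the cutoff count as active, which is what lets older configurations' servers drop out of the picture when they stop calling home. The affiliate split is a pure set operation over configuration membership, so it works the same way for any number of affiliate IDs.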
Obama & BB
Bot C2s to Upstream T2s
The graphs below display the volume of traffic flows from 1 March to 8 May 2023 for the active C2 servers identified above, categorized by the affiliate configurations they appeared in. Each color represents one of the upstream Russian IPs, referred to as RU1, RU2, and RU3.
April C2 servers present in both Obama and BB campaigns
April C2 servers only present in Obama campaigns
April C2 servers only present in BB campaigns
In general, the affiliates do not seem to be separated by the upstream infrastructure with which their C2 servers communicate. However, there are some exceptions. For instance, a single unique BB C2 was live for two days and mostly communicated with RU3, with one connection to RU2 on the first day. C2s from the Obama campaigns primarily communicated with RU2 and RU3, although there were a few interactions with RU1 in early April.
In April, there seems to be a gap in activity for RU2 and RU3. To gain a clearer understanding of the overall C2 to T2 traffic volumes, it is necessary to combine all active C2s from April, regardless of affiliation.
All April C2 Servers
RU2 and RU3 exhibit similar patterns to each other, while RU1 follows a separate pattern. Traffic volumes consistently decrease over weekends for all three, a trend commonly observed in e-crime infrastructure. Interestingly, RU2 and RU3 were nearly inactive from 21 April until 1 May 2023. Upon resuming activity, C2 communication over TCP/443 spiked to levels twice as high as before the period of inactivity. During the inactivity period, there was a significant surge in traffic volume to RU1. However, just before the return of RU2 and RU3 in early May, the traffic volume to RU1 reduced to roughly match their volume patterns.
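The observations in this paragraph, a multi-day silence on one T2, a doubling of volume when it returns, and a surge on another T2 during the silence, come from aggregating flow counts into per-T2 daily series and comparing windows. The following script is an added example rather than Team Cymru's own analysis code; the T2 addresses are constructed RFC 5737 stand-ins for RU1 and RU2, the daily counts are constructed to resemble the pattern described, and the window lengths (`min_days`, `before`, `after`) are assumptions.

```python
"""Added example (not Team Cymru's code): aggregate C2 -> T2 flows into daily
series, find multi-day inactivity windows on a T2, and measure the volume
change after it returns as well as spillover onto another T2 meanwhile.
IPs and counts are constructed, not observed telemetry."""
from collections import Counter
from datetime import date, timedelta
from statistics import mean

RU1, RU2 = "192.0.2.1", "192.0.2.2"     # constructed stand-ins for two T2 IPs
START = date(2023, 4, 14)
END = START + timedelta(days=21)         # 22-day window, 14 April to 5 May


def _expand(t2, start, counts):
    """Turn a list of per-day flow counts into individual (day, t2_ip) records,
    mimicking what a flow export looks like after filtering to T2 destinations."""
    return [(start + timedelta(days=i), t2)
            for i, n in enumerate(counts) for _ in range(n)]


# Constructed: RU2 steady, silent 21-30 April, then back at double the volume.
FLOWS = _expand(RU2, START, [40] * 7 + [0] * 10 + [80] * 5)
# Constructed: RU1 absorbs traffic while RU2 is silent, then settles back.
FLOWS += _expand(RU1, START, [30] * 7 + [70] * 10 + [30] * 5)


def daily_volume(flows, start, end):
    """{t2_ip: [flow count per day from start to end inclusive]}, zero-filled so
    silent days show up as zeros rather than missing entries."""
    n_days = (end - start).days + 1
    counts = Counter(flows)
    t2s = {t2 for _, t2 in flows}
    return {t2: [counts[(start + timedelta(days=i), t2)] for i in range(n_days)]
            for t2 in t2s}


def inactivity_windows(series, start, min_days=3):
    """(first_day, last_day) for each run of at least min_days consecutive zero days."""
    windows, run_start = [], None
    for i, n in enumerate(series + [1]):      # sentinel closes a trailing run
        if n == 0 and run_start is None:
            run_start = i
        elif n != 0 and run_start is not None:
            if i - run_start >= min_days:
                windows.append((start + timedelta(days=run_start),
                                start + timedelta(days=i - 1)))
            run_start = None
    return windows


def return_ratio(series, start, window, before=5, after=5):
    """Mean daily volume in the `after` days following an inactivity window,
    divided by the mean over the `before` days preceding it (>1 means it came
    back busier)."""
    gap_start = (window[0] - start).days
    gap_end = (window[1] - start).days
    pre = series[max(0, gap_start - before):gap_start]
    post = series[gap_end + 1:gap_end + 1 + after]
    return mean(post) / mean(pre)


def spillover_ratio(other_series, start, window, before=5):
    """Mean volume on another T2 during the window divided by its mean just
    before it; >1 suggests traffic shifted onto that T2 while the first was down."""
    gap_start = (window[0] - start).days
    gap_end = (window[1] - start).days
    pre = other_series[max(0, gap_start - before):gap_start]
    during = other_series[gap_start:gap_end + 1]
    return mean(during) / mean(pre)


if __name__ == "__main__":
    volumes = daily_volume(FLOWS, START, END)
    for gap in inactivity_windows(volumes[RU2], START):
        print(f"RU2 silent {gap[0]} to {gap[1]}")
        print(f"  RU2 volume after/before: {return_ratio(volumes[RU2], START, gap):.2f}x")
        print(f"  RU1 volume during/before: {spillover_ratio(volumes[RU1], START, gap):.2f}x")
```

Zero-filling in `daily_volume` matters: if silent days are simply absent from the series, a gap detector sees two adjacent busy days and reports nothing. The ratios are deliberately relative rather than absolute so that the same check can be run across T2s with very different baseline volumes, and the sentinel in `inactivity_windows` makes sure a T2 that is still silent at the end of the window is reported too.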
Many C2 servers from this timeframe became active around mid-March and increased their activity beyond April. For comparison, the graph below includes all other confirmed or high confidence C2 servers that communicated with the Russian IPs over TCP/443 since 26 January 2023 (but were not included in April campaigns).
C2 Servers First Active Prior to April 2023
These previous C2 servers experienced spikes in activity, presumably when they were included in malware configurations, as observed with the C2 servers identified as active during April 2023. Subsequently, the traffic volume of these previous C2 servers significantly decreased but remained active.
In a future blog post, we will revisit this topic and explore the timelines of C2 servers and the relationships between affiliates.
From this perspective, there are fewer similarities between RU2 and RU3, although they still align more closely with each other than either does with RU1. It also appears there have been previous periods of inactivity when C2 servers ceased communicating with an upstream Russian IP, as observed with RU1 from 25 February to 6 March 2023. These older C2 servers also stopped communicating with RU1 for approximately three weeks from the end of March through April, but they resumed connections on 19 April 2023. C2 servers included in April campaigns continued to communicate with RU1 during this period.
Telemetry by IP Geolocation
There appears to be a potential relationship between RU2 and RU3 based on the April C2 traffic volume patterns. Hypothesizing from Qakbot's intermittent use of geofencing payloads, perhaps this relationship is influenced by geolocation. The following comparison shows confirmed and high confidence C2s, active between 26 January and 8 May 2023, categorized by geolocation for each of the three Russian T2s.
This section is caveated by the potential for observation bias. Team Cymru’s global coverage varies from region to region, and from day to day based on sampling rates and data volumes.
The volume and diversity of C2s for all three Russian T2s changed their patterns around the second week of March, with increased activity for India (IN) and United States (US) located IPs, and a decrease in the number of different GEOs with active C2 servers. RU2 and RU3 once again exhibit similar patterns and receive traffic from all US-based C2 servers, as well as C2s from other North American locations not observed with RU1.
During this timeframe, RU1 showed less diversity compared to RU2 and RU3, predominantly utilizing hosts located in India. There were only two short periods in February and March when US and Czech Republic (CZ) C2 servers connected to RU1.
The CZ hosts were seen communicating with all three T2s around the same time period in February. More recently, hosts geo-tagged as South African (ZA) have started communicating with all three T2s, but most consistently connect to RU1.
One last thing to note: Qakbot C2 servers are historically compromised machines, either purchased from third parties or infected and turned into bots (although the latter is less common). Combining the above information into one graph reveals that starting in March, India is by far the most prevalent country for active Qakbot C2s. These compromised machines are most likely purchased from a broker serving the e-crime community.
This analysis provides a recent snapshot of the Qakbot infrastructure, highlighting observed trends and anomalies. By visualizing this data through line charts, we have uncovered intriguing insights into the inner workings of Qakbot's infrastructure. While the data can be utilized to identify potential threats and implement proactive measures, the primary focus of this post is to highlight the interesting data points that can be uncovered through network telemetry analysis. By leveraging these insights, readers can gain a deeper understanding of the tactics and strategies employed by cybercriminals to carry out their attacks.
We recommend that the IOCs listed at the end of this blog post be used by cyber defenders to hunt for existing QakBot infections, as well as to block future attacks.
For users of Pure Signal™ Recon and Scout, the aforementioned Russian T2 servers are identifiable by querying against the IOC list; filtering on outbound connections to remote TCP/443.
Pivoting on inbound connections to the Russian T2 servers will illuminate new QakBot C2 infrastructure over time.
Indicators of Compromise
Below are the confirmed Qakbot bot C2 servers that we have identified communicating with upstream T2 infrastructure over TCP/443 this year.