The QakBot malware operators have set up 15 new command-and-control (C2) servers in (*15*) 2023, following a pause in their spamming activity. The cybersecurity firm Team Cymru asks whether this pause is a period in which the operators refine and replace their infrastructure and tooling. QakBot's C2 network is tiered: bot-facing C2 nodes communicate with upstream Tier 2 (T2) C2 nodes hosted on Russian VPS providers. Most of the bot C2 servers are located in India and the U.S., with outbound connections originating mostly in the U.S., India, Mexico, and Venezuela. A BackConnect server is also present, turning infected bots into proxies for malicious purposes. Black Lotus Labs' null-routing of the upper-tier infrastructure in May 2023 has significantly reduced the number of C2s communicating with the T2 layer. Six active C2 servers and two servers that came alive in (*15*) continued to show activity in July after spamming ended. Team Cymru observes a pattern in which spikes in outbound T2 connections often coincide with a decline in bot C2 activity, which suggests that cutting off communications to the upstream servers effectively protects users from compromise.
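The tiered layout described above (victims talk to bot-tier C2s, which fan in to a small number of upstream T2 nodes) is what lets a flow-data analyst pivot from known C2 addresses to the upper tier, and it is also what makes the inverse relationship between T2 traffic and bot activity visible. The following is an added illustration, not Team Cymru's code or data: it runs over a handful of constructed flow records using RFC 5737 documentation addresses (none of which are QakBot indicators) and shows both the fan-in pivot and the per-hour comparison of bot-to-C2 versus C2-to-T2 flows.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, hour_bucket).
# These are RFC 5737 documentation addresses, NOT real QakBot infrastructure.
FLOWS = [
    # hour 0: four victim bots checking in to three bot-tier C2 servers
    ("192.0.2.10", "198.51.100.5", 443, 0),
    ("192.0.2.11", "198.51.100.5", 443, 0),
    ("192.0.2.12", "198.51.100.6", 443, 0),
    ("192.0.2.13", "198.51.100.7", 443, 0),
    # hour 1: the three bot-tier C2s all connect outbound to the same upstream node
    ("198.51.100.5", "203.0.113.9", 443, 1),
    ("198.51.100.6", "203.0.113.9", 443, 1),
    ("198.51.100.7", "203.0.113.9", 443, 1),
    # hour 1: only one bot is still checking in while the T2 traffic spikes
    ("192.0.2.10", "198.51.100.5", 443, 1),
    # hour 1: a destination reached by a single C2 only (too little fan-in to call it T2)
    ("198.51.100.5", "203.0.113.50", 80, 1),
]

# Bot-tier C2 addresses assumed to be already known (constructed for this example).
KNOWN_C2 = {"198.51.100.5", "198.51.100.6", "198.51.100.7"}


def upstream_candidates(flows, known_c2, min_distinct_c2=2):
    """Pivot from known bot-tier C2s to candidate upstream (T2) nodes.

    A destination that several distinct known C2s connect to outbound is a
    candidate for the next tier; a destination seen from only one C2 is ignored
    because a single hosting or update fetch would look the same.
    Returns {dst_ip: sorted list of known C2s that contacted it}.
    """
    fan_in = defaultdict(set)
    for src, dst, _port, _hour in flows:
        if src in known_c2 and dst not in known_c2:
            fan_in[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in fan_in.items()
            if len(srcs) >= min_distinct_c2}


def activity_by_hour(flows, known_c2, upstream):
    """Count bot-to-C2 flows and C2-to-T2 flows per hour bucket.

    Returns a list of (hour, bot_to_c2_count, c2_to_t2_count) so the inverse
    pattern (T2 spike alongside a drop in bot check-ins) can be read off directly.
    """
    bot_to_c2 = defaultdict(int)
    c2_to_t2 = defaultdict(int)
    for src, dst, _port, hour in flows:
        if dst in known_c2 and src not in known_c2:
            bot_to_c2[hour] += 1
        elif src in known_c2 and dst in upstream:
            c2_to_t2[hour] += 1
    hours = sorted(set(bot_to_c2) | set(c2_to_t2))
    return [(h, bot_to_c2[h], c2_to_t2[h]) for h in hours]


if __name__ == "__main__":
    t2 = upstream_candidates(FLOWS, KNOWN_C2)
    print("candidate upstream nodes:", t2)
    for hour, bots, t2_flows in activity_by_hour(FLOWS, KNOWN_C2, t2):
        print(f"hour {hour}: bot->C2 flows={bots}  C2->T2 flows={t2_flows}")
```

On the constructed data the pivot returns 203.0.113.9 as the only upstream candidate (three distinct C2s fan in to it), and the hourly view shows bot check-ins falling from four to one in the same hour the C2-to-T2 flows rise from zero to three. On real flow data the `min_distinct_c2` threshold and the hour bucket size are the knobs an analyst would tune; the sample here is far too small to draw any conclusion beyond showing the shape of the analysis.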
