New QakBot C2 servers detected with Sophos NDR

Credit to Author: Karl Ackerman| Date: Thu, 20 Apr 2023 13:32:24 +0000

As malware continues to evolve and adversaries become more adept at evading detection, dynamic AI and machine learning technologies are critical for detection of the latest threats and attacks.

Sophos NDR utilizes a series of machine learning models that are regularly retrained to account for evolving malware families. This approach allows Sophos NDR to identify new malware variants operating covertly deep within the network, even within encrypted traffic, that may be attempting to make calls to previously unidentified command and control servers. 

Recently, Sophos NDR updates detected two new QakBot servers that had not yet been publicly identified. These servers were being used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.

The detection of these new QakBot servers highlights the ongoing threat posed by banking trojans and the need for advanced threat detection and response capabilities. Sophos NDR’s detection of the QakBot servers using encrypted packet analysis technology demonstrates the importance of analyzing encrypted traffic to identify advanced threats.

Sophos NDR’s encrypted packet analysis (EPA) technology allows it to detect potential threats without relying on decrypted content. In the table below, you can see the details of the two newly discovered QakBot servers, including the EPA model confidence, detected malware family, flow risks, and TLS information.

There have been several cybercriminal groups that have been associated with using QakBot in the past. Some of the notable groups include:

  • Evil Corp: This Russian cybercrime group is known for deploying various banking trojans, including QakBot. They have been linked to several high-profile attacks on financial institutions, with the primary goal of stealing large sums of money.
  • TA505: This group is believed to be based in Eastern Europe and is known for conducting large-scale phishing campaigns to distribute QakBot and other malware. They are also associated with the Dridex banking trojan and the Locky ransomware.
  • FIN7: This group is known for targeting hospitality, restaurant, and retail industries using phishing emails and deploying QakBot and other malware to steal payment card data. They have also been linked to the Carbanak and Cobalt Strike malware.
The Sophos NDR EPA model converts packet flows to images and uses a neural network to determine if the image matches what we expect QakBot to look like.  For those interested in what that image looks like I have included them here.
For more information on the Sophos NDR product, please check out the Sophos NDR Explained whitepaper.

http://feeds.feedburner.com/sophos/dgdY

Leave a Reply