As malware continues to evolve and adversaries become more adept at evading detection, dynamic AI and machine learning technologies are critical for detection of the latest threats and attacks.
Sophos NDR utilizes a series of machine learning models that are regularly retrained to account for evolving malware families. This approach allows Sophos NDR to identify new malware variants operating covertly deep within the network, even within encrypted traffic, that may be attempting to make calls to previously unidentified command and control servers.
Recently, Sophos NDR updates detected two new QakBot servers that had not yet been publicly identified. These servers were being used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.
The detection of these new QakBot servers highlights the ongoing threat posed by banking trojans and the need for advanced threat detection and response capabilities. Sophos NDR’s detection of the QakBot servers using encrypted packet analysis technology demonstrates the importance of analyzing encrypted traffic to identify advanced threats.
Sophos NDR’s encrypted packet analysis (EPA) technology allows it to detect potential threats without relying on decrypted content. In the table below, you can see the details of the two newly discovered QakBot servers, including the EPA model confidence, detected malware family, flow risks, and TLS information.
| Detection | IP Address | Port | EPA Model Confidence | Malware Family | Flow Risks | TLS Info | Virus Total Details | Other |
|---|---|---|---|---|---|---|---|---|
| QakBot C2 Server | 142.118.95.50 | 2222 | 99.014% | QakBot, Qbot, Quakbot | KNOWN_PROTOCOL_ON_NON_STANDARD_PORT TLS_NOT_CARRYING_HTTPS TLS_MISSING_SNI |
TLS version 1.2 Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 JA3C: 72a589da586844d7f0818ce684948eea JA3S: fd4bc6cea4877646ccd62f0792ec0b62 JARM: 21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21 |
https://www.virustotal.com/gui/ip-address/142.118.95.50/community | Unpopular Destination |
| QakBot C2 Server | 173.18.122.24 | 443 | 98.509% | QakBot, Qbot, Quakbot | TLS_NOT_CARRYING_HTTPS TLS_MISSING_SNI |
TLS version 1.2 Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 JA3C: 72a589da586844d7f0818ce684948eea JA3S: fd4bc6cea4877646ccd62f0792ec0b62 JARM: 21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21 |
https://www.virustotal.com/gui/ip-address/173.18.122.24/community | Unpopular Destination |
There have been several cybercriminal groups that have been associated with using QakBot in the past. Some of the notable groups include:
- Evil Corp: This Russian cybercrime group is known for deploying various banking trojans, including QakBot. They have been linked to several high-profile attacks on financial institutions, with the primary goal of stealing large sums of money.
- TA505: This group is believed to be based in Eastern Europe and is known for conducting large-scale phishing campaigns to distribute QakBot and other malware. They are also associated with the Dridex banking trojan and the Locky ransomware.
- FIN7: This group is known for targeting hospitality, restaurant, and retail industries using phishing emails and deploying QakBot and other malware to steal payment card data. They have also been linked to the Carbanak and Cobalt Strike malware.
For more information on the Sophos NDR product, please check out the Sophos NDR Explained whitepaper.