Researchers from Lumen Black Lotus Labs have conducted a thorough analysis of the QBOT botnet and found that 25% of its command-and-control (C2) servers are active for no longer than a day, and 50% for no more than a week. This indicates that the malware's infrastructure is adaptive and dynamic.
According to security specialists Chris Formosa and Steve Rudd, QBOT conceals its infrastructure in residential IP address space and on infected web servers instead of hiding in a network of hosted virtual private servers (VPS).
QBOT, also known as QAKBOT and PINKSLIPBOT, is a persistent and potent threat that originated as a banking trojan in 2007 and developed into a loader for other payloads, including ransomware.
The malware reaches victims' devices through spear-phishing emails that contain lure files or use malicious redirection methods.
It is worth noting that the URL was initially created to identify the location of various files on the internet, but over time, it began to be used to identify the addresses of all resources, regardless of their type.