FBI Joint Indicator Bulletin: Signs That Your System is Infected With the Qakbot Botnet

Notification:

This Joint Indicator Bulletin is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is marked TLP: GREEN. Recipients may only share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary:

This Joint Indicator Bulletin (JIB) is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC)/United States Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to highlight known cyber threat indicators.

Qakbot (aka Qbot) is an information-stealing botnet capable of spreading across a network via network shares. Although Qakbot has been infecting computers since 2009, US-CERT has observed a recent increase in reporting of new infections.

The purpose of this JIB is to provide indicators related to this Qakbot botnet activity.

Analysis:


Host IPv4: 181.224.138.240

Characterization: Exfiltration

Notes: Traffic to this FTP server has been observed over TCP ports 21 and 22. It is possible Command and Control (C2) traffic was also routed through this IP address on port 443. Other C2 traffic goes through port 65400. Please note this IP is hosting hundreds of domains.


Host IPv4: 162.144.12.241

Characterization: Exfiltration

Notes: Traffic to this FTP server has been observed over TCP ports 21 and 22. It is possible Command and Control (C2) traffic was also routed through this IP address on port 443. Other C2 traffic goes through port 65400. Please note this IP is hosting hundreds of domains.


Host IPv4: 65.182.187.52

Characterization: Exfiltration

Notes: Traffic to this FTP server has been observed over TCP ports 21 and 22. It is possible Command and Control (C2) traffic was also routed through this IP address on port 443. Other C2 traffic goes through port 65400. Please note this IP is hosting hundreds of domains.


Host IPv4: 66.7.210.190

Characterization: Exfiltration

Notes: Traffic to this FTP server has been observed over TCP ports 21 and 22. It is possible Command and Control (C2) traffic was also routed through this IP address on port 443. Other C2 traffic goes through port 65400. Please note this IP is hosting hundreds of domains.


Host IPv4: 66.96.134.31

Characterization: Exfiltration

Notes: Traffic to this FTP server has been observed over TCP ports 21 and 22. It is possible Command and Control (C2) traffic was also routed through this IP address on port 443. Other C2 traffic goes through port 65400. Please note this IP is hosting hundreds of domains.


Host URL: http://forumity.com/show-ip.php

Characterization: Domain Watchlist

Notes: The malware has been observed reaching out to this domain.


Host URL: http://www.ip-adress.com

Characterization: Benign

Notes: The malware has been observed reaching out to this domain.


Host URL: http://ajax.nickspizzade.com

Characterization: Domain Watchlist

Notes: The malware has been observed reaching out to this domain.


Host IPv4: 193.111.140.236

Characterization: C2

Notes: The malware has been observed reaching out to this IP address over port 65200.
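The indicators above are most useful when matched automatically against egress logs. The following script is an added example (not part of the bulletin, and not a US-CERT or FBI tool): it transcribes the bulletin's IPs, ports and domains into lookup tables and scans connection and proxy log lines for hits. The log line formats, the sample log lines, the confidence scale and the TEST-NET/private addresses used as sample traffic are all constructed for this example. A listed IP on a listed port is rated high confidence; a listed IP on some other port is rated medium, because the bulletin notes these hosts serve hundreds of unrelated domains; the www.ip-adress.com contact is reported at low confidence since the bulletin characterizes that site as benign.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# IP indicators transcribed from the bulletin, keyed to its characterization.
IP_INDICATORS = {
    "181.224.138.240": "Exfiltration",
    "162.144.12.241": "Exfiltration",
    "65.182.187.52": "Exfiltration",
    "66.7.210.190": "Exfiltration",
    "66.96.134.31": "Exfiltration",
    "193.111.140.236": "C2",
}
# Destination ports the bulletin associates with each characterization.
PORTS_OF_INTEREST = {
    "Exfiltration": {21, 22, 443, 65400},
    "C2": {65200},
}
# Domain indicators transcribed from the bulletin's URLs.
DOMAIN_INDICATORS = {
    "forumity.com": "Domain Watchlist",
    "ajax.nickspizzade.com": "Domain Watchlist",
    "www.ip-adress.com": "Benign",  # contacted by the malware, but itself benign
}


@dataclass
class Alert:
    line_no: int
    indicator: str
    characterization: str   # the bulletin's own label
    confidence: str         # "high" / "medium" / "low": this script's assumed scale
    detail: str


# Constructed connection-log format (an assumption, not a real product's format):
#   <epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
CONN_RE = re.compile(r"^(\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)$")
# Constructed proxy-log format:  <epoch> <src_ip> <method> <url>
PROXY_RE = re.compile(r"^(\d+)\s+(\S+)\s+\w+\s+(\S+)$")


def match_connection(dst_ip, dst_port, line_no):
    """Return an Alert if dst_ip is a listed host, rating port agreement."""
    char = IP_INDICATORS.get(dst_ip)
    if char is None:
        return None
    conf = "high" if dst_port in PORTS_OF_INTEREST[char] else "medium"
    return Alert(line_no, dst_ip, char, conf, f"dst port {dst_port}")


def match_url(url, line_no):
    """Return an Alert if the URL's host is a listed domain or a subdomain of one."""
    host = urlparse(url).hostname
    if host is None:
        return None
    for dom, char in DOMAIN_INDICATORS.items():
        if host == dom or host.endswith("." + dom):
            conf = "low" if char == "Benign" else "medium"
            return Alert(line_no, dom, char, conf, f"url {url}")
    return None


def scan(lines):
    """Scan an iterable of log lines; unrecognised lines are skipped."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = CONN_RE.match(line.strip())
        if m:
            a = match_connection(m.group(4), int(m.group(5)), n)
            if a:
                alerts.append(a)
            continue
        m = PROXY_RE.match(line.strip())
        if m:
            a = match_url(m.group(3), n)
            if a:
                alerts.append(a)
    return alerts


# Constructed sample traffic: internal 10.0.0.0/8 sources, TEST-NET for an unrelated peer.
SAMPLE_LOGS = [
    "1700000000 10.0.0.5:51234 -> 181.224.138.240:21 tcp",     # listed host, FTP port
    "1700000001 10.0.0.5:51235 -> 181.224.138.240:80 tcp",     # listed host, unlisted port
    "1700000002 10.0.0.7:51236 -> 193.111.140.236:65200 tcp",  # C2 host on its port
    "1700000003 10.0.0.9:51237 -> 203.0.113.10:443 tcp",       # unrelated destination
    "1700000004 10.0.0.5 GET http://forumity.com/show-ip.php",
    "1700000005 10.0.0.5 GET http://www.ip-adress.com/",
    "1700000006 10.0.0.9 GET http://example.com/index.html",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"line {a.line_no}: {a.characterization} {a.indicator} "
              f"[{a.confidence}] {a.detail}")
```

In practice the two regexes would be replaced with a parser for whatever your firewall, NetFlow or proxy actually emits; the indicator tables and the confidence rule are the part worth keeping.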

Points of Contact

Recipients of this bulletin are encouraged to contribute additional information related to this cyber threat, to malicious activity leveraging social media sites, or to other similar activity. Include the JIB reference number in the subject line of all email correspondence. For any questions related to this report, please contact NCCIC/US-CERT or the FBI at:

NCCIC/US-CERT:

(UNCLASS) Phone: +1-703-235-8832

(UNCLASS) Email: soc@us-cert.gov

(SIPRNET) Email: us-cert@dhs.sgov.gov

(JWICS) Email: us-cert@dhs.ic.gov

FBI:

(UNCLASS) Phone: +1-855-292-3937
