In this short article I’ll outline some analysis I performed on the QBot/QakBot malware family with Zeek.
I took a look at the following PCAPs from this family of malware, hoping to make it into a Zeek Roulette:
- https://www.malware-traffic-analysis.net/2022/12/09/index.html
- https://www.malware-traffic-analysis.net/2022/10/14/index.html
- https://www.malware-traffic-analysis.net/2022/09/29/index.html
- https://www.malware-traffic-analysis.net/2023/01/31/index.html
- https://www.malware-traffic-analysis.net/2023/04/03/index.html
- https://www.malware-traffic-analysis.net/2023/03/31/index.html
You will see in each of the malware write-ups, and in the PCAPs, that the malware C2 is sent over HTTPS. That limits our ability to detect the raw C2.
Initially, I thought I could potentially use the JA3/JA3S hashes in Zeek to identify C2 clients and servers through their HTTPS parameters.
I specifically looked at: https://www.malware-traffic-analysis.net/2023/03/31/index.html and the C2, according to the notes downloaded from that link, happens over TCP 2222 and 443. The JA3 and JA3S are:
72a589da586844d7f0818ce684948eea
fd4bc6cea4877646ccd62f0792ec0b62
I took these hashes and ran them across a large live network I am able to monitor. Specifically, I searched the ssl.log over the past week on this network. I got hits with the hashes separately (as if they were OR’d) that looked like legitimate SSL traffic, so I looked for the times when the JA3 and JA3S matched. In that case I saw a connection between a local network asset and McAfee, Inc. The probability is low that McAfee would have a C2 server, so I think this detection method may not work so well.
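To make the OR-versus-AND distinction concrete, here is an added example (not code from the post) that parses a constructed Zeek ssl.log excerpt and separates single-hash hits from connections where the JA3 and JA3S match together. It assumes the ssl.log carries the ja3/ja3s columns the Zeek JA3 package adds; the hosts, uids and the non-QakBot hash are made up.

```python
import sys
from typing import Iterator

# JA3 / JA3S pair the post reports for the 2023-03-31 QakBot sample.
QBOT_JA3 = "72a589da586844d7f0818ce684948eea"
QBOT_JA3S = "fd4bc6cea4877646ccd62f0792ec0b62"

# Constructed ssl.log excerpt in Zeek TSV format, with the ja3/ja3s columns the
# Zeek JA3 package adds. Hosts, uids and the non-QakBot hash are made up.
SAMPLE_SSL_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tja3\tja3s
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1680220800.1\tCabc1\t10.0.0.5\t51000\t203.0.113.7\t443\t-\t72a589da586844d7f0818ce684948eea\tfd4bc6cea4877646ccd62f0792ec0b62
1680220801.2\tCabc2\t10.0.0.6\t51001\t198.51.100.9\t443\tupdate.example.net\t72a589da586844d7f0818ce684948eea\t0000000000000000000000000000aaaa
1680220802.3\tCabc3\t10.0.0.7\t51002\t203.0.113.8\t2222\t-\t72a589da586844d7f0818ce684948eea\tfd4bc6cea4877646ccd62f0792ec0b62
#close\t2023-03-31-00-00-00
"""

def parse_ssl_log(text: str) -> Iterator[dict]:
    """Yield one dict per record of a Zeek TSV log, keyed by the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other directives (#separator, #types, #close) and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def classify_matches(text: str, ja3: str = QBOT_JA3, ja3s: str = QBOT_JA3S):
    """Return (single, paired): records matching only one hash (the noisy OR
    search) and records where client and server fingerprints match together."""
    single, paired = [], []
    for rec in parse_ssl_log(text):
        client_hit = rec.get("ja3") == ja3
        server_hit = rec.get("ja3s") == ja3s
        if client_hit and server_hit:
            paired.append(rec)
        elif client_hit or server_hit:
            single.append(rec)
    return single, paired

if __name__ == "__main__":
    # Pass a real ssl.log path to scan it; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSL_LOG
    single, paired = classify_matches(text)
    print(f"{len(single)} single-hash hits, {len(paired)} paired hits")
    for rec in paired:  # triage list: where did the paired hits go?
        print(rec["uid"], rec["id.orig_h"], "->", f'{rec["id.resp_h"]}:{rec["id.resp_p"]}', rec["server_name"])
```

The paired list is what still needs human triage (checking the server_name and responder against known vendors, as the McAfee hit above shows); the single list is the noise an OR search produces.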
After finding a couple more hits that flagged connections which looked like false positives, I don’t see how the JA3 analysis will identify this malware family.
I will continue to think on this one, but C2 like this over HTTPS is much more difficult to detect.