In this short article I’ll outline some analysis I performed on the QBot/QakBot malware family with Zeek.
I took a look at the following PCAPs from this family of malware, hoping to make it into a Zeek Roulette:
You will see in each of the malware write-ups, and in the PCAPs, that the malware C2 is sent over HTTPS. That limits our ability to detect the raw C2, since the payload itself is encrypted.
Initially, I thought I could use the JA3/JA3S hashes that Zeek records in ssl.log to identify C2 clients and servers from their TLS handshake parameters.
I specifically looked at https://www.malware-traffic-analysis.net/2023/03/31/index.html; according to the notes downloaded from that link, the C2 happens over TCP 2222 and 443. The JA3 and JA3S are:
I took these hashes and searched for them across a large live network I am able to monitor, specifically in the ssl.log for the past week. Searching for either hash on its own (as if they were OR'd) returned hits that looked like legitimate TLS traffic, so I narrowed it to connections where both the JA3 and the JA3S matched. That left a connection between a local network asset and McAfee, Inc. The probability that McAfee would be hosting a C2 server is low, so I think this detection method may not work so well.
After finding a couple more hits that also looked like false positives, I don't see how JA3 analysis alone will identify this malware family.
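The OR-versus-AND search described above, as an added example that is not code from the original post. It assumes the ssl.log carries `ja3` and `ja3s` columns (as added by the community JA3 Zeek package) and reads column positions from the `#fields` header the way zeek-cut does, so it works whatever order the columns appear in. The hashes, UIDs, addresses and the ssl.log itself are constructed placeholders, not the real QakBot values:

```shell
#!/bin/sh
# Added example, not code from the original post. Hunts a Zeek ssl.log for
# connections whose JA3 and JA3S both match a suspected C2 pair, and contrasts
# that with matching either hash alone.
# Assumptions: ssl.log has `ja3` and `ja3s` columns (community JA3 package);
# every hash, UID and address below is a CONSTRUCTED placeholder.

JA3_SUSPECT="11111111111111111111111111111111"    # placeholder client fingerprint
JA3S_SUSPECT="22222222222222222222222222222222"   # placeholder server fingerprint
OTHER_JA3="33333333333333333333333333333333"
OTHER_JA3S="44444444444444444444444444444444"

# Write a constructed ssl.log in Zeek's tab-separated ASCII format.
# Column order deliberately differs from a stock ssl.log; hunt_ja3 below
# reads positions from the #fields header instead of hard-coding them.
make_sample_log() {
    printf '#separator \\x09\n'
    printf '#path\tssl\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tja3\tja3s\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\n'
    row='%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n'
    # JA3 matches, JA3S does not: a common client stack talking to a vendor.
    printf "$row" 1680300000.1 CUID1 192.0.2.10 51000 198.51.100.5 443 TLSv12 update.example "$JA3_SUSPECT" "$OTHER_JA3S"
    # Both match: the only row the AND search should return (no SNI, port 2222).
    printf "$row" 1680300001.2 CUID2 192.0.2.11 51001 203.0.113.7 2222 TLSv12 - "$JA3_SUSPECT" "$JA3S_SUSPECT"
    # JA3S matches, JA3 does not.
    printf "$row" 1680300002.3 CUID3 192.0.2.12 51002 198.51.100.9 443 TLSv12 cdn.example "$OTHER_JA3" "$JA3S_SUSPECT"
    # Neither matches.
    printf "$row" 1680300003.4 CUID4 192.0.2.13 51003 198.51.100.9 443 TLSv13 cdn.example "$OTHER_JA3" "$OTHER_JA3S"
    printf '#close\t2023-03-31-00-00-00\n'
}

# hunt_ja3 LOG JA3 JA3S MODE   (MODE is "and" or "or")
# Prints "uid orig_h resp_h resp_p server_name" for each matching connection.
hunt_ja3() {
    awk -F '\t' -v ja3="$2" -v ja3s="$3" -v mode="$4" '
        # Map column names to positions; data fields are shifted by one
        # because field 1 of the #fields line is the literal "#fields".
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        !("ja3" in col) || !("ja3s" in col) {
            print "ssl.log has no ja3/ja3s columns" > "/dev/stderr"; exit 2
        }
        {
            a = ($(col["ja3"])  == ja3)
            b = ($(col["ja3s"]) == ja3s)
            hit = (mode == "and") ? (a && b) : (a || b)
            if (hit)
                print $(col["uid"]), $(col["id.orig_h"]), $(col["id.resp_h"]), $(col["id.resp_p"]), $(col["server_name"])
        }' "$1"
}

# Both hashes must match in the same connection.
match_ja3_pair() { hunt_ja3 "$1" "$2" "$3" and; }
# Either hash matches (the noisier search that returned legitimate traffic).
match_ja3_any()  { hunt_ja3 "$1" "$2" "$3" or; }

# Stand-alone demo: write the constructed log to a temp file and run both searches.
log=$(mktemp)
make_sample_log > "$log"
echo "either hash matches (OR):";  match_ja3_any  "$log" "$JA3_SUSPECT" "$JA3S_SUSPECT"
echo "both hashes match (AND):";   match_ja3_pair "$log" "$JA3_SUSPECT" "$JA3S_SUSPECT"
rm -f "$log"
```

Against a real ssl.log the same function is run with the week's log and the hashes from the write-up. The false positives the AND search still produces are expected rather than surprising: JA3 hashes the ClientHello parameters, which come from the TLS library rather than the application, and JA3S does the same for the server's ServerHello, so any client and server built on the same widely deployed stacks collide with the pair. Joining the surviving hits to conn.log on uid (for the destination port, duration and byte counts) and looking at the absence of an SNI or at the certificate details in ssl.log gives more to separate them on than the fingerprints alone.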
I will continue to think on this one, but C2 like this over HTTPS is much more difficult to detect.