New QakBot C2 servers detected with Sophos NDR

As malware continues to evolve and adversaries become more adept at evading detection, dynamic AI and machine learning technologies are critical for detection of the latest threats and attacks.

Sophos NDR utilizes a series of machine learning models that are regularly retrained to account for evolving malware families. This approach allows Sophos NDR to identify new malware variants operating covertly deep within the network, even within encrypted traffic, that may be attempting to make calls to previously unidentified command and control servers. 

Recently, Sophos NDR updates detected two new QakBot servers that had not yet been publicly identified. These servers were being used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.

The detection of these new QakBot servers highlights the ongoing threat posed by banking trojans and the need for advanced threat detection and response capabilities. Sophos NDR’s detection of the QakBot servers using encrypted packet analysis technology demonstrates the importance of analyzing encrypted traffic to identify advanced threats.

Sophos NDR’s encrypted packet analysis (EPA) technology allows it to detect potential threats without relying on decrypted content. In the table below, you can see the details of the two newly discovered QakBot servers, including the EPA model confidence, detected malware family, flow risks, and TLS information.