Update on QakBot Servers: ML Model for NDR Continues to Detect New C2 Servers

Sophos Network Detection and Response (NDR) uses encrypted packet analysis to identify new command and control (C2) servers as they emerge, without decrypting the traffic. Unlike traditional IOC-based detection, which relies on known indicators of compromise, our model continuously monitors clear-text and encrypted network flows and renders each flow's observable characteristics as an image. That image is then processed by a Convolutional Neural Network (CNN) image recognition model, which outputs the probability that the communication belongs to a particular malware family, such as QBOT.

By continuously monitoring the communication behavior and patterns of QBOT and other malware families, our ML model provides resilient protection against them. Once deployed, the detection model needs no IOC or signature updates to flag newly stood-up C2 servers, because it keys on how the agent communicates rather than on where it communicates, making it a powerful defense against rapidly evolving threats.

The ability of our ML model to identify suspect C2 servers without relying on additional threat intelligence is a significant advantage. Adversaries attempting to bypass this type of protection would need to make significant changes to the QBOT agent's network behavior, which is a difficult and time-consuming task. As we continue to monitor the evolution of QBOT and other malware families, we will retrain and update the ML model as needed to ensure that our customers remain protected.

For those unfamiliar with CNN models, they are a type of deep learning algorithm used primarily in image and video recognition and processing. CNN models learn to recognize patterns and features within the input data, such as pixels in an image or frames in a video, through stacked convolution and pooling layers.

The convolution layer slides small learned filters (kernels) across the input and computes a weighted sum at each position, producing feature maps that highlight local patterns. The pooling layer then reduces the spatial size of the convolved features by subsampling (typically keeping the maximum value in each small window), which reduces the number of parameters and helps control overfitting.
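To make the pipeline described above concrete, here is an added example in plain Python (not Sophos code, and not the model used in Sophos NDR) that turns a short flow into an 8x8 grayscale image and pushes it through one convolution + ReLU layer, one max-pooling layer, and a single dense output with a sigmoid. The packet bytes are constructed to resemble the start of a TLS session; the image layout, the edge-detecting kernel and the output weights are illustrative assumptions. In a real model the kernels and weights are learned from labelled traffic, so the probability printed here carries no meaning beyond showing the mechanics.

```python
"""Toy flow-image + CNN layer demo (added example; not Sophos NDR code)."""
import math
from typing import List, Tuple

Packet = Tuple[str, bytes]   # direction ("c2s" or "s2c") and payload bytes
Image = List[List[int]]
FeatureMap = List[List[float]]

SIZE = 8  # image side: first SIZE packets x SIZE pixels per packet (toy size)


def flow_to_image(packets: List[Packet], size: int = SIZE) -> Image:
    """Render a flow as a fixed size x size grayscale image.

    Row i is packet i: pixel 0 encodes direction (0 = client->server,
    255 = server->client); the remaining size-1 pixels are the packet's first
    payload bytes, zero padded. Flows shorter than `size` packets get all-zero
    rows. This layout is an illustrative assumption, not Sophos's encoding.
    """
    img: Image = []
    for i in range(size):
        if i < len(packets):
            direction, payload = packets[i]
            row = [0 if direction == "c2s" else 255] + list(payload[: size - 1])
            row += [0] * (size - len(row))
        else:
            row = [0] * size
        img.append(row)
    return img


def conv2d(img: List[List[float]], kernel: List[List[float]]) -> FeatureMap:
    """'Valid' 2-D convolution (cross-correlation, no padding) followed by ReLU."""
    kh, kw = len(kernel), len(kernel[0])
    out: FeatureMap = []
    for y in range(len(img) - kh + 1):
        row = []
        for x in range(len(img[0]) - kw + 1):
            acc = 0.0
            for dy in range(kh):
                for dx in range(kw):
                    acc += img[y + dy][x + dx] * kernel[dy][dx]
            row.append(max(0.0, acc))  # ReLU: keep only positive activations
        out.append(row)
    return out


def max_pool(fm: FeatureMap, k: int = 2) -> FeatureMap:
    """k x k max pooling with stride k: keeps the strongest activation per window."""
    return [
        [max(fm[y + dy][x + dx] for dy in range(k) for dx in range(k))
         for x in range(0, len(fm[0]) - k + 1, k)]
        for y in range(0, len(fm) - k + 1, k)
    ]


def _sigmoid(z: float) -> float:
    """Numerically stable logistic function."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def score(pooled: FeatureMap, weights: List[float], bias: float) -> float:
    """Flatten + dense layer + sigmoid: probability that the flow is the target family."""
    flat = [v for row in pooled for v in row]
    z = sum(w * v for w, v in zip(weights, flat)) + bias
    return _sigmoid(z)


# Constructed sample flow resembling the first records of a TLS 1.2 session
# (ClientHello, ServerHello, Certificate, ClientKeyExchange, ChangeCipherSpec,
# Finished, ...). Bytes are illustrative, not captured traffic.
SAMPLE_FLOW: List[Packet] = [
    ("c2s", bytes.fromhex("160301007a0100007603030a")),
    ("s2c", bytes.fromhex("160303005a02000056030305")),
    ("s2c", bytes.fromhex("1603030d2e0b000d2a000d27")),
    ("c2s", bytes.fromhex("160303004610000042410400")),
    ("c2s", bytes.fromhex("140303000101")),
    ("c2s", bytes.fromhex("1603030028d3f1a9")),
    ("s2c", bytes.fromhex("140303000101")),
    ("s2c", bytes.fromhex("16030300284fbe1c")),
]

# Hand-set stand-ins for learned parameters (assumptions for the demo only).
EDGE_KERNEL = [[-1.0, 0.0, 1.0]] * 3          # responds to horizontal byte transitions
DEMO_WEIGHTS = [0.002, -0.001, 0.002, 0.001, 0.002, -0.002, 0.001, 0.002, -0.001]
DEMO_BIAS = -0.5


def demo(packets: List[Packet] = SAMPLE_FLOW) -> float:
    """Run the whole toy pipeline: flow -> image -> conv -> pool -> probability."""
    img = flow_to_image(packets)            # 8x8
    fm = conv2d(img, EDGE_KERNEL)           # 6x6 after a 3x3 kernel
    pooled = max_pool(fm)                   # 3x3 after 2x2 pooling
    return score(pooled, DEMO_WEIGHTS, DEMO_BIAS)


if __name__ == "__main__":
    for row in flow_to_image(SAMPLE_FLOW):
        print(" ".join(f"{p:3d}" for p in row))
    print(f"untrained toy score: {demo():.3f}")
```

The point to take from the example is that the image has a fixed shape no matter how long the flow is, and nothing in it is the destination IP, port or domain: the model only sees the byte-level structure of the first packets (record headers, direction changes, lengths). That is why a trained model of this kind can flag a server it has never seen before, and why evading it means changing the agent's on-the-wire behavior rather than rotating infrastructure.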

CNN models are widely used in applications such as object recognition, facial recognition, natural language processing, and more. With Sophos NDR we are now demonstrating this model's ability to improve detection of malware families.

Here are some of the additional QBOT C2 servers that we are currently detecting. Note that all five share the same JARM fingerprint, consistent with a common TLS server configuration across this C2 tier; JARM is a useful pivot for hunting related infrastructure, but the fingerprint alone is not unique to a malware family, so treat it as supporting evidence rather than a verdict.

IP Address       Port   Malware Family  JARM                                                            VirusTotal
31.50.179.221    50000  QakBot          21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21  https://www.virustotal.com/gui/ip-address/31.50.179.221/community
102.157.224.79   443    QakBot          21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21  https://www.virustotal.com/gui/ip-address/102.157.224.79/community
108.190.115.159  443    QakBot          21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21  https://www.virustotal.com/gui/ip-address/108.190.115.159/community
142.126.169.223  2222   QakBot          21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21  https://www.virustotal.com/gui/ip-address/142.126.169.223/community
76.16.49.134     443    QakBot          21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21  https://www.virustotal.com/gui/ip-address/76.16.49.134/community

Thank you for your attention to this matter. If you have any questions or concerns, please do not hesitate to contact us.

For those looking for more information on Sophos NDR, the white paper is a good starting point: White Paper: NDR Explained