Hunting Malicious Infrastructure using JARM and HTTP Response
Hunting QBot C2 and Brute Ratel C4 Infrastructure
In this blog, I will explain my hunting methodology with two practical examples.
- QBot C2
- Brute Ratel C4
I choose these two because despite the difference between Brute Ratel C4 and QBot this methodology (JARM and HTTP Response hash) is applicable to both examples and provides great results.
My process starts always looking for the first node in phase one, analyzing and pivoting in phase two, and results in phase three.
Step by step my approach to hunting malicious infrastructure.
Hunting QBot C2 Infrastructure (step-by-step guideline)
Looking for the first Node
This is our starting point where we should look for our first malicious C2. I recommend three options VirusTotal, Threat Fox, and Twitter where I usually look for the first node.
This is our starting point 18.104.22.168 (I grabbed this IP from Twitter) and our goal is to escalate from one malicious C2 to identify hundreds or sometimes thousands of them.
When analyzing our first node I recommend always paying attention to the patterns for example certificates, ports, and HTTP Response.
It is important to identify JARM for the implemented certificates.
All that information is required to understand how the threat actors build malicious infrastructure and based on that how we…