Published on October 14th, 2019
Spamhaus Botnet Threat Update: Q3-2019
You might assume that malware authors and botnet operators in the Northern Hemisphere took a break over the summer months. Unfortunately, that assumption would be incorrect: the number of newly detected botnet command & control servers (C&Cs) reached an all-time high in July this year, with more than 1,500 botnet C&Cs detected by Spamhaus Malware Labs. This is far in excess of the monthly average of 1,000 botnet C&Cs set in the first half of the year.
One of the most notorious botnets, "Emotet", did however appear to go on vacation. This botnet went silent for several months, but returned in September with a large-scale spam campaign.
Spotlight: Emotet returns from Summer Break
Emotet, a modular (banking) Trojan
Emotet, also known as "Heodo", started life as an e-banking Trojan that targeted e-banking customers around the world. In 2018, Emotet ceased its e-banking fraud activities and started to offer infected computers to other cybercriminals on a "Pay-Per-Install" model. As of 2019, Emotet is one of the most dangerous botnets and is indirectly responsible for a large number of ransomware campaigns, such as Ryuk.
In June this year, the notorious Emotet botnet went quiet, as noted in the Q2 2019 Botnet Threat Update. The threat actors behind Emotet abruptly stopped sending out their daily spam campaigns that were responsible for distributing the Trojan around the globe. However, the botnet itself remained active.
The reason for the sudden disappearance of Emotet remains unclear. While some security researchers thought that Emotet had gone for good, the majority believed that it was just a matter of time until Emotet reappeared on the threat landscape. The latter turned out to be correct.
In September 2019, almost three months after Emotet had stopped emitting spam, the threat actor "reactivated" the botnet and Emotet went live again. It didn't take long until the first Emotet spam campaigns started to flood millions of mailboxes again. It appears that Emotet simply took an extended summer vacation.
During the three months that Emotet was inactive, nothing changed in its modus operandi. Once a machine is infected, Emotet tries to steal the following information from it:
- Email address book
- Email credentials (Username / Password / SMTP server)
- Email conversations
Emotet exfiltrates the stolen information from the victim's machine to a botnet C&C server. The threat actor then uses that information to send out malspam campaigns in the name of the victim, "hijacking" legitimate email conversations (replying into existing threads with the stolen content) and sending through the stolen email credentials, so the messages arrive from the victim's real account and pass sender authentication.
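The thread-hijacking behaviour described above is what a mail gateway has to spot. The following is an added example, not Spamhaus code and not an Emotet detection rule from this report: a small Python triage heuristic, run over two constructed RFC 5322 messages, that flags the indicators a hijacked reply tends to carry. The address book (`KNOWN_CONTACTS`), the sample messages and the indicator names are all assumptions made for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for the correspondents a mail gateway already knows.
# (Assumption: the gateway can look up known contacts by display name and address.)
KNOWN_CONTACTS = {
    "alice@example.com": "Alice Example",
}

# Constructed sample 1: a genuine message that starts a thread.
LEGIT_MESSAGE = b"""From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Q3 invoice
Message-ID: <thread-1@example.com>
Return-Path: <alice@example.com>

Hi Bob, the invoice is approved.
"""

# Constructed sample 2: a reply into that thread, sent from a look-alike address,
# quoting the stolen conversation and carrying a new attachment.
HIJACKED_REPLY = b"""From: Alice Example <alice.example@mail-invalid.test>
To: bob@example.com
Subject: Re: Q3 invoice
In-Reply-To: <thread-1@example.com>
References: <thread-1@example.com>
Return-Path: <bounce@other-invalid.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document regarding the invoice we discussed.

> Hi Bob, the invoice is approved.

--b1
Content-Type: application/octet-stream; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def hijack_indicators(raw_msg: bytes, known_contacts=KNOWN_CONTACTS) -> list:
    """Return the thread-hijack indicators present in one raw message.

    Heuristics (assumed for this illustration):
    - the message claims to continue an existing thread (In-Reply-To / References);
    - the display name belongs to a known contact but the address does not;
    - the Return-Path domain differs from the From domain;
    - the message carries an attachment.
    """
    msg = email.message_from_bytes(raw_msg, policy=policy.default)
    found = []

    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]

    if msg.get("In-Reply-To") or msg.get("References"):
        found.append("continues existing thread")

    # Map lower-cased display names back to the address we know them by.
    known_names = {n.lower(): a for a, n in known_contacts.items()}
    if name and name.lower() in known_names and known_names[name.lower()] != addr:
        found.append("display name of known contact, unknown address")

    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    rp_domain = return_path.lower().rpartition("@")[2]
    if return_path and rp_domain != from_domain:
        found.append("Return-Path domain differs from From domain")

    # walk() yields the message itself for single-part mail, so this is safe for both.
    if any(part.get_filename() for part in msg.walk()):
        found.append("carries attachment")

    return found


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_MESSAGE), ("hijacked", HIJACKED_REPLY)):
        print(label, hijack_indicators(sample))
```

The caveat a practitioner needs: when the operator sends through the victim's stolen SMTP credentials, the From address is the real one and SPF/DKIM pass, so the second and third indicators never fire. What remains is a reply into an old thread that suddenly carries an attachment, which is a triage signal rather than a verdict, and should be combined with attachment inspection and the C&C blocklists this report is about.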
Depending on the IT environment and geographical location of the victim's machine, Emotet may drop additional malware, for example Gozi, Quakbot or TrickBot. Some of these Trojans are used for lateral movement: once inside a corporate network, they in turn drop ransomware such as Ryuk or MegaCortex.
Number of botnet C&Cs observed, Q3 2019
What is a âfraudulent sign-upâ?
This is where a miscreant uses a fake or stolen identity to sign up for a service, usually a Virtual Private Server (VPS) or a dedicated server, for the sole purpose of hosting a botnet C&C on it.
As we mentioned at the beginning of this update, the number of newly detected botnet C&Cs, resulting from fraudulent sign-ups, continued to increase in Q3 2019. Spamhaus Malware Labs detected approximately 1,300 new botnet C&Cs per month. This was a 30% increase on the monthly averages seen in the first two quarters of 2019. Even more worrying; we have observed and blocked more botnet C&Cs to date in 2019 than we did in the whole of 2018:
- Q1-Q4, 2018 - 10,263 botnet C&Cs
- Q1-Q3, 2019 - 10,402 botnet C&Cs
Given this statistic, it will come as no surprise that in July 2019 we detected 1,587 new botnet C&C servers, a new monthly record.
Malware associated with botnet C&Cs, Q3 2019
The most notable change between Q2 and Q3 was TrickBot: we saw a 550% increase in the number of botnet C&Cs associated with this malware family. There were additional smaller changes in the malware landscape, with some families dropping out of the charts and others appearing.
Lokibot: While the number of botnet C&C servers associated with Lokibot dramatically decreased by almost 400, Lokibot remained at the top of the chart with the highest number of newly detected botnet C&Cs.
AZORult and TrickBot: AZORult was knocked off its #2 spot by TrickBot. As detailed above, TrickBot's activity increased significantly over the past three months, from 64 botnet C&Cs associated with this malware family in Q2 to 614 in Q3. The good news is that the number of newly detected botnet C&Cs associated with AZORult decreased from 771 in Q2 to only 394 in Q3.
RevengeRAT and AveMariaRAT: We said goodbye to RevengeRAT, which dropped out of the Top 20 chart and was replaced by a newcomer called AveMariaRAT. The high turnover among remote access tools (RATs) and credential stealers shows the bitter fight between malware authors to gain market share.
Baldr & IcedID: First observed in April 2019, Baldr quickly ascended to the heady heights of #14 in Q2. However, the malware's infamy was short-lived: it dropped off the chart in Q3 2019, along with IcedID, an e-banking Trojan.
Most abused top-level domains, Q3 2019
What domains do these statistics include?
Remember that we only count domain names that have been registered fraudulently for the sole purpose of hosting a botnet C&C. These statistics do not include botnet C&Cs hosted on compromised websites or domain names.
This quarter saw the number of country code top-level domains (ccTLDs) in the Top 20 list increase. Almost half of the TLDs were within the ccTLD namespace: ".ru", ".pw", ".eu", ".ga", ".tk", ".su", ".ml", ".cf" and ".me".
The leader of the chart remained the same as in Q2, the generic top-level domain (gTLD) ".com". Meanwhile the number of fraudulent domain names registered within the ccTLD ".ru" almost halved, from 731 domains in Q2 to 392 domains in Q3.
An interesting change to note is that in Q3 two more gTLDs joined ".com" in the top 3: ".net" and ".info".
Most abused domain registrars, Q3 2019
Namecheap: The US-based domain registrar "Namecheap" continued to be the favorite place for malware authors to register their botnet C&C domains.
OpenProvider: The number of fraudulently registered domain names registered through the Dutch domain registrar "OpenProvider" (aka "Hosting Concepts") almost doubled, from 188 in Q2 to 344 in Q3, placing them at #3 in the chart.
Register.com: Great work by "register.com", who appear to have improved their processes, as they no longer appeared in our Top 20 most abused domain registrars in Q3. This is in stark contrast to Q1, when they accounted for 22% of the total number of registered domains used for botnet C&Cs.
Newcomers: Newcomers to our chart of most abused domain registrars were the German domain registrar "Key Systems" and the French registrar "OVH".
Internet Service Providers (ISPs) hosting botnet C&Cs, Q3 2019
Cloudflare
While Cloudflare does not directly host any content, it provides services to botnet operators that mask the actual location of the botnet controller and protect it from DDoS attacks.
Cloudflare vs. Alibaba: We continued to see "cloudflare.com", a US-based content delivery network (CDN) provider, being one of the preferred options for cybercriminals to front botnet C&C servers. This trend has been evident since 2018. Disappointingly, we have still seen no apparent attempts by Cloudflare to battle the ongoing abuse of their network for botnet hosting and other hostile infrastructure. However, as of Q3, Cloudflare was overtaken by the Chinese cloud provider Alibaba, by a margin of just four botnet C&Cs.
A surge in the number of botnet C&Cs hosted in Russia: We saw a proliferation of botnet C&Cs hosted across various hosting providers in Russia, notably "ispserver.com", "reg.ru", "simplecloud.ru", "marosnet.ru" and "spacenet.ru". After a short period of respite, we are once again seeing cybercriminals move their infrastructure to Russian Internet service providers.
Google back in the game: In Q1 and Q2 2019, there was a minimal number of botnet C&C servers hosted on Google's network. Unfortunately, in Q3 we saw an increase in newly detected botnet C&C servers being installed on Google's cloud infrastructure. This has resulted in Google returning to our Top 20 chart.
Thanks for reading. We'll see you in 2020! Stay malware free in the meantime.
Download the Spamhaus 2019 Q3 Botnet Report as PDF