
Spamhaus Botnet Threat Update: Q3-2021

Q3 has seen an enormous 82% rise in the number of new botnet command and controllers (C&Cs) identified by our research team. They have observed an explosion in the use of backdoor malware, with nefarious operators hiding behind FastFlux. In turn, this has caused several new countries and service providers to be listed in our Top 20 charts. Welcome to the Spamhaus Botnet Threat Update Q3 2021.

FastFlux on the rise again

What is FastFlux?

FastFlux is a technique used by phishers, malware authors, and botnet operators to hide the actual location of their infrastructure behind a network of compromised hosts that act as proxies, forwarding the malicious traffic to the real backend.

After analyzing this quarter’s statistics, it’s evident that FastFlux is once again growing in popularity. Here’s a quick FastFlux refresher, along with a deeper dive into how cybercriminals use it to make their infrastructure resilient against takedowns.

What makes FastFlux attractive to cybercriminals?

All FastFlux networks that are currently in business can be rented as a service on the dark web. This makes life easy for botnet operators. All they need to do is register the domains required for the botnet C&Cs and point them to the FastFlux operator’s service. FastFlux takes care of the rest, ensuring that the A records change rapidly.

Here’s an example of a FluBot botnet C&C domain hosted on a FastFlux botnet:

;; QUESTION SECTION:
;gurbngbcxheshsj.ru. IN A

;; ANSWER SECTION:
Domain TTL RecordType IP Address
gurbngbcxheshsj.ru. 150 IN A 189.165.94.67
gurbngbcxheshsj.ru. 150 IN A 124.109.61.160
gurbngbcxheshsj.ru. 150 IN A 187.190.48.60
gurbngbcxheshsj.ru. 150 IN A 115.91.217.231
gurbngbcxheshsj.ru. 150 IN A 175.126.109.15
gurbngbcxheshsj.ru. 150 IN A 175.119.10.231
gurbngbcxheshsj.ru. 150 IN A 218.38.155.210
gurbngbcxheshsj.ru. 150 IN A 179.52.22.168
gurbngbcxheshsj.ru. 150 IN A 113.11.118.155
gurbngbcxheshsj.ru. 150 IN A 14.51.96.70

As you can see, the botnet C&C domain uses ten concurrent A records with a time to live (TTL) of only 150 seconds. Monitoring these A records reveals that the underlying FastFlux botnet consists of 100 to 150 active FastFlux nodes per day.
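As an added example (not code from the Spamhaus report), the following Python scores a lookup like the one above for FastFlux indicators and counts the distinct nodes that appear across repeated lookups. The first snapshot is the answer section quoted above; the second snapshot and the benign control are constructed, with RFC 5737 test addresses standing in for newly appearing nodes, and the thresholds are assumed defaults, not Spamhaus’s.

```python
import ipaddress
import re

# Answer section taken from the dig output quoted in the report (first lookup).
FLUX_SNAPSHOT_1 = """\
gurbngbcxheshsj.ru. 150 IN A 189.165.94.67
gurbngbcxheshsj.ru. 150 IN A 124.109.61.160
gurbngbcxheshsj.ru. 150 IN A 187.190.48.60
gurbngbcxheshsj.ru. 150 IN A 115.91.217.231
gurbngbcxheshsj.ru. 150 IN A 175.126.109.15
gurbngbcxheshsj.ru. 150 IN A 175.119.10.231
gurbngbcxheshsj.ru. 150 IN A 218.38.155.210
gurbngbcxheshsj.ru. 150 IN A 179.52.22.168
gurbngbcxheshsj.ru. 150 IN A 113.11.118.155
gurbngbcxheshsj.ru. 150 IN A 14.51.96.70
"""
# Constructed second lookup ~150 s later; RFC 5737 test addresses stand in for new nodes.
FLUX_SNAPSHOT_2 = """\
gurbngbcxheshsj.ru. 150 IN A 189.165.94.67
gurbngbcxheshsj.ru. 150 IN A 14.51.96.70
gurbngbcxheshsj.ru. 150 IN A 192.0.2.10
gurbngbcxheshsj.ru. 150 IN A 198.51.100.20
gurbngbcxheshsj.ru. 150 IN A 203.0.113.30
"""
# Constructed control: a stable host with a long TTL and all addresses in one /16.
BENIGN_SNAPSHOT = "www.example.com. 3600 IN A 192.0.2.1\nwww.example.com. 3600 IN A 192.0.2.2\n"

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_a_records(text):
    """Return (name, ttl, ip) for each A record in dig-style answer lines; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), ipaddress.IPv4Address(m.group(3))))
    return out

def flux_indicators(records, max_ttl=300, min_records=5, min_prefixes=5):
    """Score one lookup: short TTL plus many A records spread over many /16 prefixes (assumed thresholds)."""
    ttl = min(r[1] for r in records)
    prefixes = {ipaddress.ip_network(f"{r[2]}/16", strict=False) for r in records}
    flagged = ttl <= max_ttl and len(records) >= min_records and len(prefixes) >= min_prefixes
    return {"ttl": ttl, "a_records": len(records), "prefixes16": len(prefixes), "suspicious": flagged}

def distinct_nodes(snapshots):
    """Union of IPs seen across repeated lookups; this is how the nodes-per-day figure is built up."""
    return len({ip for snap in snapshots for _name, _ttl, ip in parse_a_records(snap)})
```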

Usually, these nodes are compromised devices, typically Customer Premise Equipment (CPE), that are insecurely configured (e.g., running vulnerable software or using standard login credentials) and accessible directly from the internet.

These types of devices are a soft target for cybercriminals. They simply need to conduct internet-wide scans to find these vulnerable devices and compromise them. This entire process can be automated, making it quick, easy, and effective.

Operators of FastFlux botnets carefully choose the geolocation of the target devices they use for FastFlux hosting. As you’ll notice when reading through this report, many FastFlux C&C nodes are hosted in places that are relatively well “digitized,” i.e., have good internet connections but are not as advanced along the maturity curve in terms of cybersecurity.

Latin America is often a target, e.g., Brazil, Chile, Argentina, Uruguay, as are Asian countries such as Korea. The newcomers to the geolocation statistics in this update reflect this.

Number of botnet C&Cs observed, Q3 2021

In Q3 2021, Spamhaus Malware Labs identified 2,656 botnet C&Cs compared to 1,462 in Q2 2021. This was an 82% increase quarter on quarter! The monthly average increased from 487 per month in Q2 to 885 botnet C&Cs per month in Q3.

Geolocation of botnet C&Cs, Q3 2021

Given FastFlux’s influence over the past quarter, it isn’t surprising that there’s a clear pattern to the newcomers entering the chart for Q3 2021. Many of the countries joining the charts were responsible for hosting a large share of TeamBot and FluBot botnet C&C servers – using FastFlux – and fit the profile of countries with extensive internet coverage but a weaker security focus.

Significant increases in Russia

The number of botnet C&Cs located in Russia has risen dramatically. This is the second quarter-on-quarter increase that Russia has experienced:

  • Q1 to Q2 – 19% increase
  • Q2 to Q3 – 64% increase

Therefore, it comes as no surprise that in Q3 Russia overtook the United States for the #1 spot.

Continued increases across Europe

The trend that started in Q2 continued in Q3. Once again, there was an uptick in the number of botnet C&C servers hosted in various European countries, including the Netherlands (+63%), Germany (+45%), France (+34%), and Switzerland (+34%).


Malware associated with botnet C&Cs, Q3 2021

Here are the top malware families associated with newly observed botnet C&Cs in Q3 2021 *.

TeamBot and FluBot on the rise

Have you ever heard of TeamBot? Probably not. While it’s neither a new nor a severe threat, TeamBot sits at the top of the charts with FluBot; both are backdoors.

Our threat hunters believe that TeamBot and FluBot are using the same FastFlux infrastructure, rotating the same botnet C&C IP addresses every few minutes, hence the shared listing below.

This quarter, there was an explosion in backdoor malware, making it the most prevalent type of malware associated with botnet C&Cs in Q3 2021.

RedLine wins, Raccoon loses

In 2021, we’ve been observing a battle for pole position between RedLine and Raccoon, both credential stealers available for sale on the dark web. While we saw a huge increase (571%) in Raccoon botnet C&C servers in Q2 2021, RedLine malware experienced a 71% increase in Q3 2021, displacing Raccoon from its top spot.

IcedID disappears

IcedID has been relatively inactive this year, making a brief appearance at #18 in Q2 before disappearing again this quarter. The reason behind this is unknown. However, our researchers don’t believe its silence will continue indefinitely. IcedID is one of the Trojans available to ransomware groups for purchase on the dark web. These Trojans sell access to corporate networks – a very lucrative business.


Malware type comparisons between Q2 and Q3 2021

Most abused top-level domains, Q3 2021

No changes at the top of the chart

In Q3, .com and .xyz continued to stay at the top of our ranking. The situation deteriorated for these two TLDs, particularly .com, which experienced a 90% increase. We hope that VeriSign, the owner of this TLD, will take all necessary steps to improve this situation and enhance their TLD’s reputation.

Three new TLDs

Two new gTLDs and one ccTLD joined our Top 20: .club, .co and .monster. All have seen a significant increase in the number of new botnet C&C domains registered through their service.

Most abused domain registrars, Q3 2021

We observed significant increases across most of the domain registrars listed in our Top 20. China is home to the largest share of domain registrars, followed by Canada and the United States. While Canada’s and India’s share has dropped, many other listed countries have increased this quarter. *

In Q2 you saw Arsys, now you don’t

A nod of approval to Arsys, who was a new entry at #5 in Q2. They appear to have taken positive steps to ensure their TLD stays as clean as possible and dropped off the Top 20 in Q3, along with HelloChina, 1API, Name.com, and 55hl.com. Excellent work to all these registrars.

Reseller issues

In Q3, we observed the largest increases in newly registered botnet C&C domains at CentralNic (+488%), Tucows (+266%), RegRU (+252%), West263.com (+168%), and Network Solutions (+163%).

The vast majority of fraudulent domain name registrations originate from poor resellers who have inadequate or non-existent customer vetting in place.

Registrars can struggle to penalize these dirty resellers for many reasons, including poorly written Terms of Service (ToS). However, other factors may come into play, such as a vested financial interest or a fundamental lack of motivation to take responsibility for these issues.

We hope that these registrars will improve their reputation quickly by implementing stricter measures on their resellers to ensure they make an effort to fight against the registration of fraudulent domains.


Location of Most Abused Domain Registrars

Networks hosting the most newly observed botnet C&Cs, Q2 2021

As usual, there were many changes in the networks hosting newly observed botnet C&Cs. Notably, there was an influx of networks hosting FastFlux botnet C&Cs, used by cybercriminals to host backdoor malware.

Does this list reflect how abuse is dealt with at networks?

While this Top 20 listing illustrates that there may be an issue with customer vetting processes, it doesn’t reflect on the speed with which abuse desks deal with reported issues. See “Networks hosting the most active botnet C&Cs” to view networks where abuse isn’t dealt with in a timely manner.

serverion.com

We have seen a 69% increase in the number of new botnet C&C servers installed at the Dutch hosting provider serverion.com. Our researchers believe that this increase is predominantly due to their downstream customer des.capital, which tends to attract botnet operators.

Making positive changes

In last quarter’s update, we reported that a botnet hosting operation had moved from Amazon to DigitalOcean, causing the latter’s listings to rocket. We want to congratulate DigitalOcean for dropping off our Top 20 list in Q3 2021, along with other networks, including Google, who were at #2, HostSailor, Microsoft, M247, and Off Shore Racks.

Networks hosting the most active botnet C&Cs, Q3 2021

Finally, let’s take a look at the networks that hosted a large number of active botnet C&Cs in Q3 2021. Hosting providers who appear in this ranking either have an abuse problem or don’t take the appropriate action when receiving abuse reports.

An increase in botnet C&C abuse

Sadly, the situation in terms of active botnet C&C servers deteriorated for many ISPs who were on our Top 20 in Q2. ipjetable.net (FR), microsoft.com (US), vietserver.vn (VN), and openvpn (SE) all have one thing in common: instead of taking appropriate measures against the abuse on their infrastructure, the number of active botnet C&C servers increased in these networks.

uninet.net.mx & stc.com.sa

These two ISPs are new to our Top 20 this quarter and have taken the #1 and #2 spots due to the massive number of FastFlux bots hosted on their networks.

In fact, the majority of the newcomers to this chart are there because they host FastFlux bots on their networks and do not respond quickly to abuse reports. All these companies are providing a resilient botnet C&C infrastructure for botnet operators.

That’s all for now. Stay safe and see you in January!

Updated 18 Oct 2021:

  1. CobaltStrike was reported as being a Remote Access Tool when this report was originally published. We have updated this to reflect that it is Threat Emulation Software.
  2. Two registrars (NameSilo & Tucows) were reported as being US-based providers when this report was originally published. We have updated the text and data to reflect that they are based in Canada.

Download the Spamhaus Botnet Report 2021 Q3 as PDF
