Spamhaus Botnet Threat Update


Spamhaus Botnet Threat Update Q2 2021

This quarter, the Spamhaus researchers have observed a 12% reduction in newly observed botnet command and control servers (C&Cs), which is good news. However, it’s not good news for everyone; more than one industry-leading provider is suffering under the weight of active botnet C&Cs on their networks.

Welcome to the Spamhaus Botnet Threat Update Q2 2021.

What are botnet controllers?

A ‘botnet controller,’ ‘botnet C2’ or ‘botnet Command & Control’ server is commonly abbreviated to ‘botnet C&C.’ Fraudsters use these both to control malware-infected machines and to extract personal and valuable data from malware-infected victims.

Botnet C&Cs play a vital role in operations conducted by cybercriminals who are using infected machines to send out spam or ransomware, launch DDoS attacks, commit e-banking fraud or click-fraud, or to mine cryptocurrencies such as Bitcoin.

Desktop computers and mobile devices, like smartphones, aren’t the only machines that can become infected. There is an increasing number of devices connected to the internet, for example Internet of Things (IoT) devices like webcams, network attached storage (NAS) and many more items. These are also at risk of becoming infected.

Spotlight: The Emotet story continues

Yes, we know – we’re still discussing Emotet, despite its takedown in January. This is because the Emotet narrative didn’t end the moment it was taken down. Far from it. As a result of the way Emotet proliferated, through thread hijacking, millions of email accounts were left compromised and open to further exploitation by other malware and ransomware.

Spamhaus has spent the past quarter working with the FBI to assist with remediation efforts and reach out to those affected. To give you an understanding of the scale of the operation, here are some numbers:

- 1.3 million compromised email accounts
- 22,000 unique domains
- 3,000 networks

Our team has been busy contacting the relevant abuse desks, trust and safety departments, and end-users, providing them with remediation data and instructions on how to safeguard these compromised accounts.

We’re delighted to report that over 60% of those 1.3 million accounts have now been secured. It goes to show that we all have a role to play in making the internet a safer place.

What is thread hijacking?

This is where miscreants use their victim’s existing email conversations (threads) to spread malicious links or attachments to new victims. An attacker can be far more convincing and fool further victims into clicking on harmful links or downloading files by replying to an existing email thread.

Number of botnet C&Cs observed, Q2 2021

Here’s an overview of the number of newly observed botnet Command & Control servers (C&Cs) in Q2 2021. Spamhaus Malware Labs identified 1,462 botnet C&Cs compared to 1,660 in Q1 2021. This was a decrease of 12%. The monthly average dropped from 553 per month in Q1 to 487 botnet C&Cs per month in Q2.

[Chart: Number of new botnet C&Cs detected by Spamhaus per month, January to June 2021. Q1 monthly average: 553; Q2 monthly average: 487.]

Geolocation of botnet C&Cs, Q2 2021

We saw multiple changes in the geo-locations that cybercriminals used to set up new botnet C&C servers, particularly at the lower end of our Top 20 listings, where there was a raft of new entries.

Decreases across Latin America

There was a noticeable decrease in Latin American countries hosting botnet C&Cs, with Argentina and Colombia dropping off the Top 20 list and Brazil seeing a 40% decrease. The only exception to this was Panama, which was a new entry at #13.

Continued increases across Europe

Once again, we witnessed an increase in the number of European countries entering the Top 20. This included the Czech Republic, Poland, and Finland. Meanwhile, Germany, France, Latvia, and the United Kingdom all saw increases in botnet C&Cs.

New entries
Czech Republic (#11), Panama (#13), Malaysia (#15), Poland (#15), Finland (#17), Vietnam (#18).

Departures
China, Sweden, Hong Kong, Argentina, Colombia, Singapore.

Geolocation of botnet C&Cs, Q2 2021 (continued)

Top 20 locations of botnet C&Cs (only the rows readable in the source are listed; the remaining rows are unreadable)

Rank  Country          Q1 2021  Q2 2021  % change Q on Q
#1    United States    338      281      -17%
#3    Netherlands      207      168      -19%
#6    Latvia           31       84       171%
#7    United Kingdom   49       57       16%
#8    Ukraine          22       44       100%
#11   Czech Republic   -        31       New entry
#13   Panama           -        16       New entry
#15   Malaysia         -        15       New entry
#15   Poland           -        15       New entry
#17   Finland          -        14       New entry
#18   Vietnam          -        13       New entry
#20   Brazil           20       12       -40%
(rank unreadable) Seychelles   29       38       31%
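The totals, monthly averages, shared ranks and quarter-on-quarter percentages used throughout this report are simple to reproduce for your own telemetry. The Python script below is an added example, not Spamhaus code: it runs on a constructed list of (month, country) sightings rather than real Spamhaus data, and it assumes competition ranking for ties (equal counts share a rank and the following rank is skipped), which is what the report's repeated ranks such as the two #15 entries imply.

```python
"""Quarter-on-quarter botnet C&C statistics (added example, not Spamhaus code).

Reproduces the arithmetic behind the report's tables: quarterly totals and
monthly averages, a ranked Top-N per country with shared ranks for ties,
the % change column, and the "New entries" / "Departures" lists.
"""
from collections import Counter

# Constructed sample input: one (year-month, country) pair per newly observed
# botnet C&C. These counts are made up for illustration and are NOT Spamhaus data.
SIGHTINGS = [
    ("2021-01", "US"), ("2021-01", "US"), ("2021-01", "NL"), ("2021-01", "AR"),
    ("2021-02", "US"), ("2021-02", "NL"), ("2021-02", "RU"), ("2021-02", "AR"),
    ("2021-03", "US"), ("2021-03", "RU"), ("2021-03", "NL"),
    ("2021-04", "US"), ("2021-04", "RU"), ("2021-04", "CZ"),
    ("2021-05", "US"), ("2021-05", "RU"), ("2021-05", "NL"), ("2021-05", "CZ"),
    ("2021-06", "RU"), ("2021-06", "NL"), ("2021-06", "PA"),
]

QUARTERS = {
    "Q1": ("2021-01", "2021-02", "2021-03"),
    "Q2": ("2021-04", "2021-05", "2021-06"),
}


def quarter_totals(sightings, quarters):
    """Total newly observed C&Cs per quarter and the monthly average."""
    by_month = Counter(month for month, _ in sightings)
    result = {}
    for quarter, months in quarters.items():
        total = sum(by_month[m] for m in months)
        result[quarter] = {"total": total, "monthly_avg": round(total / len(months), 1)}
    return result


def country_counts(sightings, months):
    """Number of newly observed C&Cs per country within the given months."""
    return dict(Counter(country for month, country in sightings if month in months))


def rank(counts):
    """Competition ranking: equal counts share a rank and the next rank is
    skipped, which is how a table ends up with two #15 entries and no #16."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ranks, prev_count, prev_rank = {}, None, 0
    for position, (country, count) in enumerate(ordered, start=1):
        if count != prev_count:
            prev_rank, prev_count = position, count
        ranks[country] = prev_rank
    return ranks


def pct_change(old, new):
    """Rounded % change; a country with no previous count is a new entry."""
    if old is None:
        return "New entry"
    return f"{round((new - old) / old * 100)}%"


def compare_quarters(sightings, quarters, prev="Q1", cur="Q2", top_n=20):
    """Rows of the Top-N table for `cur`, each with both counts and the change."""
    prev_counts = country_counts(sightings, quarters[prev])
    cur_counts = country_counts(sightings, quarters[cur])
    rows = []
    for country, r in sorted(rank(cur_counts).items(), key=lambda kv: (kv[1], kv[0])):
        if r > top_n:
            break
        rows.append({
            "rank": r,
            "country": country,
            prev: prev_counts.get(country),
            cur: cur_counts[country],
            "change": pct_change(prev_counts.get(country), cur_counts[country]),
        })
    return rows


def top_movers(sightings, quarters, prev="Q1", cur="Q2", top_n=20):
    """Countries that entered or left the Top-N between the two quarters."""
    prev_top = {c for c, r in rank(country_counts(sightings, quarters[prev])).items() if r <= top_n}
    cur_top = {c for c, r in rank(country_counts(sightings, quarters[cur])).items() if r <= top_n}
    return {"new_entries": sorted(cur_top - prev_top), "departures": sorted(prev_top - cur_top)}


if __name__ == "__main__":
    for quarter, stats in quarter_totals(SIGHTINGS, QUARTERS).items():
        print(f"{quarter}: {stats['total']} C&Cs, monthly average {stats['monthly_avg']}")
    print(f"{'Rank':<5}{'Country':<9}{'Q1':>4}{'Q2':>4}  Change")
    for row in compare_quarters(SIGHTINGS, QUARTERS):
        q1 = "-" if row["Q1"] is None else row["Q1"]
        print(f"#{row['rank']:<4}{row['country']:<9}{q1:>4}{row['Q2']:>4}  {row['change']}")
    print(top_movers(SIGHTINGS, QUARTERS, top_n=3))
```

Feeding the script real sightings is a matter of replacing SIGHTINGS with (month, attribute) pairs from your own feed; the same functions work unchanged for malware family, TLD, registrar or hosting network, since they only count and rank the second element of each pair.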

Malware associated with botnet C&Cs, Q2 2021

Let’s start with the good news. After the laudable Emotet botnet takedown in Q1 2021, we are pleased to report that no activity from Emotet has been observed.

Dropper popularity increasing

In Q2 there was a shift away from credential stealers and remote access tools (RATs) to droppers.

What is a dropper?

Droppers conceal code to enable malware to escape detection by virus scanners, i.e. they silently drop the malware onto the targeted system.

Raccoon rapidly reaches #1

Raccoon only made its first appearance in our Top 20 last quarter at #8. In Q2, it’s flown up the charts to take pole position.

Credential stealers for sale

Not only is the aforementioned credential stealer, Raccoon, available for purchase on the dark web, but so are the likes of RedLine and Oski, which were new entries to our charts this quarter. Given the ease of access, it comes as no surprise to see the popularity of these malware growing.

New entries
Oski (#7), Tofsee (#11), STRRAT (#15), CryptBot (#16), CobaltStrike (#17), ServHelper (#18), IcedID (#18).

Departures
Emotet, NetWire, AveMaria, FickerStealer, AZORult, TriumpLoader, Hancitor.

Malware associated with botnet C&Cs, Q2 2021 (continued)

Malware families associated with botnet C&Cs (the malware-type column is unreadable in the source and is omitted; #1 Raccoon and #2 RedLine are listed with their figures unreadable)

Rank  Malware       Q1 2021  Q2 2021  % change
#1    Raccoon       (unreadable)
#2    RedLine       (unreadable)
#3    AsyncRAT      69       83       20%
#4    Loki          83       66       -20%
#5    Gozi          38       43       13%
#6    BitRAT        33       42       27%
#7    Oski          -        28       New entry
#8    Vjw0rm        18       26       44%
#9    NjRAT         36       24       -33%
#9    RemcosRAT     124      24       -81%
#11   NanoCore      68       23       -66%
#11   AgentTesla    55       23       -58%
#11   Tofsee        -        23       New entry
#14   Arkei         39       19       -51%
#15   STRRAT        -        17       New entry
#16   CryptBot      -        16       New entry
#17   CobaltStrike  -        15       New entry
#18   ServHelper    -        14       New entry
#18   IcedID        -        14       New entry

Malware type comparisons between Q1 and Q2 2021 (share of botnet C&Cs, Q1 2021 -> Q2 2021)

e-banking Trojan           3.45%  -> 2.56%
Credential Stealer         26.27% -> 23.72%
Dropper                    27.91% -> 34.94%
Remote Access Tool (RAT)   42.36% -> 38.78%

Most abused top-level domains, Q2 2021

.com

For Q2 2021, the gTLD .com once again made it to the top of our ranking. Moreover, the number of newly registered botnet C&C domains observed on .com increased by 166%, from 1,549 to 4,113!

.xyz

With a vast 114% upsurge this quarter, it comes as no surprise that gTLD .xyz has replaced gTLD .top in the #2 spot.

Country code TLDs

Only two ccTLDs were new to the Top 20 this quarter, with .br entering at #5 and .cn at #12. Meanwhile, three ccTLDs improved their reputation and departed the list: .us, .de & .la.

Top-level domains (TLDs) – a brief overview

There are several different top-level domains, including:

- Generic TLDs (gTLDs) – can be used by anyone
- Country code TLDs (ccTLDs) – some have restricted use within a particular country or region; however, others are licensed for general use, giving the same functionality as gTLDs
- Decentralized TLDs (dTLDs) – independent top-level domains that are not under the control of ICANN

New entries
buzz (#3), br (#5), vip (#6), cloud (#10), cn (#12), online (#16), live (#17).

Departures
me, biz, cc, us, la, co, de.

Most abused top-level domains, Q2 2021 (continued)

Top abused TLDs – number of domains (rows unreadable in the source are omitted; .com and .xyz figures are taken from the text above)

Rank  TLD     Type                                    Q1 2021  Q2 2021  % change
#1    com     gTLD                                    1,549    4,113    166%
#2    xyz     gTLD                                    (unreadable)      114%
#3    buzz    gTLD                                    -        662      New entry
#4    top     gTLD                                    622      607      -2%
#5    br      ccTLD                                   -        208      New entry
#6    vip     gTLD                                    -        175      New entry
#7    org     gTLD                                    83       157      89%
#8    ru      ccTLD                                   114      151      32%
#9    net     gTLD                                    72       146      103%
#10   cloud   gTLD                                    -        141      New entry
#11   tk      Originally ccTLD, now effectively gTLD  124      140      13%
#12   cn      ccTLD                                   -        139      New entry
#15   ml      Originally ccTLD, now effectively gTLD  106      104      -2%
#16   online  gTLD                                    -        86       New entry
#17   live    gTLD                                    -        81       New entry
(rank unreadable) cf  ccTLD                           82       73       -11%

Most abused domain registrars, Q2 2021

After many years with no change at the top of our registrar reputation rankings, we finally have some movement!

NameSilo

We saw an enormous 594% increase of newly registered botnet C&C domains at the US domain registrar NameSilo, knocking Namecheap off their #1 ranking. This was quite a feat considering that Namecheap saw a 52% increase in newly registered botnet C&C domains. These are huge numbers!

Germany and China

It was not only US-based registrars who saw significant increases in Q2. The two German-based domain registrars, Key Systems (56%) and 1API (254%), also experienced growth in the number of botnet domains registered through their services, as did almost all the Chinese registrars listed below, including eName Technology, who entered our Top 20 at #3.

New entries
eName Technology (#3), Arsys (#5), Xin Net (#10), CentralNic (#11), Network Solutions (#14).

Departures
101 Domains, Bizcn, OnlineNIC, OVH, NameBright.

Most abused domain registrars, Q2 2021 (continued)

Most abused domain registrars – number of domains (rows unreadable in the source are omitted)

Rank  Registrar          Country         Q1 2021  Q2 2021  % change
#1    NameSilo           United States   259      1,797    594%
#2    Namecheap          United States   628      955      52%
#3    eName Technology   China           -        526      New entry
#4    Alibaba            China           85       504      493%
#5    Arsys              Spain           -        237      New entry
#6    Eranet                             384      215      -44%
#9    HiChina            China           33       134      306%
#10   Xin Net            China           -        125      New entry
#11   CentralNic         United Kingdom  -        112      New entry
#12   (name unreadable)                  26       110      323%
#12   (name unreadable)                  29       110      279%
#14   Network Solutions  United States   -        101      New entry
#15   1API               Germany         28       99       254%
#16   Key Systems        Germany         59       92       56%
#18   Name.com           United States   35       89       154%

Also listed in the table, with figures unreadable in the source: REG.RU (Russia) and 22net (China).

[Chart: Location of most abused registrars, number of botnet C&C domains by registrar country. Readable values: India 188, Russia 135, United Kingdom 112, Singapore 91; total 5,773. The United States figure is unreadable.]

Networks hosting the most newly observed botnet C&Cs, Q2 2021

There is always lots of change in those hosting the most newly observed botnet C&Cs. This quarter was no exception.

Bulletproof hosting operation

In Q2, one of the most extensive bulletproof hosting operations moved from Amazon to DigitalOcean. As a result, the amount of newly observed botnet C&Cs at Amazon rapidly decreased. Conversely, there was a sudden increase in new botnet C&Cs hosted at DigitalOcean.

Microsoft.com

We have seen microsoft.com (US) enter the Top 20. We have observed them hosting a significant amount of Vjw0rm and BitRAT botnet C&Cs.

New entries
nano.lv (#6), mgnhost.ru (#8), baxet.ru (#10), ipjetable.net (#11), digitalocean.com (#12), internet.it (#14), hostsailor.com (#16), microsoft.com (#17), m247.ro (#8), offshoreracks.com (#19), mivocloud.com (#19).

Departures
intersec.host, amazon.com, endurance.com, choopa.com, combahton.net, leaseweb.com, linode.com, ispserver.com, colocrossing.com, dedipath.com, msk.host.

Networks hosting the most newly observed botnet C&Cs, Q2 2021 (continued)

Newly observed botnet C&Cs per network (rows unreadable in the source are omitted; countries are given only where readable)

Rank  Network            Country           Q1 2021       Q2 2021  % change
(rank unreadable) google.com  United States (unreadable)  74       40%
#5    itldc.com          Ukraine           23            53       130%
#6    nano.lv            Latvia            -             49       New entry
#7    privacyfirst.sh                      131           48       -63%
#8    mgnhost.ru                           -             47       New entry
#10   baxet.ru           Russia            -             40       New entry
#11   ipjetable.net      France            -             35       New entry
#12   cloudflare.com                       45            29       -36%
#12   digitalocean.com   United States     -             29       New entry
#14   internet.it                          -             28       New entry
#15   (name unreadable)                    26            26       0%
#16   hostsailor.com     U. Arab Emirates  -             25       New entry
#17   microsoft.com      United States     -             22       New entry
#18   (see note)                           -             21       New entry
#19   (see note)                           -             16       New entry
#19   (see note)                           -             16       New entry

Note: the three new entries at #18 and #19 are m247.ro (Romania), offshoreracks.com (Panama) and mivocloud.com (Moldova); which of them holds #18 is unreadable in the source. alibaba-inc.com (China) also appears in the table with its figures unreadable.

Networks hosting the most active botnet C&Cs, Q2 2021

Finally, let’s take a look at the networks that hosted a large number of active botnet C&Cs in Q2 2021. Hosting providers who appear in this ranking either have an abuse problem or do not take the appropriate action when they receive abuse reports.

Eliteteam.to

This is a bulletproof hosting company purporting to be located in the Seychelles. In reality, they more than likely operate out of Russia.

Microsoft.com and google.com

It is evident that Microsoft is struggling with the amount of abuse generated on its Azure cloud platform. Likewise, google.com is equally besieged with abuse reports.

Well done to the departures!

We want to acknowledge all those who have departed from this list – it’s good to see the number of active botnet C&Cs reducing on your network. Nice work!

New entries
m247.ro (#12), eliteteam.to (#13), mgnhost.ru (#13), unusinc.com (#17).

Departures
mail.ru, digitalocean.com, eurobyte.ru, telstra.com.

Networks hosting the most active botnet C&Cs, Q2 2021 (continued)

Total number of active botnet C&Cs per network (rows unreadable in the source are omitted; the column headings are as printed in the source)

Rank  Network        Country         Q4 2020       Q1 2021       % change
(rank unreadable) microsoft.com  United States  (unreadable)  50  16%
#10   une.net.co     Colombia        17            17            0%
#12   m247.ro                        -             15            New entry
#13   eliteteam.to                   -             13            New entry
#13   mgnhost.ru                     -             13            New entry
#17   unusinc.com                    -             (unreadable)  New entry

Also listed in the table, with figures unreadable in the source: google.com (United States), charter.com (United States) and inmotionhosting.com (United States).

That’s all for now. Stay safe and see you in October!
