Spamhaus Botnet Threat Update: Q2-2019

In this quarter, Botnet command & control (C&C) traffic remains significantly above the monthly averages of 2018, although it would appear that in June some botnet operators have taken a vacation.

Two new credential stealers and a dropper that has been around the block have all made it onto our Top 20 list for malware families associated with botnet C&C listings. When it comes to the most abused registrar, ‘register.com’ has dropped off the Top 20 list, meanwhile, Cloudflare continues to host more botnet C&Cs than any other Internet Service Provider (ISP).

Spotlight: Free DNS provider OpenNIC drops ‘.bit’ zone

In this quarter we’re putting the spotlight on the free DNS provider OpenNIC.

OpenNIC is one of the larger free DNS providers that support the resolution of decentralized top-level domains (dTLDs). In last year’s annual Spamhaus Botnet Threat Report we raised concerns about the increase in the amount of botnet C&C domains that were registered with dTLDs. From an adversary’s perspective, using a dTLD for hosting botnet C&C servers has several advantages:

• These domain names cannot be taken down or suspended when being used for malicious purposes, because there is no governing body associated with a dTLD.
• dTLDs bypass DNS Firewalls/Response Policy Zones (RPZ) that numerous ISPs and businesses use to protect their customers/users from cyber threats.
• Researching malicious activity becomes more challenging as domain name registrations within dTLDs are usually entirely anonymous, with registrant information not being required.

These factors, as previously stated, have led to an increase in the number of new dTLD registrations being used to host botnet C&C servers, in particular, Namecoin’s dTLD ‘.bit.’ Until recently, malware authors were heavily reliant on OpenNIC to resolve their botnet C&C domain names.

In June 2019, the operators of OpenNIC took a vote as to whether they should drop the support for NameCoin’s ‘.bit.’

“Over the past year .bit domains have started being used as malware hubs due to their anonymous nature. Since there is no way to contact the owner of those domains, it creates a backscatter effect and a number of people running public T2 servers have seen domains blocklisted, emails blocked, and shutdown notices from their providers.”

86% of OpenNIC’s volunteers voted in favor of this proposal. On June 25th, 2019, OpenNIC dropped Namecoin’s ‘.bit’ domains from their zones. For malware families that purely relied on OpenNIC to resolve their ‘.bit’ botnet C&C domain names they have been dismantled and infected devices are no longer under the control of the miscreants.

Number of botnet C&Cs observed in 2019

The number of newly detected botnet C&Cs, resulting from fraudulent sign-ups, continues to stay at a very high level in 2019. We are detecting approximately 1,000 new botnet C&Cs per month. The monthly average in 2018 was 519 per month.

The exception to this trend was the month of June, where we saw a noticeable decline in the number of newly detected botnet C&Cs.

We are surmising that this is as a result of the holiday season beginning, with some botnet operators taking vacations. An excellent example of this is the notorious Emotet botnet, which silently disappeared on June 5th, 2019. We doubt that these botnets are gone for good and suspect that they will be likely to return after the holiday season comes to an end in August or September 2019.

Geolocation of botnet C&Cs in Q2 2019

There has been little change in the preferred geolocation of botnet C&C servers in Q2. The number 1 country for botnet C&C hosting remains the United States followed by Russia; however, France has knocked the Netherlands off their number 3 spot, and China has moved nine places up the leader board to number 4.

Malware associated with botnet C&Cs, Q2 2019

There has been no significant change in the threat landscape in Q2 2019 compared to Q1. The dominating malware family, in terms of newly detected botnet C&Cs, is still Lokibot, followed by AZORult. Both are credential stealers sold on hacking and underground forums.

Emotet: This quarter has seen an upswing in activity from Emotet. Initially built as an e-banking Trojan several years ago, in 2019 Emotet is becoming increasingly popular as a dropper. We believe that the botnet is being monetized using Pay-per-Install (PPI). It looks as if various threat actors are customers of Emotet PPI, for example, ‘buying’ infected machines located at small/medium businesses to drop additional malware, such as ransomware ‘Ryuk’ or ‘LockerGogga.’

New credential stealers in town: ‘Amadey’ (February 2019) and ‘Baldr’ (April 2019) are new to the threat landscape. Both are crimeware kits sold as crimeware-as-a-service on hacker and underground forums. Worryingly they have made it into our top 20 charts within just a couple of months. However, they still have to conquer competitors such as KPOTStealer and ArkeiStealer, which are being heavily utilized by miscreants to commit cyber-crime.

Most abused top-level domains, Q2 2019

In total, only five country code top-level domains (ccTLDs) made it into the Top 20 chart in Q2, 2019. All of the remaining ones are general top-level domains (gTLDs).

The leader of our chart remains the same in Q2, as in Q1: the gTLD ‘.com.’

However, ccTLD ‘.UK’, which held the number 2 spot in Q1, is nowhere to be seen in the Top 20 listings this quarter. Instead, they have been superseded with the ccTLD of Russia’ .ru’, who have more than doubled their botnet C&C listings in Q2 compared with Q1.

Another change that is noteworthy is the appearance of the ccTLD of the European Union ‘.eu’. Interestingly ‘.eu’ has had more botnet C&Cs hosted on it in Q2 2019 than the former Soviet Union’s ccTLD ‘.su’.

Most abused domain registrars, Q2 2019

Namecheap: After a short break in Q1, the US-based domain registrar Namecheap is back in number 1 position as the most abused domain registrar. In Q2, Namecheap was responsible for more fraudulent domain registrations than the next six registrars on the Top 20 list put together.

Newcomers: New additions to the charts are Openprovider from the Netherlands (#5), Google from the US (#15) and Crazy Domains from Australia (#20).

Register.com: Great work by register.com, who looks to have improved processes, as they no longer appear on our Top 20 most abused domain registrars in Q2. This is in stark comparison to Q1, where they accounted for 22% of the total number of registered domains used for botnet C&Cs.

Internet Service Providers (ISPs) hosting botnet C&Cs, Q2 2019

Cloudflare: We continue to see cloudflare.com, a US-based CDN provider, being the preferred option to host botnet C&C servers. This trend has been evident since 2018. Sadly, we have seen no attempts from Cloudflare to battle the ongoing abuse of their network for botnet hosting¹ and other hostile infrastructure.

Same threat actor, different ISP: The five ISPs; fos-vpn.org (Seychelles), stajazk.ru (Russia), gerber-edv.net (Bulgaria), anmaxx.net (Russia) and libertas-international.eu (Antigua and Barbuda ) are all operated by the same threat actor trading under different company names to remain under the radar.

Russian ISP prevalence: More than half of the top botnet C&C hosting ISPs are based in Russia. This isn’t particularly surprising given that ISPs operating in Russia are usually out of the reach of western Law Enforcement agencies. In addition to this, Russia lacks sufficient legislation, and political willingness, to fight botnet operations originating from their territory.

Thanks for reading. We'll see you again in October for Q3's update.

Download the Spamhaus 2019 Q2 Botnet Report as PDF

1. While Cloudflare does not directly host any content, it provides services to botnet operators, masking the actual location of the botnet controller and protecting it from DDoS attacks. ↩︎