
Spamhaus Botnet Threat Update: Q2-2019

2019-07-15 11:50:38 UTC   |   by Spamhaus Malware Labs   |   Category:  malware, cybercrime, botnets

Botnet command & control (C&C) activity this quarter remains significantly above the 2018 monthly average, although it would appear that in June some botnet operators took a vacation.

Two new credential stealers, and a dropper that has been around the block, have all made it onto our Top 20 list of malware families associated with botnet C&C listings. Among the most abused registrars, register.com has dropped off the Top 20; meanwhile, Cloudflare continues to host more botnet C&Cs than any other Internet Service Provider (ISP).

Spotlight: Free DNS provider OpenNIC drops ‘.bit’ zone

In this quarter we’re putting the spotlight on the free DNS provider OpenNIC.

OpenNIC is one of the larger free DNS providers that resolve decentralized top-level domains (dTLDs), i.e. TLDs that do not exist in the ICANN root and can only be resolved through alternative DNS servers. In last year’s annual Spamhaus Botnet Threat Report we raised concerns about the increase in the number of botnet C&C domains registered under dTLDs. From an adversary’s perspective, using a dTLD to host botnet C&C servers has several advantages:

  • These domain names cannot be taken down or suspended when they are used for malicious purposes, because no governing body or registry is responsible for a dTLD.
  • dTLD names bypass the DNS Firewalls/Response Policy Zones (RPZ) that numerous ISPs and businesses use to protect their customers/users from cyber threats: an organization’s own resolver cannot resolve these names, so the malware queries third-party resolvers such as OpenNIC directly and the RPZ never sees the lookup.
  • Researching malicious activity becomes more challenging, as domain name registrations within dTLDs are usually entirely anonymous, with no registrant information required.

These factors, as previously stated, have led to an increase in the number of new dTLD registrations used to host botnet C&C servers, in particular within Namecoin’s dTLD ‘.bit’. Until recently, malware authors were heavily reliant on OpenNIC to resolve their botnet C&C domain names.

In June 2019, the operators of OpenNIC put to a vote whether they should drop support for Namecoin’s ‘.bit’. The proposal stated:

“Over the past year .bit domains have started being used as malware hubs due to their anonymous nature. Since there is no way to contact the owner of those domains, it creates a backscatter effect and a number of people running public T2 servers have seen domains blacklisted, emails blocked, and shutdown notices from their providers.”

86% of OpenNIC’s volunteers voted in favor of the proposal, and on June 25th, 2019, OpenNIC dropped Namecoin’s ‘.bit’ domains from its zones. Malware families that relied purely on OpenNIC to resolve their ‘.bit’ botnet C&C domain names have been dismantled as a result: their infected devices are no longer under the control of the miscreants. Families with a fallback resolver or an alternative C&C channel are, by the same logic, not affected.
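The two bypass properties described in the spotlight above also suggest the checks a defender can run regardless of what OpenNIC does. The script below is an added example for this article, not Spamhaus or OpenNIC code. It scans BIND-style resolver query logs for lookups whose top-level label is a dTLD (a bot that uses the system resolver still asks for the ‘.bit’ name; since June 25th it simply gets NXDOMAIN, but the lookup still identifies the infected host), and it scans a connection log for DNS traffic to resolvers outside an approved set (a bot that carries its own OpenNIC resolver list never touches the corporate resolver, so that is the only place the bypass shows). The log lines, the corporate resolvers 10.0.0.53/10.0.1.53 and the C&C name are constructed; ‘.bit’ is from the article, while ‘.geek’ and ‘.libre’ are assumed OpenNIC TLDs that you should verify before relying on them.

```python
"""Spot hosts that resolve decentralised-TLD (dTLD) names such as Namecoin's
'.bit', the trick the article says lets botnet C&C traffic slip past RPZ.

Added example for this article; not Spamhaus or OpenNIC code. Assumptions:
DNS lines use BIND 9's 'queries' log format; connection lines are a constructed
CSV export (src,dst,dport,proto); 10.0.0.53/10.0.1.53 are a hypothetical
corporate resolver pair; every entry in DTLD_LABELS other than 'bit' (the only
dTLD the article names) is an assumed OpenNIC TLD to verify for your own use.
"""
import csv
import re
from collections import defaultdict

# Top-level labels that ICANN-rooted resolvers cannot resolve.
DTLD_LABELS = {"bit", "geek", "libre"}   # 'bit' from the article; others assumed

# Resolvers clients may use (hypothetical). Any other port-53 destination means
# the client is going around the RPZ enforced on these resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# BIND 9 'queries' category, e.g.
#   client 10.0.5.7#51234 (c2.example.bit): query: c2.example.bit IN A + (10.0.0.53)
# Newer BIND versions insert '@0x...' after 'client'; the optional group absorbs it.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<qname>[^)]+)\): query: (?P=qname) IN (?P<qtype>[A-Z0-9]+) "
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_dtld(name):
    """True when the top-level label is a dTLD ('cdn.exhibit' does not match 'bit')."""
    return normalize(name).split(".")[-1] in DTLD_LABELS


def flag_dtld_queries(query_log_lines):
    """(client, qname, qtype) for every dTLD lookup that reached the corporate
    resolver. Such bots use the system resolver; since OpenNIC dropped '.bit'
    they get NXDOMAIN, but the lookup still identifies the infected host."""
    hits = []
    for line in query_log_lines:
        m = QUERY_RE.search(line)
        if m and is_dtld(m.group("qname")):
            hits.append((m.group("src"), normalize(m.group("qname")), m.group("qtype")))
    return hits


def flag_rogue_resolver_use(conn_log_lines, approved=APPROVED_RESOLVERS):
    """(client, resolver) for DNS sent to resolvers outside the approved set.
    Malware carrying its own resolver list (e.g. OpenNIC servers) never reaches
    the RPZ, so this is the only place that bypass is visible."""
    hits = []
    for row in csv.DictReader(conn_log_lines):
        if row["dport"] == "53" and row["dst"] not in approved:
            hits.append((row["src"], row["dst"]))
    return hits


def build_report(query_log_lines, conn_log_lines):
    """Merge both signals into {client: sorted findings}."""
    findings = defaultdict(set)
    for src, qname, qtype in flag_dtld_queries(query_log_lines):
        findings[src].add(f"dTLD lookup {qname} ({qtype})")
    for src, dst in flag_rogue_resolver_use(conn_log_lines):
        findings[src].add(f"DNS to non-approved resolver {dst}")
    return {src: sorted(f) for src, f in findings.items()}


# Constructed sample data (RFC 5737 addresses, invented names), not real logs.
QUERY_LOG = """\
25-Jun-2019 10:12:01.123 client 10.0.5.7#51234 (c2.example.bit): query: c2.example.bit IN A + (10.0.0.53)
25-Jun-2019 10:12:02.456 client 10.0.5.8#40021 (www.spamhaus.org): query: www.spamhaus.org IN A + (10.0.0.53)
25-Jun-2019 10:12:03.789 client 10.0.5.9#40022 (cdn.exhibit): query: cdn.exhibit IN A + (10.0.0.53)
25-Jun-2019 10:12:04.000 client @0x7f3a1c001234 10.0.5.7#51235 (C2.EXAMPLE.BIT.): query: C2.EXAMPLE.BIT. IN AAAA + (10.0.0.53)
"""

CONN_LOG = """\
src,dst,dport,proto
10.0.5.7,203.0.113.5,53,udp
10.0.5.8,10.0.0.53,53,udp
10.0.5.9,10.0.0.53,53,tcp
10.0.5.10,198.51.100.7,53,udp
10.0.5.10,198.51.100.7,443,tcp
"""

if __name__ == "__main__":
    report = build_report(QUERY_LOG.splitlines(), CONN_LOG.splitlines())
    for client, findings in sorted(report.items()):
        print(client)
        for finding in findings:
            print("  -", finding)
```

Run it as-is to print the per-host findings from the sample data, or feed it real named query-log lines and a CSV export from your firewall or flow collector. The resolver check only works where port-53 egress is restricted or at least logged, and it will not catch DNS carried over HTTPS on port 443, so pair it with an egress policy that forces clients through the RPZ-protected resolvers.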

Number of botnet C&Cs observed in 2019

The number of newly detected botnet C&Cs, resulting from fraudulent sign-ups, remains very high in 2019: we are detecting approximately 1,000 new botnet C&Cs per month, against a monthly average of 519 in 2018.

The exception to this trend was the month of June, where we saw a noticeable decline in the number of newly detected botnet C&Cs.

We surmise that this is a result of the holiday season beginning, with some botnet operators taking vacations. A prime example is the notorious Emotet botnet, which silently went quiet on June 5th, 2019. We doubt that these botnets are gone for good and expect them to return once the holiday season ends in August or September 2019.

Botnet controller listings per month

Geolocation of botnet C&Cs in Q2 2019

There has been little change in the preferred geolocation of botnet C&C servers in Q2. The number 1 country for botnet C&C hosting remains the United States, followed by Russia; however, France has knocked the Netherlands off the number 3 spot, and China has moved up nine places to number 4.

Geolocation of botnet C&Cs map
Geolocation of botnet C&Cs table

Malware associated with botnet C&Cs, Q2 2019

There has been no significant change in the threat landscape in Q2 2019 compared to Q1. The dominating malware family, in terms of newly detected botnet C&Cs, is still Lokibot, followed by AZORult. Both are credential stealers sold on hacking and underground forums.

Emotet: This quarter has seen an upswing in activity from Emotet. Initially built as an e-banking Trojan several years ago, in 2019 Emotet is becoming increasingly popular as a dropper. We believe that the botnet is being monetized using Pay-per-Install (PPI). It looks as if various threat actors are customers of Emotet PPI, for example ‘buying’ infected machines located at small/medium businesses to drop additional malware, such as the ransomware families ‘Ryuk’ or ‘LockerGoga’.

New credential stealers in town: ‘Amadey’ (February 2019) and ‘Baldr’ (April 2019) are new to the threat landscape. Both are crimeware kits sold as crimeware-as-a-service on hacker and underground forums. Worryingly, they have made it into our Top 20 charts within just a couple of months. However, they still trail competitors such as KPOTStealer and ArkeiStealer, which are being heavily utilized by miscreants to commit cyber-crime.

Top malware families associated with C&C listings (chart and table)

Most abused top-level domains, Q2 2019

In total, only five country code top-level domains (ccTLDs) made it into the Top 20 chart in Q2 2019. All of the remaining ones are generic top-level domains (gTLDs).

The leader of our chart remains the same in Q2 as in Q1: the gTLD ‘.com’.

However, the ccTLD ‘.uk’, which held the number 2 spot in Q1, is nowhere to be seen in the Top 20 this quarter. It has been superseded by Russia’s ccTLD ‘.ru’, whose botnet C&C listings more than doubled in Q2 compared with Q1.

Another noteworthy change is the appearance of the European Union’s ccTLD ‘.eu’. Interestingly, ‘.eu’ hosted more botnet C&Cs in Q2 2019 than the former Soviet Union’s ccTLD ‘.su’.

Top abused TLDs (chart and table)

Most abused domain registrars, Q2 2019

Namecheap: After a short break in Q1, the US-based domain registrar Namecheap is back in number 1 position as the most abused domain registrar. In Q2, Namecheap was responsible for more fraudulent domain registrations than the next six registrars on the Top 20 list put together.

Newcomers: New additions to the charts are Openprovider from the Netherlands (#5), Google from the US (#15) and Crazy Domains from Australia (#20).

Register.com: Great work by register.com, which looks to have improved its processes, as it no longer appears in our Top 20 most abused domain registrars in Q2. This is in stark contrast to Q1, when it accounted for 22% of the total number of registered domains used for botnet C&Cs.

Most abused domain registrars – number of domains (graph and table)

Internet Service Providers (ISPs) hosting botnet C&Cs, Q2 2019

Cloudflare: We continue to see cloudflare.com, a US-based CDN provider, being the preferred option to host botnet C&C servers. This trend has been evident since 2018. Sadly, we have seen no attempts from Cloudflare to battle the ongoing abuse of its network for botnet hosting¹ and other hostile infrastructure.

Same threat actor, different ISP: The five ISPs fos-vpn.org (Seychelles), stajazk.ru (Russia), gerber-edv.net (Bulgaria), anmaxx.net (Russia) and libertas-international.eu (Antigua and Barbuda) are all operated by the same threat actor, trading under different company names to stay under the radar.

Russian ISP prevalence: More than half of the top botnet C&C hosting ISPs are based in Russia. This isn’t particularly surprising, given that ISPs operating in Russia are usually out of the reach of Western law enforcement agencies. In addition, Russia lacks sufficient legislation, and the political will, to fight botnet operations originating from its territory.

Total botnet C&C hosting numbers by ISP (chart and table)

Thanks for reading. We'll see you again in October for Q3's update.

Download the Spamhaus 2019 Q2 Botnet Report as PDF


  1. While Cloudflare does not directly host any content, it provides services to botnet operators, masking the actual location of the botnet controller and protecting it from DDoS attacks.


Permanent link to this news article:
http://www.spamhaus.org/news/article/785/spamhaus-botnet-threat-update-q2-2019
