This quarter, the Spamhaus researchers have observed a 12% reduction in newly observed botnet command and control servers (C&Cs), which is good news. However, it’s not good news for everyone; more than one industry-leading provider is suffering under the weight of active botnet C&Cs on their networks.
Welcome to the Spamhaus Botnet Threat Update Q2 2021.
The Emotet story continues
What is thread hijacking?
This is where miscreants use their victim’s existing email conversations (threads) to spread malicious links or attachments to new victims. An attacker can be far more convincing and fool further victims into clicking on harmful links or downloading files by replying to an existing email thread.
Yes, we know – we’re still discussing Emotet, despite its takedown in January. This is because the Emotet narrative didn’t end the moment it was taken down. Far from it.
As a result of the way Emotet proliferated, through thread hijacking, millions of email accounts were left compromised and open to further exploitation by other malware and ransomware.
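The thread-hijacking pattern described above can be turned into a triage signal on the receiving side. The following is an added example written for this post, not Spamhaus code: it assumes the earlier messages of a thread are available from a mail archive keyed by Message-ID (here a constructed in-memory dictionary with hypothetical addresses), and it flags a reply whose sender never took part in the thread it references when that reply also carries an attachment or a link.

```python
"""Thread-hijacking triage heuristic (added example, not Spamhaus code).

Assumption: earlier messages of a thread can be looked up by Message-ID.
A reply is scored as suspicious when its sender was not a participant of
the thread it references AND it carries an attachment or a URL.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample thread (hypothetical addresses): two legitimate messages.
THREAD_ARCHIVE = {
    "<a1@corp.example>": """From: Alice Smith <alice@corp.example>
To: Bob Jones <bob@partner.example>
Subject: Q2 invoice
Message-ID: <a1@corp.example>
Content-Type: text/plain

Hi Bob, the Q2 invoice is on its way.
""",
    "<b1@partner.example>": """From: Bob Jones <bob@partner.example>
To: Alice Smith <alice@corp.example>
Subject: Re: Q2 invoice
Message-ID: <b1@partner.example>
In-Reply-To: <a1@corp.example>
References: <a1@corp.example>
Content-Type: text/plain

Thanks Alice, looking forward to it.
""",
}

# Constructed hijacked reply: quotes the thread, reuses Alice's display name
# from a look-alike domain, and carries a document attachment.
HIJACKED_REPLY = """From: Alice Smith <alice@corp-example.net>
To: Bob Jones <bob@partner.example>
Subject: Re: Q2 invoice
Message-ID: <x9@corp-example.net>
In-Reply-To: <b1@partner.example>
References: <a1@corp.example> <b1@partner.example>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Bob, please open the attached invoice.
--B
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"

(constructed placeholder for attachment bytes)
--B--
"""


def participants(msg: Message) -> dict:
    """Map lower-cased address -> lower-cased display name for everyone on the message."""
    found = {}
    for hdr in ("From", "To", "Cc", "Reply-To"):
        for name, addr in getaddresses(msg.get_all(hdr, [])):
            if addr:
                found[addr.lower()] = name.strip().lower()
    return found


def referenced_ids(msg: Message) -> set:
    """Message-IDs this message claims to be a reply to."""
    ids = set()
    for hdr in ("In-Reply-To", "References"):
        ids.update(msg.get(hdr, "").split())
    return ids


def has_attachment_or_link(msg: Message) -> bool:
    """True if any MIME part is an attachment or a text body contains a URL."""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            return True
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if URL_RE.search(body.decode("utf-8", errors="replace")):
                return True
    return False


def assess_reply(raw: str, archive: dict) -> dict:
    """Score one inbound message against the thread it references."""
    msg = message_from_string(raw)
    refs = referenced_ids(msg)
    if not refs:
        return {"verdict": "not-a-reply", "signals": []}

    known = {}  # addr -> display name, gathered from the referenced messages
    for mid in refs:
        if mid in archive:
            known.update(participants(message_from_string(archive[mid])))

    froms = getaddresses(msg.get_all("From", []))
    sender_name, sender_addr = froms[0] if froms else ("", "")
    sender_addr = sender_addr.lower()
    signals = []
    if sender_addr not in known:
        signals.append("sender-not-in-thread")
        if sender_name.strip().lower() in known.values():
            signals.append("display-name-matches-participant")
    if has_attachment_or_link(msg):
        signals.append("attachment-or-link")

    suspicious = "sender-not-in-thread" in signals and "attachment-or-link" in signals
    return {"verdict": "suspicious" if suspicious else "ok", "signals": signals}


if __name__ == "__main__":
    print(assess_reply(HIJACKED_REPLY, THREAD_ARCHIVE))
    print(assess_reply(THREAD_ARCHIVE["<b1@partner.example>"], THREAD_ARCHIVE))
```

Two caveats for anyone adapting this. A colleague legitimately added to a thread also trips the "sender-not-in-thread" signal, so the verdict belongs in triage, not in a blocking rule. More importantly, when the hijacked account itself sends the reply (the compromised mailbox, rather than a look-alike address), the sender is a genuine participant and only the attachment-or-link signal fires; that case needs the account-side remediation the post goes on to describe, not just inbound filtering.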
Spamhaus has spent the past quarter working with the FBI to assist with remediation efforts and reach out to those affected. To give you an understanding of the scale of the operation, here are some numbers:
- 1.3 million compromised email accounts
- 22,000 unique domains
- 3,000 networks
Our team has been busy contacting the relevant abuse desks, trust and safety departments, and end-users, providing them with remediation data and instructions on how to safeguard these compromised accounts. We’re delighted to report that over 60% of those 1.3 million accounts have now been secured. It goes to show that we all have a role to play in making the internet a safer place.
Number of botnet C&Cs observed, Q2 2021
Here’s an overview of the number of newly observed botnet Command & Control servers (C&Cs) in Q2 2021. Spamhaus Malware Labs identified 1,462 botnet C&Cs compared to 1,660 in Q1 2021. This was a decrease of 12%. The monthly average dropped from 553 per month in Q1 to 487 botnet C&Cs per month in Q2.
Geolocation of botnet C&Cs, Q2 2021
We saw multiple changes in the geo-locations that cybercriminals used to set up new botnet C&C servers, particularly at the lower end of our Top 20 listings, where there was a raft of new entries.
Decreases across Latin America
There was a noticeable decrease in Latin American countries hosting botnet C&Cs, with Argentina and Colombia dropping off the Top 20 list and Brazil seeing a 40% decrease. The only exception to this was Panama, which was a new entry at #13.
Continued increases across Europe
Once again, we witnessed an increase in the number of European countries entering the Top 20. This included the Czech Republic, Poland, and Finland. Meanwhile, Germany, France, Latvia, and the United Kingdom all saw increases in botnet C&Cs.
Malware associated with botnet C&Cs, Q2 2021
Let’s start with the good news. After the laudable Emotet botnet takedown in Q1 2021, we are pleased to report that no activity from Emotet has been observed.
Dropper popularity increasing
In Q2 there was a shift away from credential stealers and remote access tools (RATs) to droppers.
Raccoon rapidly reaches #1
Raccoon only made its first appearance in our Top 20 last quarter at #8. In Q2, it’s flown up the charts to take pole position.
Credential stealers for sale
Not only is the aforementioned credential stealer, Raccoon, available for purchase on the dark web, but so are the likes of RedLine and Oski, which were new entries to our charts this quarter. Given how easy they are to obtain, it comes as no surprise to see these malware families growing in popularity.
Most abused top-level domains, Q2 2021
For Q2 2021, the gTLD .com once again came out at the top of our ranking. Moreover, the number of newly registered botnet C&C domains observed on .com increased by 166%, from 1,549 to 4,113!
With a vast 114% upsurge this quarter, it comes as no surprise that gTLD .xyz has replaced gTLD .top in the #2 spot.
Country code TLDs
Only two ccTLDs were new to the Top 20 this quarter, with .br entering at #5 and .cn at #12. Meanwhile, three ccTLDs improved their reputation and departed the list: .us, .de and .la.
Most abused domain registrars, Q2 2021
After many years with no change at the top of our registrar reputation rankings, we finally have some movement!
We saw an enormous 594% increase in newly registered botnet C&C domains at the US domain registrar NameSilo, knocking Namecheap off its #1 ranking.
This was quite a feat considering that Namecheap itself saw a 52% increase in newly registered botnet C&C domains. These are huge numbers!
Germany and China
It was not only US-based registrars who saw significant increases in Q2. The two German-based domain registrars, Key Systems (56%) and 1API (254%), also experienced growth in the number of botnet domains registered through their services, as did almost all the Chinese registrars listed below, including eName Technology who entered our Top 20 at #3.
Networks hosting the most newly observed botnet C&Cs, Q2 2021
There is always lots of change in those hosting the most newly observed botnet C&Cs. This quarter was no exception.
Bulletproof hosting operation
In Q2, one of the most extensive bulletproof hosting operations moved from Amazon to DigitalOcean. As a result, the amount of newly observed botnet C&Cs at Amazon rapidly decreased. Conversely, there was a sudden increase in new botnet C&Cs hosted at DigitalOcean.
We have seen microsoft.com (US) enter the Top 20. We have observed them hosting a significant amount of Vjw0rm and BitRAT botnet C&C infrastructure.
Networks hosting the most active botnet C&Cs, Q2 2021
Finally, let’s take a look at the networks that hosted a large number of active botnet C&Cs in Q2 2021. Hosting providers who appear in this ranking either have an abuse problem or do not take the appropriate action when they receive abuse reports.
This is a bulletproof hosting company purporting to be located in the Seychelles. In reality, they more than likely operate out of Russia.
Microsoft.com and google.com
It is evident that Microsoft is struggling with the amount of abuse generated on its Azure cloud platform. Likewise, google.com is equally besieged with abuse reports.
Well done to the departures!
We want to acknowledge all those who have departed from this list: Mail.ru, DigitalOcean, Eurobyte and Telstra – it’s good to see the number of active botnet C&Cs reducing on your network. Nice work!
That’s all for now. Stay safe and see you in October!
Download the Spamhaus Botnet Report 2021 Q2 as PDF