Q3 has seen a massive 82% rise in the number of new botnet command and controllers (C&Cs) identified by our research team. They have observed an explosion in the use of backdoor malware with nefarious operators hiding behind FastFlux. In turn, this has caused several new countries and service providers to be listed in our Top 20 charts. Welcome to the Spamhaus Botnet Threat Update Q3 2021.
FastFlux emerging again
What is FastFlux?
FastFlux is a technique used by phishers, malware authors, and botnet operators to hide the actual location of their infrastructure behind a network of compromised hosts that are acting as a proxy, forwarding the malicious traffic to the real backend.
After analyzing this quarter’s statistics, it is evident that FastFlux is once again rising in popularity. Here’s a quick FastFlux refresher, including a deeper dive into how cybercriminals use it to make their infrastructure resilient against takedowns.
What makes FastFl to cybercriminals?
All FastFlux networks that are currently in business can be rented as a service on the dark web. This makes life easy for botnet operators. All they have to do is register domains required for the botnet C&Cs and point them to the FastFlux operator’s service. FastFlux takes care of the rest, ensuring that the A records rapidly change.
Here’s an example of a FluBot botnet C&C domain hosted on a FastFlux botnet:
;; QUESTION SECTION: ;gurbngbcxheshsj.ru. IN A ;; ANSWER SECTION: Domain TTL RecordType IP Address gurbngbcxheshsj.ru. 150 IN A 220.127.116.11 gurbngbcxheshsj.ru. 150 IN A 18.104.22.168 gurbngbcxheshsj.ru. 150 IN A 22.214.171.124 gurbngbcxheshsj.ru. 150 IN A 126.96.36.199 gurbngbcxheshsj.ru. 150 IN A 188.8.131.52 gurbngbcxheshsj.ru. 150 IN A 184.108.40.206 gurbngbcxheshsj.ru. 150 IN A 220.127.116.11 gurbngbcxheshsj.ru. 150 IN A 18.104.22.168 gurbngbcxheshsj.ru. 150 IN A 22.214.171.124 gurbngbcxheshsj.ru. 150 IN A 126.96.36.199
As you can see, the botnet C&C domain uses ten concurrent A records with a time to live (TTL) of only 150 seconds. Monitoring these A records reveals that the underlying FastFlux botnet consists of 100 to 150 active FastFlux nodes per day.
Generally, these nodes are compromised devices, commonly Customer Premise Equipment (CPE), insecurely configured (e.g., running vulnerable software or using standard login credentials), and accessible directly from the internet.
These kinds of devices are a soft target for cybercriminals. They simply need to conduct internet-wide scans to discover these vulnerable devices and compromise them. This whole process can all be automated, making it quick, easy, and effective.
Operators of FastFlux botnets choose the geolocation of their target devices they use for FastFlux hosting carefully. As you will notice when reading through this report, many FastFlux C&C nodes are hosted in places that are relatively well “digitized,” i.e., have good internet connections but are not as advanced along the maturity curve in terms of cybersecurity.
Latin America is commonly a target, e.g., Brazil, Chile, Argentina, Uruguay, and Asian countries such as Korea. The newcomers to the geolocation statistics in this update reflect this.
Number of botnet C&Cs observed, Q3 2021
In Q3 2021, Spamhaus Malware Labs identified 2,656 botnet C&Cs compared to 1,462 in Q2 2021. This was an 82% increase quarter on quarter! The monthly average increased from 487 per month in Q2 to 885 botnet C&Cs per month in Q3.
Geolocation of botnet C&Cs, Q3 2021
Given FastFlux’s influence over the past quarter, it isn’t surprising that there’s a clear pattern to the newcomers entering the chart for Q3 2021. Many of the countries joining the charts were responsible for hosting a large percentage of TeamBot, and FluBot botnet C&C servers – utilizing Fastflux – and fit the profile of countries with extensive internet coverage but less security-focused.
Significant increases in Russia
The number of botnet C&Cs located in Russia has dramatically risen. This is the second increase quarter on quarter that Russia has experienced:
- Q1 to Q2 – 19% increase
- Q2 to Q3 – 64% increase
Therefore, it comes as no surprise that in Q3 Russia overtook the United States for the #1 spot.
Continued increases across Europe
The trend that started in Q2 continued in Q3. Once again, there was an uptick in the number of botnet C&C servers hosted in various European countries, including the Netherlands (+63%), Germany (+45%), France (+34%), and Switzerland (+34%).
Malware associated with botnet C&Cs, Q3 2021
Here are the top malware families associated with newly observed botnet C&Cs in Q3, 2021.
TeamBot and FluBot emerging
Have you ever heard of TeamBot? Probably not. While it is neither a new nor severe threat, TeamBot sits at the top of the charts with FluBot, both backdoors.
Our threat hunters believe that TeamBot and FluBot are using the same FastFlux infrastructure, rotating the same botnet C&C IP addresses every few minutes, hence the shared listing below.
This quarter, there was an explosion in backdoor malware, making it the most prevalent type of malware associated with botnet C&Cs in Q3 2021.
RedLine wins, Raccoon loses
In 2021, we’ve been observing a battle for pole position between RedLine and Raccoon, both credential stealers, available for sale on the dark web. While we saw a huge increase (571%) of Raccoon botnet C&C servers in Q2 2021, RedLine malware experienced a 71% increase in Q3 2021, displacing Raccoon from its top spot.
IcedID has been relatively inactivate this year, making a brief appearance at #18 in Q2 before disappearing again this quarter. The reason behind this is unknown. However, our researchers don’t believe its silence will continue indefinitely. IcedID is one of the Trojans available to ransomware groups for purchase on the dark web.
These Trojans sell access to corporate networks – a very lucrative business.
Malware type comparisons between Q2 and Q3 2021
Most abused top-level domains, Q3 2021
No changes at the top of the chart
In Q3, .com and .xyz continued to stay at the top of our ranking. The situation deteriorated for these two TLDs, particularly .com, which experienced a 90% increase. We hope that VeriSign, the owner of this TLD, will take all necessary steps to improve this situation and increase their TLD’s reputation.
Three new TLDs
Two new gTLDs and one ccTLD joined our Top 20: .club, .co and .monster. All have seen a significant increase in the number of new botnet C&C domains registered through their service.
Most abused domain registrars, Q3 2021
We observed significant increases across most of the domain registrars listed in our Top 20. The United States is home to the largest percentage of domain registrars; however, their share has dropped quarter on quarter, while China, the United Kingdom, and Russia have increased.
In Q2 you saw Arsys, now you don’t
A nod of approval to Arsys, who was a new entry at #5 in Q2. They appear to have taken positive steps to ensure their TLD remains as clean as possible and dropped off the Top 20 in Q3, along with HiChina, 1API, Name.com, and 55hl.com. Excellent work to all these registrars.
In Q3, we saw the biggest increases in newly registered botnet C&C domains at CentralNic (+488%), Tucows (+266%), RegRU (+252%), West263.com (+168%), and Network Solutions (+163%).
The vast majority of fraudulent domain name registrations originate from poor resellers who have inappropriate or non-existent customer vetting in place.
Registrars can struggle to penalize these dirty resellers for many reasons, including poorly written Terms of Services (ToS). However, other matters can also
come into play, such as a vested financial interest or a fundamental lack of motivation to take responsibility for these issues.
We hope that these registrars will improve their reputation quickly by implementing stricter measures on their resellers to ensure they strive to fight against the registration of fraudulent domain names.
Location of Most Abused Domain Registrars
Networks hosting the most newly observed botnet C&Cs, Q2 2021
As usual, there were many changes in the networks hosting newly observed botnet C&Cs. Notably, there was an influx of networks hosting FastFlux botnet C&Cs, used by cybercriminals to host backdoor malware.
Does this list reflect ho dealt with at networks?
While this Top 20 listing illustrates that there may be an issue with customer vetting processes, it doesn’t reflect on the speed abuse desks deal with reported issues. See “Networks hosting the most active botnet C&Cs” to view networks where abuse isn’t dealt with in a timely manner.
We have seen a 69% increase in the number of new botnet C&C servers installed at the Dutch hosting provider serverion.com. Our researchers believe that this increase is predominantly due to their downstream customer des.capital, which tends to attract botnet operators.
Making positive changes
In last quarter’s update, we reported that a botnet hosting operation had moved from Amazon to DigitalOcean, causing the latter’s listings to rocket. We want to congratulate DigitalOcean for dropping off our Top 20 list in Q3 2021, along with other networks, including Google, who were at #2, HostSailor, Microsoft, M247, and Off Shore Racks.
Networks hosting the most active botnet C&Cs, Q3 2021
Finally, let’s take a look at the networks that hosted a large number of active botnet C&Cs in Q3 2021. Hosting providers who appear in this ranking either have an abuse problem or do not take the appropriate action when receiving abuse reports.
An increase in botnet C&C abuse
Sadly, the situation in terms of active botnet C&C servers deteriorated for many ISPs who were on our Top 20 in Q2. Ipjetable.net (FR), microsoft.com (US), vietserver.vn (VN), and openvpn (SE) all have one thing in common: Instead of taking appropriate measures against the abuse on their infrastructure, the number of active botnet C&C servers increased in these networks.
uninet.net.mx & stc.com.sa
These two ISPs are new to our Top 20 this quarter and have taken #1 and #2 spots due to the vast number of FastFlux bots hosted on their networks.
In fact, the majority of the newcomers to this chart are due to hosting FastFlux bots on their networks and not responding quickly to abuse reports. All these companies are providing a resilient botnet C&C infrastructure for botnet operators.
That’s all for now. Stay safe and see you in January!
Download the Spamhaus Botnet Report 2021 Q3 as PDF