2019 Q2 Spamhaus Botnet Threat Update

Botnet Threat Update

Q2–2019

In this quarter, botnet command & control (C&C) traffic remains significantly above the monthly averages of 2018, although it would appear that in June some botnet operators have taken a vacation.

Two new credential stealers and a dropper that has been around the block have all made it onto our Top 20 list for malware families associated with botnet C&C listings. When it comes to the most abused registrar, ‘register.com’ has dropped off the Top 20 list; meanwhile, Cloudflare continues to host more botnet C&Cs than any other Internet Service Provider (ISP).
2 | BOTNET THREAT UPDATE Q2–2019

Spotlight
Free DNS provider OpenNIC drops ‘.bit’ zone

In this quarter we’re putting the spotlight on the free DNS provider OpenNIC.

OpenNIC is one of the larger free DNS providers that support the resolution of decentralized top-level domains (dTLDs). In last year’s annual Spamhaus Botnet Threat Report [1] we raised concerns about the increase in the number of botnet C&C domains that were registered within dTLDs.

Decentralized top-level domains (dTLDs): These are independent top-level domains that are not under the control of ICANN. Unlike official TLDs like ‘.com’ or ‘.net’, dTLDs cannot be resolved through the public DNS infrastructure. A user or an adversary that wants to resolve a domain name registered within a dTLD must use a special DNS server that is configured appropriately to resolve dTLDs.

From an adversary’s perspective, using a dTLD for hosting botnet C&C servers has several advantages:
- These domain names cannot be taken down or suspended when being used for malicious purposes, because there is no governing body associated with a dTLD.
- dTLDs bypass DNS Firewalls/Response Policy Zones (RPZ) that numerous ISPs and businesses use to protect their customers/users from cyber threats.
- Researching malicious activity becomes more challenging, as domain name registrations within dTLDs are usually entirely anonymous, with registrant information not being required.

These factors, as previously stated, have led to an increase in the number of new dTLD registrations being used to host botnet C&C servers, in particular Namecoin’s dTLD ‘.bit’. Until recently, malware authors were heavily reliant on OpenNIC to resolve their botnet C&C domain names. In June 2019, the operator of OpenNIC took a vote as to whether they should drop support for Namecoin’s ‘.bit’. [2]

“Over the past year .bit domains have started being used as malware hubs due to their anonymous nature. Since there is no way to contact the owner of those domains, it creates a backscatter effect and a number of people running public T2 servers have seen domains blacklisted, emails blocked, and shutdown notices from their providers.”

86% of OpenNIC’s volunteers voted in favor of this proposal. On June 25th, 2019, OpenNIC dropped Namecoin’s ‘.bit’ domains from their zones. Malware families that relied purely on OpenNIC to resolve their ‘.bit’ botnet C&C domain names have been dismantled, and infected devices are no longer under the control of the miscreants.

[1] https://spamhaus-cdn.s3.amazonaws.com/uploads/2019/02/Spamhaus-Botnet-Threat-Report-2019-1.pdf
[2] https://wiki.opennic.org/votings/drop_namecoin
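Because the public DNS cannot resolve dTLD names such as ‘.bit’, an infected host has to reach a non-standard resolver to find its C&C, which gives defenders two things to look for in DNS logs. The following Python is an added example (not part of the Spamhaus report); the log line format, the sanctioned resolver addresses and the sample lines are all constructed for illustration.

```python
# Flag DNS activity consistent with dTLD ('.bit') C&C resolution: the public
# DNS cannot resolve such names, so a client querying them, or talking to a
# resolver outside the sanctioned set, merits a closer look.
import re
from collections import defaultdict

# Assumption: only these resolvers are sanctioned on the monitored network.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# '.bit' (Namecoin) is the dTLD the report discusses; extend as needed.
DTLD_SUFFIXES = (".bit",)

# Constructed log format: "<ts> <client_ip> -> <resolver_ip> <qname> <qtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<resolver>\d+\.\d+\.\d+\.\d+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Return the (possibly empty) list of reasons a record is suspicious."""
    reasons = []
    qname = rec["qname"].rstrip(".").lower()
    if qname.endswith(DTLD_SUFFIXES):
        reasons.append("dtld-query")
    if rec["resolver"] not in SANCTIONED_RESOLVERS:
        reasons.append("unsanctioned-resolver")
    return reasons

def find_suspects(lines):
    """Map client IP -> sorted list of reasons, over an iterable of log lines."""
    suspects = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the sweep
        for reason in classify(rec):
            suspects[rec["client"]].add(reason)
    return {ip: sorted(r) for ip, r in suspects.items()}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2019-06-20T10:00:01Z 10.0.5.21 -> 10.0.0.53 www.example.com. A",
    "2019-06-20T10:00:02Z 10.0.5.42 -> 10.0.0.53 update.example.bit. A",
    "2019-06-20T10:00:03Z 10.0.5.42 -> 192.0.2.10 sync.example.bit. A",
    "2019-06-20T10:00:04Z 10.0.5.77 -> 192.0.2.10 mail.example.net. MX",
    "garbage line that does not parse",
]
```

Run `find_suspects(SAMPLE_LOG)` to get a per-client summary; a query for a ‘.bit’ name sent to a sanctioned resolver is still flagged, since the resolver will simply fail it while the host reveals its intent.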

Number of botnet C&Cs observed in 2019

The number of newly detected botnet C&Cs resulting from fraudulent sign-ups continues to stay at a very high level in 2019. We are detecting approximately 1,000 new botnet C&Cs per month. The monthly average in 2018 was 519.

What is a ‘fraudulent sign-up’? This is where a miscreant uses a fake or stolen identity to sign up for a service, usually a Virtual Private Server (VPS) or a dedicated server, for the sole purpose of using it to host a botnet C&C.

The exception to this trend was the month of June, where we saw a noticeable decline in the number of newly detected botnet C&Cs. We surmise that this is a result of the holiday season beginning, with some botnet operators taking vacations. An excellent example of this is the notorious Emotet botnet, which silently disappeared on June 5th, 2019. We doubt that these botnets are gone for good and suspect that they are likely to return after the holiday season comes to an end in August or September 2019.

[Chart: Botnet controller listings per month, Jan–Jun 2019. Extracted bar values: 1,103; 1,297; 955; 1,179; 1,146; 826.]

Geolocation of botnet C&Cs in Q2 2019

There has been little change in the preferred geolocation of botnet C&C servers in Q2. The number 1 country for botnet C&C hosting remains the United States, followed by Russia; however, France has knocked the Netherlands off their number 3 spot, and China has moved nine places up the leader board to number 4.

[Map: countries ranked 1–20 by botnet controllers hosted, Q2 2019.]

| Rank | Botnet controllers | Country |
|---|---|---|
| 1 | 814 | USA |
| 2 | 192 | Russia |
| 3 | 160 | France |
| 4 | 129 | China |
| 5 | 119 | Germany |
| 6 | 95 | Luxembourg |
| 7 | 79 | Greece |
| 8 | 73 | Canada |
| 9 | 66 | Netherlands |
| 10 | 55 | United Kingdom |
| 11 | 30 | Argentina |
| 12 | 29 | Switzerland |
| 13 | 27 | Turkey |
| 14 | 27 | Colombia |
| 15 | 26 | Ukraine |
| 16 | 16 | Romania |
| 17 | 15 | Mexico |
| 18 | 13 | Tunisia |
| 19 | 12 | YU (Formerly Yugoslavia) |
| 20 | 9 | Pakistan |

Malware associated with botnet C&Cs, Q2 2019

There has been no significant change in the threat landscape in Q2 2019 compared to Q1. The dominating malware family, in terms of newly detected botnet C&Cs, is still Lokibot, followed by AZORult. Both are credential stealers sold on hacking and underground forums.

AZORult: AZORult is a credential stealer ‘crimeware kit’ sold on underground hacker sites. It not only attempts to harvest and exfiltrate credentials from various applications such as web browsers but additionally tries to steal address books from email clients.

Emotet: This quarter has seen an upswing in activity from Emotet. Initially built as an e-banking Trojan several years ago, in 2019 Emotet is becoming increasingly popular as a dropper. We believe that the botnet is being monetized using Pay-per-Install (PPI). It looks as if various threat actors are customers of Emotet PPI, for example ‘buying’ infected machines located at small/medium businesses to drop additional malware, such as the ransomware ‘Ryuk’ or ‘LockerGoga’.

New credential stealers in town: ‘Amadey’ [3] (February 2019) and ‘Baldr’ [4] (April 2019) are new to the threat landscape. Both are crimeware kits sold as crimeware-as-a-service on hacker and underground forums. Worryingly, they have made it into our Top 20 charts within just a couple of months. However, they still have to conquer competitors such as KPOTStealer and ArkeiStealer, which are being heavily utilized by miscreants to commit cyber crime.

Malware families associated with botnet C&C listings, Q2 2019

| Rank | Malware | Note |
|---|---|---|
| 1 | Lokibot | Credential Stealer |
| 2 | AZORult | Credential Stealer |
| 3 | NanoCore | Remote Access Tool (RAT) |
| 4 | Emotet | Dropper/Backdoor |
| 5 | Pony | Dropper/Credential Stealer |
| 6 | Gozi | e-banking Trojan |
| 7 | RemcosRAT | Remote Access Tool (RAT) |
| 8 | KPOTStealer | Credential Stealer |
| 9 | NetWire | Remote Access Tool (RAT) |
| 10 | njrat | Remote Access Tool (RAT) |
| 11 | TrickBot | e-banking Trojan/Dropper |
| 12 | Adwind | Remote Access Tool (RAT) |
| 13 | ArkeiStealer | Credential Stealer |
| 14 | Baldr | Credential Stealer |
| 15 | Amadey | Credential Stealer |
| 16 | PredatorStealer | Credential Stealer |
| 17 | CoinMiner | generic crypto miners |
| 18 | RevengeRAT | Remote Access Tool |
| 19 | IcedID | e-banking Trojan |
| 20 | Smoke Loader | Dropper/Backdoor |

[Chart: number of botnet C&C listings per malware family, ranks 1–20.]

[3] https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/
[4] https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/

Most abused top-level domains, Q2 2019

In total, only five country code top-level domains (ccTLDs) made it into the Top 20 chart in Q2 2019. All of the remaining ones are generic top-level domains (gTLDs).

What domains do these statistics include? Remember that we only count domain names that have been registered fraudulently for the sole purpose of hosting a botnet C&C. These statistics do not include botnet C&Cs hosted on compromised websites or domain names.

The leader of our chart remains the same in Q2 as in Q1: the gTLD ‘.com’. However, the ccTLD ‘.UK’, which held the number 2 spot in Q1, is nowhere to be seen in the Top 20 listings this quarter. Instead, it has been superseded by the ccTLD of Russia, ‘.ru’, which has more than doubled its botnet C&C listings in Q2 compared with Q1.

Another change that is noteworthy is the appearance of the ccTLD of the European Union, ‘.eu’. Interestingly, ‘.eu’ has had more botnet C&Cs hosted on it in Q2 2019 than the former Soviet Union’s ccTLD ‘.su’.

Top abused TLDs – number of domains

| Rank | TLD | Note |
|---|---|---|
| 1 | com | gTLD |
| 2 | ru | ccTLD of Russia |
| 3 | cm | ccTLD of Cameroon |
| 4 | net | gTLD |
| 5 | info | gTLD |
| 6 | org | gTLD |
| 7 | pw | ccTLD of Palau |
| 8 | xyz | gTLD |
| 9 | top | gTLD |
| 10 | tk | originally ccTLD, now effectively gTLD |
| 11 | eu | ccTLD of the European Union |
| 12 | ml | originally ccTLD, now effectively gTLD |
| 13 | ga | originally ccTLD, now effectively gTLD |
| 14 | cf | originally ccTLD, now effectively gTLD |
| 15 | gq | originally ccTLD, now effectively gTLD |
| 16 | icu | gTLD |
| 17 | site | gTLD |
| 18 | name | gTLD |
| 19 | in | ccTLD of India |
| 20 | club | gTLD |

[Chart: number of fraudulently registered domains per TLD, ranks 1–20.]

Most abused domain registrars, Q2 2019

Namecheap: After a short break in Q1, the US-based domain registrar Namecheap is back in the number 1 position as the most abused domain registrar. In Q2, Namecheap was responsible for more fraudulent domain registrations than the next six registrars on the Top 20 list put together.

Poor processes leave operators open to abuse: To register a domain name, a botnet operator must choose a domain registrar. Domain registrars play a crucial role in fighting abuse in the domain landscape: they not only vet the domain registrant (customer) but also have the ability to suspend or delete domain names. Unfortunately, many domain registrars do not have a robust customer vetting process, leaving their service open to abuse.

Newcomers: New additions to the charts are Openprovider from the Netherlands (#5), Google from the US (#15) and Crazy Domains from Australia (#20).

Register.com: Great work by register.com, who look to have improved their processes, as they no longer appear on our Top 20 most abused domain registrars in Q2. This is in stark contrast to Q1, where they accounted for 22% of the total number of registered domains used for botnet C&Cs.

Most abused domain registrars – number of domains

| Rank | Registrar | Country |
|---|---|---|
| 1 | Namecheap | United States |
| 2 | RegRU | Russia |
| 3 | NameSilo | United States |
| 4 | PDR | India |
| 5 | Openprovider | Netherlands |
| 6 | GMO | Japan |
| 7 | RU-Center | Russia |
| 8 | WebNic.cc | Singapore |
| 9 | Xin Net | China |
| 10 | R01 | Russia |
| 11 | Alibaba/HiChina/net.cn | China |
| 12 | NameBright/DropCatch | United States |
| 13 | Hostinger | Lithuania |
| 14 | Eranet International | China |
| 15 | Google | United States |
| 16 | west263.com | China |
| 17 | CentralNic | United Kingdom |
| 18 | OnlineNIC | United States |
| 19 | Tucows | United States |
| 20 | Crazy Domains | Australia |

[Chart: number of fraudulently registered domains per registrar, ranks 1–20.]

Internet Service Providers (ISPs) hosting botnet C&Cs, Q2 2019

Cloudflare: We continue to see cloudflare.com, a US-based CDN provider, being the preferred option to host botnet C&C servers. This trend has been evident since 2018. Sadly, we have seen no attempts from Cloudflare to battle the ongoing abuse of their network for botnet hosting and other hostile infrastructure.

Cloudflare: While Cloudflare does not directly host any content, it provides services to botnet operators, masking the actual location of the botnet controller and protecting it from DDoS attacks.

Same threat actor, different ISP: The five ISPs fos-vpn.org (Seychelles), stajazk.ru (Russia), gerber-edv.net (Bulgaria), anmaxx.net (Russia) and libertas-international.eu (Antigua and Barbuda) are all operated by the same threat actor, trading under different company names to remain under the radar.

Russian ISP prevalence: More than half of the top botnet C&C hosting ISPs are based in Russia. This isn’t particularly surprising given that ISPs operating in Russia are usually out of the reach of western law enforcement agencies. In addition to this, Russia lacks sufficient legislation, and political willingness, to fight botnet operations originating from its territory.

Total botnet C&C hosting numbers by ISP

| Rank | Network | Country |
|---|---|---|
| 1 | cloudflare.com | United States |
| 2 | simplecloud.ru | Russia |
| 3 | fos-vpn.org | Seychelles |
| 4 | ovh.net | France |
| 5 | mtw.ru | Russia |
| 6 | alibaba-inc.com | China |
| 7 | ispserver.com | Russia |
| 8 | timeweb.ru | Russia |
| 9 | itos.biz | Russia |
| 10 | spacenet.ru | Russia |
| 11 | dhub.ru | Russia |
| 12 | stajazk.ru | Russia |
| 13 | m247.ro | Romania |
| 14 | melbicom.net | Russia |
| 15 | marosnet.ru | Russia |
| 16 | gerber-edv.net | Bulgaria |
| 17 | anmaxx.net | Russia |
| 18 | libertas-international.eu | Antigua & Barbuda |
| 19 | dataclub.biz | United Kingdom |
| 20 | leaseweb.com | Netherlands |

[Chart: number of botnet C&Cs hosted per ISP, ranks 1–20.]

Thanks for reading. We’ll see you again in October for Q3’s update.

www.spamhaus.org @spamhaus
