News

Malware distributors substantially increased their activity in 2019

In 2019 botnet-operators’ activity significantly grew as they launched 1,1 thousand of C&C servers a month.

These are results of quarter research of analysts from Spamhaus Malware Labs.

Most often malware networks are used for sending modular spyware Trojans and remote access tools (RAT).

As say specialists, in the I quarter 2019 more than 60% of all malware activity consisted spyware Trojan Lokibot (1496 servers) and multifunctional malware AZORult (1155). Modular Trojan Pony, which closes the top three, almost 4-5 times behind the leaders.

“When we look at the number of newly detected botnet Command & Controllers (C&C), as a result of fraudulent sign-ups, it is evident that the upward trend detected in 2018 is continuing into 2019”, — noted in Spamhaus Malware Labs.

If in January 2018 experts found 276 new servers, in December their number surged to 762. Average monthly results was 530 C&C servers.

In the first quarter 2019 this figured skyrocketed more than twice and reached 1,1 thousand of C&C monthly. Only in March specialists counted about 1,3 thousands of new servers.

Number of botnet C&Cs observed in 2019

Their main part is traditionally located in *.com and *.uk zones. Analysts also noted growth of sites’ share under domains *.ug (Uganda) и *.ng (Nigeria).

In February every third resource in *.ug worked on intruders, while behind this activity stands only one malware service. Its operators register websites under Ugandan names and buy DNS-hosting in China.

“They register a ‘.UG’ domain name for their customer with the operator ‘i3c.co.ug’ and use a Chinese based DNS provider ‘DNSPod’ (Tencent). From a cybercriminal’s perspective, this has a big advantage: Both i3c.co.ug and DNSPod are exceptionally slow to investigate abuse reports, that’s if they are investigated at all. This makes a cybercriminal’s botnet C&C infrastructure almost 100% bulletproof to takedown requests”, — reported Spamhaus researchers.

As say Spamhaus specialists, they applied much effort and managed to decline share of unwanted web-sited under Uganda domains to 29%. Botnets most often locate on Cloudfare facilities. This hosting provider allows customers to hide location of management services and protects clients from DDoS – attacks.

Top–five also included Russian services Stajazk, Timeweb, Reg.ru and French Ovh.net.

Most abused domain registrars, Q1 2019

Source: https://www.spamhaus.org

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Chernars pop-up ads (Virus Removal Guide)

Chernars.com is a domain that tries to force you into subscribing to its browser notifications…

24 hours ago

Remove Eclipse-adblocker.pro pop-up ads (Virus Removal Guide)

Eclipse-adblocker.pro is a site that tries to trick you into clik to its browser notifications…

24 hours ago

Remove Initiateadvancedcompletelythe-file.top pop-up ads (Virus Removal Guide)

Initiateadvancedcompletelythe-file.top is a site that tries to force you into subscribing to its browser notifications…

24 hours ago

Remove Pbmsoultions pop-up ads (Virus Removal Guide)

Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…

4 days ago

Remove Prizestash pop-up ads (Virus Removal Guide)

Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…

4 days ago

Remove Verifiedbreaking pop-up ads (Virus Removal Guide)

Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…

4 days ago