Spamhaus released their quarterly Botnet Threat Update for the third quarter of 2019, and almost half of the TLDs in their top 20 “most abused top-level domains” were ccTLDs: .ru (Russia), .pw (Palau), .eu (European Union), .ga (Gabon), .tk (Tokelau), .su (the former Soviet Union), .ml (Mali), .cf (Central African Republic) and .me (Montenegro). There were also a handful of new gTLDs: .top, .xyz, .icu, .name, .live, .site and .club. But the TLD with by far the most abused domains, and also by far the largest, was .com, with 4,058 abusive domain names out of around 145 million domains in total, while .net was second with 534 fraudulent domains. Measured as a share of registrations, though, .com’s figure works out to well under one abusive domain per 10,000, so the raw count says more about the size of the zone than about how permissive it is.
During the third quarter the number of fraudulent domain names registered within Russia’s ccTLD .ru almost halved, from 731 domains in Q2 to 392 in Q3. Two more gTLDs joined .com in the top 3 in Q3: .net and .info.
Of the registrars with the most abused domain names on their books, Namecheap easily came out on top with 1,034, while the Chinese registrar West263.com was second with 375. By country, there were 5 Chinese registrars on the top 20 list, 3 from the United States and 2 each from Russia and Germany.
The highlight, or rather lowlight, of the report from Spamhaus’ point of view was that the number of newly detected botnet command & control servers (C&Cs) reached an all-time high in July this year, with more than 1,500 botnet C&Cs detected by Spamhaus Malware Labs. That is far in excess of the monthly average of around 1,000 botnet C&Cs set in the first half of the year.
One of the most notorious botnets, “Emotet”, did however appear to go on vacation: it went silent for several months, then returned in September with a large-scale spam campaign. Emotet, also known as “Heodo”, began as an e-banking Trojan that targeted e-banking customers around the world. In 2018 it ceased its e-banking fraud activities and started offering infected computers to other cybercriminals on a “Pay-Per-Install” model. As of 2019, Emotet is one of the most dangerous botnets and is indirectly responsible for a large number of ransomware campaigns, such as Ryuk.
The most notable change Spamhaus observed between Q2 and Q3 concerned TrickBot: a 550% increase in the number of botnet C&Cs associated with this malware family. There were additional smaller changes in the malware landscape, with some families dropping out of the charts and others appearing.
Spamhaus also noted that Cloudflare, a US-based content delivery network (CDN) provider, remained one of the options preferred by cybercriminals for hosting botnet C&C servers, a trend evident since 2018. In practice the C&C sits behind Cloudflare’s reverse proxy, so the domain resolves to Cloudflare while the origin server stays hidden. Disappointingly, Spamhaus say they have still seen no apparent attempt by Cloudflare to tackle the ongoing abuse of its network for botnet hosting and other hostile infrastructure. As of Q3, however, Cloudflare was overtaken by the Chinese cloud provider Alibaba, by a narrow margin of 4 C&Cs.
There was also a surge in the number of botnet C&Cs hosted in Russia, spread across various hosting providers there, notably ispserver.com, reg.ru, simplecloud.ru, marosnet.ru and spacenet.ru. After a short period of respite, cybercriminals are once again moving their infrastructure to Russian Internet service providers.
The Spamhaus Botnet Threat Update: Q3-2019 can be downloaded in full from: https://www.spamhaus.org/news/article/789/spamhaus-botnet-threat-update-q3-2019