Botnet Threat Update Q1 2021

After a quiet(ish) end to 2020 in Spamhaus' botnet world, the first quarter of this year kicked off in style. The major news surrounded the takedown of the Emotet botnet in January. Nonetheless, as one malware departs, others arrive on the scene, as proved by the 24% increase in the total number of botnet C&Cs Spamhaus researchers observed.

by The Spamhaus Team, April 15, 2021 (6 minutes reading time)

Tags: Botnet C&C, Threat Intelligence, Malware, Service Providers

Introduction

Welcome to the Spamhaus Botnet Threat Update Q1 2021.

Emotet is gone, but other threats are emerging

In January 2021, an international coalition including authorities from various countries undertook a global action against the notorious Emotet botnet. Law enforcement agencies shut down infrastructure operated by the Emotet gang, sending Emotet botnet traffic to a sinkhole.

The operation appears to have been a success, as the botnet has remained inactive for over two months. However, Spamhaus Malware Lab experts deem that it’s highly likely that Emotet will come back into circulation.

Over the past few years, Emotet has flourished, earning itself the label of one of the most dangerous online threats. Miscreants used it to gain an initial foothold in corporate networks, allowing them to move laterally within the victims’ networks, which in many cases ended with those networks being encrypted by ransomware.

Sadly, there’s no rest in the botnet world; no sooner is one botnet extinguished than it’s replaced. Rapidly, other botnet operators have rushed to fill the void that Emotet has left.

Miscreants operating botnets like IcedID, Dridex, Quakbot, and TrickBot sent out large volumes of spam emails containing malicious documents this quarter. For most of these threats, the modus operandi is similar to Emotet’s: gain a foothold in corporate networks and encrypt them with ransomware.

Number of botnet C&Cs observed, Q1 2021

First of all, let’s look at the number of newly observed botnet Command & Control servers (C&Cs) in Q1 2021. In total, Spamhaus Malware Labs identified 1,660 new botnet C&Cs, compared to 1,337 in Q4 2020.

This is a 24% increase, with an average of 553 botnet C&Cs per month.

Number of new botnet C&Cs detected by Spamhaus since late 2020:

Geolocation of botnet C&Cs, Q1 2021

In some countries we have seen an increase in newly observed botnet C&Cs, while other countries have dropped out of our Top 20.

**The United States holds onto #1:** Despite a small 3% drop in the number of newly observed botnet C&Cs, the United States remains at the top of the leaderboard.

**Increases across Europe:** The Netherlands has overtaken Russia and finds itself in second position, with a total of 207 botnet C&Cs, a 27% increase on Q4 2020. Additional European countries have experienced increases in new botnet infrastructure, including Germany (+77%), France (+82%), Switzerland (+23%), and the United Kingdom (+9%).

Top 20 locations of botnet C&Cs

Malware associated with botnet C&Cs, Q1 2021

**Emotet:** In Q1 2021, Emotet jumped to the top of this Top 20. This comes as no surprise, given our efforts in helping Law Enforcement agencies take down Emotet botnet infrastructure in January 2021.

**Raccoon:** Raccoon is a credential stealer that is new in town. In Q1 2021, we identified 45 botnet C&Cs associated with this new malware.

**FickerStealer:** Another credential stealer observed for the first time in Q1 2021 is FickerStealer, with 25 new associated botnet C&Cs.

**QNodeService:** We first saw this malware in 2020. However, it appears that QNodeService’s activity completely dropped away at the start of this year. To date, we have not observed a single C&C associated with it.

Malware families associated with botnet C&Cs

Most abused top-level domains, Q1 2021

For Q1 2021, the gTLD .com remains at the top of our rankings. A large majority of botnet C&C domains that Spamhaus Malware Labs identified were hosted on this TLD. However, we have seen many other listed TLDs improve their reputation with reductions across the board.

**.de:** The ccTLD of Germany has once again entered the Top 20 at #19. Not good! Is this due to a weak anti-abuse policy at DENIC?

**.top & .xyz:** These two gTLDs have a long history of abuse, and it’s not surprising that they continue to be in the Top 5, particularly when .top had a 90% increase in the number of botnet C&Cs it hosted in Q1 2021.

Most abused TLDs - number of domains

Most abused domain registrars, Q1 2021

**Namecheap (again!):** After years of being #1 in this Top 20, Namecheap (US) continues to be the preferred domain registrar for miscreants registering botnet C&C domains.

When will this change? We don’t know. But given the long history of abuse at Namecheap, we don’t expect it to be any time soon!

**Eranet International & RegRU:** With a massive 249% increase, Eranet International (China) knocked NameSilo (United States) off its #2 spot. However, the most significant increase in the number of botnet C&C domain registrations belongs to RegRU (Russia), with a whopping 341% increase.

Most abused domain registrars - number of domains

Networks hosting the most newly observed botnet C&Cs, Q1 2021

For this quarter, we have seen an East/West split, with a reduction in the number of botnet C&Cs hosted at providers from the East, only to be swiftly replaced by cloud service providers in the West.

**Russian Virtual Private Server (VPS) providers:** Various companies, such as invs.ru and selectel.ru, dropped out of the Top 20 this quarter. This is very positive news, particularly in the case of selectel.ru, which had been present in the Top 20 list for a long time.

**Western VPS providers:** Various providers located in the West have entered the Top 20 chart in Q1 2021, including google.com, choopa.com, hetzner.de, and combahton.net.

**The worst and the most improved:** The most abused network is privacyfirst.sh, a VPN provider operating out of Germany. Conversely, amazon.com has reduced the number of newly observed botnet C&Cs on its network by 44% over the past quarter. A positive step forward!

Newly observed botnet C&Cs per network

Networks hosting the most active botnet C&Cs, Q1 2021

Last but not least, let’s look at the networks that consistently hosted a large number of active botnet C&Cs. Sadly, Microsoft heads this Top 20 with 48 active botnet C&Cs, followed by Google with 43. Networks appearing in this listing tend to have poor network hygiene and fail to act on abuse complaints; the absence of change between the past quarters indicates this. The botnets remain active for months!

Total number of active botnet C&Cs per network

Given the events regarding Emotet in Q1 2021, it will be very interesting to see what the next quarter will bring.

See you next quarter. In the meantime, stay safe.

Download the Spamhaus Botnet Report 2021 Q1 as PDF