The ccTLD for the Lao People’s Democratic Republic, which has gained a second home in Los Angeles, became the TLD with the second most botnet Command and Control (C&C) domains on the Spamhaus chart of most abused TLDs in its first appearance on the top 20 chart.
As usual, .com was the most abused top-level domain, with 3,291 abusive domain names registered out of its 145.4 million, accounting for 45% of the botnet C&C domains across the top 20 TLDs. It was followed by .la with 1,151 abusive domains, .pw (Palau) with 575 and .xyz with 278; these were the only TLDs with more than 200 abusive registrations.
Both .pw and .xyz have appeared in the Top 20 for over a year, but a significant increase in botnet C&C domain registrations associated with them in Q1 2020 placed them third and fourth respectively.
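One way a defender can put the report's TLD ranking to work is as a triage hint over resolver logs: tally queries per TLD and pull out which internal clients looked up names under the TLDs the report ranks highest for botnet C&C domains after .com. The following is an added example, not code from Spamhaus or from the article; the log line format and the sample log lines are constructed for illustration, and the watchlist is simply the three TLDs and counts quoted above. A hit is a reason to look closer, not evidence of compromise, since these TLDs also carry plenty of legitimate traffic.

```python
import re
from collections import Counter

# TLDs the Spamhaus Q1 2020 report ranks highest for botnet C&C domains
# after .com, with the abusive-domain counts the report gives for each.
REPORT_ABUSED_TLDS = {"la": 1151, "pw": 575, "xyz": 278}

# Constructed sample resolver log (not real traffic). The line format is an
# assumption for this example: <timestamp> client=<ip> query=<fqdn> type=<rrtype>
SAMPLE_LOG = """\
2020-03-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A
2020-03-01T10:00:02Z client=10.0.0.5 query=cdn.example.com type=AAAA
2020-03-01T10:00:07Z client=10.0.0.9 query=update-host.example.la type=A
2020-03-01T10:00:09Z client=10.0.0.9 query=panel.example.pw type=A
2020-03-01T10:00:11Z client=10.0.0.9 query=update-host.example.la type=A
2020-03-01T10:00:15Z client=10.0.0.12 query=static.example.xyz type=A
2020-03-01T10:00:20Z client=10.0.0.12 query=mail.example.org type=MX
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+type=(?P<type>\S+)"
)


def parse_line(line):
    """Extract client, queried name and record type; None for unparseable lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def tld_of(fqdn):
    """Rightmost label of a name, lower-cased, ignoring a trailing root dot."""
    return fqdn.rstrip(".").rsplit(".", 1)[-1].lower()


def tld_histogram(log_text):
    """Count DNS queries per TLD, which shows where a network's lookups go."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[tld_of(rec["query"])] += 1
    return counts


def flag_watchlist_queries(log_text, watchlist=REPORT_ABUSED_TLDS):
    """Map each client to the distinct names it queried under watchlisted TLDs.

    The result is a triage list for an analyst; a hit alone is not an indicator
    of compromise, because legitimate services also live under these TLDs.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if tld_of(rec["query"]) in watchlist:
            name = rec["query"].rstrip(".").lower()
            hits.setdefault(rec["client"], set()).add(name)
    return hits


def rank_hits_by_report_abuse(hits, watchlist=REPORT_ABUSED_TLDS):
    """Order flagged names by the report's abuse count for their TLD (highest first)."""
    flat = [(client, name) for client, names in hits.items() for name in sorted(names)]
    return sorted(flat, key=lambda cn: -watchlist[tld_of(cn[1])])


if __name__ == "__main__":
    print(tld_histogram(SAMPLE_LOG))
    for client, name in rank_hits_by_report_abuse(flag_watchlist_queries(SAMPLE_LOG)):
        print(f"{client}\t{name}")
```

Running the block prints the per-TLD histogram and a ranked triage list; on the constructed log, client 10.0.0.9 is listed first because its lookups fall under .la and .pw, the two TLDs with the highest counts in the report.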
In the first quarter of 2020, Spamhaus Malware Labs also identified a total of 2,738 new botnet Command and Controllers (C&Cs). Of these, 2,014 (an average of 671 per month) were under the direct control of miscreants, i.e. set up through a fraudulent sign-up. That is a decrease of 57% compared to Q4 2019, which Spamhaus notes is welcome news for internet users after the significant increases throughout 2019.
The reason for this decrease, Spamhaus notes, is currently unproven. They believe “it could be partially related to a VPN provider who refuses to take action on abuse reports and is failing to shut down traffic from existing botnet C&Cs. If botnet C&Cs, which have been detected and reported, are allowed to continue to operate, there is no reason why miscreants should spin up new ones.”
When it comes to registrars, Namecheap continues to be the favourite place for malware authors to register their botnet C&C domains. Among Internet Service Providers (ISPs) hosting botnet C&Cs, Cloudflare came out top; while it does not directly host any content, it provides services to botnet operators that mask the actual location of the botnet controller and protect it from DDoS attacks. Compared to Q4 2019, there was little change in the hosting provider landscape. The usual suspects were still present in the Top 20, including Cloudflare (US), Google (US), OVH (FR) and Hetzner (DE). It would appear that these big players in the cloud hosting market did little to improve the situation.
The report puts a spotlight on the Raccoon Stealer malware. At the end of 2019 Raccoon Stealer was a newcomer on the cyber threat landscape. Spamhaus notes that it is usually delivered to the end user through spam campaigns or exploit kits, or by a dropper, i.e. malware that is already present on the victim’s machine. Raccoon Stealer is a credential and information stealer that runs on MS Windows, but it is also being used by threat actors to install additional malware. What makes Raccoon Stealer rather unique is where its botnet C&Cs are hosted: on Google Cloud.