Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/22/2018
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

US Tops Global Malware C2 Distribution

The United States hosts 35% of the world's command-and-control infrastructure, driving the frequency of host compromises.

Nearly 30% of network indicators of compromise (IoCs) from phishing-borne malware in 2018 leveraged command-and-control (C2) infrastructure located in, or proxied through, the United States, which is the leader in global malware C2 distribution, Cofense reports.

The US hosts 35% of global C2 infrastructure, followed by Russia (11%), the Netherlands (5%), Germany (5%), and Canada (3%). C2 infrastructure is "enormously biased" toward compromised hosts, which signifies high frequency of host compromises in the US.

Cofense Intelligence researchers who made the discovery say this doesn't mean people in the US are disproportionately hit with malware via phishing. It does support the idea that cyberattackers avoid arrest and/or extradition by hosting C2 infrastructure outside their countries of residence, or in nations with which their home countries have extradition agreements.

Cofense's research focuses on C2 infrastructure, which attackers use to communicate and control malware: new modules to download, commands to execute, or where to send stolen data. The fact that more C2 infrastructure is hosted in the US doesn't necessarily mean more people are targeted there.

"It is not at all uncommon for C2 to be hosted or proxied through intermediary countries before reaching a target's inbox," says Darrel Rendell, principal intelligence analyst at Cofense.

Consider the wealth of Internet infrastructure in the US, he adds. Threat actors gravitate toward broad attack surfaces, and the US has more hosts to compromise. Most attackers don't have a specific country in mind. They want to act where infrastructure is available.

"Threat actors are likely motivated by opportunity," Rendell explains. "There could be strategic opportunities across certain connections from certain countries that may be automatically blocked. For example, some organizations will block any connections coming from countries known for the origination of malicious activity that they do not do business with."

More specifically, he continues, an organization that doesn't do business in a specific country may block or scrutinize connections with those countries. Communications to and from US-based infrastructure may not be blocked or raise any red flags from security tools.

TrickBot and Geodo: Patterns, Predictions
Researchers illustrate the significance of C2 location with Geodo and TrickBot. Both are common modular banking Trojans targeting Western users but come from different malware families and are likely operated by different actors. Researchers analyzed the juxtaposition in C2 locations between TrickBot and Geodo Tier 1 proxy nodes throughout 2018.

Some potential overlap exists between the two, Darrell says, noting that Geodo has been seen delivering TrickBot in the past. Both Trojans proved to be growing threats earlier this year, ramping up the frequency and variety of their delivery mechanisms, utilities, and behaviors.

Geodo uses legitimate Web servers as a reverse proxy, sending traffic through actual servers to hosts on hidden C2 infrastructure. TrickBot almost exclusively uses for-purpose virtual private servers to host malicious infrastructure. Its C2 distribution trends eastward, and its campaigns consistently target Western victims, Cofense researchers explain.

TrickBot's tendency to do so could be due to a lack of extradition agreements among those countries, they point out. However, TrickBot does use some C2 locations in North America and Western Europe, a sign that attackers could be using a variety of C2 locations to make it more difficult to profile TrickBot's infrastructure.

Researchers are keeping an eye on how the two threats move and evolve.

"Geodo and TrickBot activity changes with each iteration," Darrell sats. "Over the last two weeks, for example, Geodo has been quieter than usual. While it isn't uncommon for it to go quiet for a period of time and resurface, this lull seems longer than usual."

He suggests the downtime is a result of operators improving Geodo's capabilities. The threat is still communicating with its C2 but so far has not been seen receiving any commands to update or propagate. TrickBot underwent a similar quiet period, he explains, after which researchers observed "significant changes" to the encryption of its modules and configuration files.

Looking ahead, researchers say the varied C2 locations for Geodo and TrickBot show how their infrastructure is growing. The two families "will almost certainly" be around in coming months.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
MelBrandle
50%
50%
MelBrandle,
User Rank: Moderator
10/31/2018 | 3:11:59 AM
That is a huge coverage
That is a huge coverage and obviously such a massive hosting would mean dragging along with it the extensive array of compromises as well. This fact does not necessarily mean that the process would only produce problems but it simply means that they would need to step up precautionary measures. Early implementation can be put in place even before no major situation has ever occurred just yet.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36197
PUBLISHED: 2021-05-13
An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This ...
CVE-2020-36198
PUBLISHED: 2021-05-13
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP...
CVE-2021-28799
PUBLISHED: 2021-05-13
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3...
CVE-2021-22155
PUBLISHED: 2021-05-13
An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user’s acco...
CVE-2021-23134
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.