Akamai researchers said, “As we analyzed malicious DNS traffic from businesses and individuals, we were able to uncover the spread of Android-based FluBot malware and the emergence of several cybercriminal groups targeting businesses. Notable is the significant increase in C2 traffic associated with IABs, such as ransomware-as-a-service (RaaS) groups, compromising corporate networks and selling access credentials.”

Akamai operates a global CDN and large-scale DNS infrastructure for its cloud and security services, handling up to 7 trillion DNS queries per day. Because every DNS query resolves a domain name to an IP address, Akamai can map requests coming from corporate networks against known malicious domains, such as those hosting phishing pages, distributing malware, or serving as command-and-control (C2) infrastructure, the report explained.
According to the report, between 9% and 13% of devices making DNS queries in a given quarter attempted to contact a domain serving malware. In addition, 4-6% of devices queried known phishing domains and 0.7-1% queried C2 domains. At first glance the C2 share looks small next to the other categories, but at a scale of 7 trillion queries per day it still represents a large number of devices. Moreover, a query to a malware-hosting domain does not necessarily mean a successful infection, since the download can be detected and blocked before the malware executes, whereas a query to a C2 domain indicates a device that is already infected.
Corporate networks can contain thousands or tens of thousands of devices, and because attackers move laterally, a single infected device can lead to compromise of the entire network. Looking at Akamai’s C2 DNS data by company, more than 1 in 10 companies experienced a breach in the past year.
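As an added example (not Akamai’s code or data), the following Python script shows the kind of classification the report describes: resolver query logs are matched against a list of known malicious domains, each device is tagged with the categories it queried, and the per-device and per-company figures are computed. It also encodes the distinction made above, treating malware and phishing queries as attempts and only a C2 query as a confirmed infection. The domain list, the log format and the log lines are all constructed for the example; a real deployment would use a threat-intelligence feed and the resolver’s own log format.

```python
"""Classify DNS query logs against a threat-domain list and compute the
per-device / per-organization figures discussed above.

Added example, not Akamai's code. The threat list, log format and log lines
below are all constructed for illustration.
"""
from collections import defaultdict

# Constructed threat intel: domain -> category (hypothetical names).
THREAT_DOMAINS = {
    "update-cdn.example.net": "malware",      # hosts a malicious download
    "login-verify.example.org": "phishing",   # credential-harvesting page
    "c2-beacon.example.com": "c2",            # command-and-control
}

# Constructed resolver log, one query per line:
# <timestamp> <org> <device> <query name> <rcode>
SAMPLE_LOG = """\
2023-01-10T08:01:02Z acme ws-01 www.example.com NOERROR
2023-01-10T08:01:05Z acme ws-01 update-cdn.example.net NOERROR
2023-01-10T08:02:11Z acme ws-02 login-verify.example.org NXDOMAIN
2023-01-10T08:03:40Z acme ws-03 www.example.com NOERROR
2023-01-10T08:04:00Z globex srv-07 beacon.c2-beacon.example.com NOERROR
2023-01-10T08:04:30Z globex srv-07 update-cdn.example.net NOERROR
2023-01-10T08:05:00Z globex ws-11 www.example.com NOERROR
2023-01-10T08:06:00Z initech ws-21 notc2-beacon.example.com NOERROR
"""


def classify(qname):
    """Return the threat category for a query name, or None.

    Matches the listed domain itself or any subdomain of it, on label
    boundaries, so 'notc2-beacon.example.com' does not match
    'c2-beacon.example.com' while 'beacon.c2-beacon.example.com' does.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = THREAT_DOMAINS.get(".".join(labels[i:]))
        if category:
            return category
    return None


def parse_log(text):
    """Parse the constructed log format into (org, device, qname) tuples.

    The rcode is deliberately ignored: the query itself is the indicator.
    A device that asks for a C2 domain is infected whether or not the
    resolver answered, blocked or sinkholed the request.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, org, device, qname, _rcode = line.split()
        records.append((org, device, qname))
    return records


def summarize(records):
    """Per-device and per-organization view of malicious DNS activity."""
    categories = defaultdict(set)   # (org, device) -> categories queried
    orgs = set()
    for org, device, qname in records:
        orgs.add(org)
        seen = categories[(org, device)]   # register device even if clean
        category = classify(qname)
        if category:
            seen.add(category)

    devices = len(categories)
    by_category = {
        c: sum(1 for seen in categories.values() if c in seen)
        for c in ("malware", "phishing", "c2")
    }
    any_malicious = sum(1 for seen in categories.values() if seen)
    # A malware or phishing query is an attempt that may have been blocked;
    # only a C2 query is treated as a confirmed infection.
    infected = sorted(f"{org}/{dev}" for (org, dev), seen in categories.items()
                      if "c2" in seen)
    orgs_with_c2 = sorted({org for (org, _), seen in categories.items()
                           if "c2" in seen})
    return {
        "devices": devices,
        "devices_any_malicious": any_malicious,
        "pct_any_malicious": round(100.0 * any_malicious / devices, 1) if devices else 0.0,
        "by_category": by_category,
        "confirmed_infected_devices": infected,
        "orgs_total": len(orgs),
        "orgs_with_c2": orgs_with_c2,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Running the script on the constructed log reports 6 devices, 3 of which (50%) queried something on the list, but only one confirmed infection (globex/srv-07, the only device that queried a C2 domain) and therefore one of the three organizations with C2 traffic. The label-boundary matching in `classify` matters in practice: a naive substring or `endswith` check would miss subdomains of a listed C2 domain or, worse, flag unrelated names that merely end in the same characters.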
According to the DNS data, more than 30% of companies with malicious C2 traffic were manufacturers. Next came business services (15%), high technology (14%) and commerce (12%). The two leading sectors, manufacturing and business services, were also the sectors most affected by the Conti ransomware.
Botnets account for 44% of malicious traffic
Akamai segmented its C2 traffic into several categories, including botnets, initial access brokers (IABs), infostealers, ransomware, and remote access trojans (RATs). Botnets were the largest category, accounting for 44% of malicious C2 traffic. The well-known Emotet and Qakbot botnets are counted in the IAB category because they sell access to compromised systems. Technically, however, most botnets can deliver additional malware payloads, and while their operators do not openly sell this as a service, some do so privately. For example, the TrickBot botnet had an undisclosed partnership with the cybercriminals behind the Ryuk ransomware.
The largest botnet Akamai observed in C2 traffic was QSnatch, malware that infects the firmware of older QNAP NAS devices. QSnatch first appeared in 2014 and is still active today. According to a CISA advisory, about 62,000 devices worldwide were infected as of mid-2020. QSnatch blocks security updates, scrapes credentials, logs passwords, provides remote access, and exfiltrates data.
IABs took second place. The biggest threats in this group were Emotet, which accounted for 22% of all infected devices, and Qakbot, with 4%. Emotet is one of the oldest botnets and is used by several cybercriminal groups to gain initial access to corporate networks. Emotet has also been used for years to deploy other botnets, including TrickBot and Qakbot.
In 2021, law enforcement agencies from several countries, including the United States, the United Kingdom, Canada, Germany and the Netherlands, took over the botnet’s command-and-control infrastructure. The takedown did not last long, and the botnet reappeared with a new version. Emotet started out as an online banking Trojan but evolved into a modular malware platform providing functions such as stealing emails and launching DDoS attacks. Emotet is known to be associated with ransomware groups, especially Conti.
Like Emotet, Qakbot is a botnet used to deliver additional payloads. It has a partnership with the Black Basta ransomware group. The malware is also known to use the Cobalt Strike penetration testing tool and has information-stealing capabilities.
Botnets are known to spread ransomware, but once ransomware is deployed it has its own C2, which also shows up in Akamai’s DNS data. More than 9% of devices generating C2 traffic were contacting domain names associated with known ransomware threats. The most common were REvil and LockBit.
Akamai researchers said, “In analyzing the methodology of recent ransomware groups, we have seen numerous cases where ‘hands-on-keyboard’ operation was handed over to the attacker to carry out a fast and effective attack. The ability to identify and block C2 traffic can play a key role in stopping such attacks.”
Infostealers (16%) were the third-largest category. This type of malware steals valuable information such as usernames and passwords for various services, authentication cookies stored in browsers, and other locally stored authentication data from other applications. Ramnit, a modular infostealer that can also distribute additional malware, was the most common threat in the infostealer category.
Other notable threats detected in C2 traffic include Cobalt Strike, the Agent Tesla RAT, the Pykspa worm, and the polymorphic Virut virus.
editor@itworld.co.kr


