During every quarter last year, between 10% and 16% of organizations had DNS traffic originating on their networks towards command-and-control (C2) servers associated with known botnets and various other malware threats, according to a report from cloud and content delivery network provider Akamai.
More than a quarter of that traffic went to servers belonging to initial access brokers, attackers who sell access into corporate networks to other cybercriminals, the report stated. “As we analyzed malicious DNS traffic of both enterprise and home users, we were able to spot several outbreaks and campaigns in the process, such as the spread of FluBot, an Android-based malware moving from country to country around the world, as well as the prevalence of various cybercriminal groups aimed at enterprises,” Akamai said. “Perhaps the best example is the significant presence of C2 traffic related to initial access brokers (IABs) that breach corporate networks and monetize access by peddling it to others, such as ransomware as a service (RaaS) groups.”
Akamai operates a large DNS infrastructure for its global CDN and other cloud and security services and is able to observe up to seven trillion DNS requests per day. Since DNS queries attempt to resolve the IP address of a domain name, Akamai can map requests that originate from corporate networks or home users to known malicious domains, including those that host phishing pages, serve malware, or are used for C2.
Malware could affect a very large pool of devices
According to the data, between 9% and 13% of all devices seen by Akamai making DNS requests in a given quarter tried to reach a malware-serving domain. Between 4% and 6% tried to resolve known phishing domains, and between 0.7% and 1% tried to resolve C2 domains.
The percentage for C2 domains might seem small at first glance compared to malware domains, but consider that this is a very large pool of devices, capable of generating 7 trillion DNS requests per day. A request to a malware-hosting domain doesn’t necessarily translate to a successful compromise, because the malware might be detected and blocked before it executes on the device. A query for a C2 domain, however, suggests an active malware infection.
Organizations can have thousands or tens of thousands of devices on their networks, and a single compromised device can lead to a complete network takeover, as in most ransomware cases, because attackers use lateral movement techniques to jump between internal systems. When Akamai’s C2 DNS data is viewed per organization, more than one in 10 organizations had an active compromise last year.
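A simplified version of the matching the report describes, as an added example that is not Akamai’s own tooling: constructed DNS query log lines are checked against a small constructed list of domains tagged malware, phishing or C2, a query matches on the exact name or any parent domain, and the output gives the share of devices per category plus the organizations with at least one C2 lookup, which the article treats as the signal of an active infection.

```python
# Added example (not Akamai's code): classify DNS query logs against a
# threat-category domain list, then report the share of devices per category
# and which organizations show C2 lookups (likely active infections).
from collections import defaultdict

# Constructed blocklist: domain -> category. Real threat feeds are far larger.
BLOCKLIST = {
    "malware-drop.example": "malware",
    "login-verify.example": "phishing",
    "beacon.example": "c2",
}

# Constructed log lines in the form "<org> <device-id> <queried name>"
SAMPLE_LOG = """\
acme dev-01 www.example.org
acme dev-01 cdn.malware-drop.example
acme dev-02 login-verify.example
acme dev-03 beacon.example
globex dev-10 www.example.org
globex dev-11 login-verify.example
initech dev-20 mail.example.org
"""

def classify(qname: str):
    """Return the blocklist category for qname or any parent domain, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = BLOCKLIST.get(".".join(labels[i:]))
        if cat:
            return cat
    return None

def summarize(log_text: str):
    """Return (category -> share of devices, sorted orgs with a C2 lookup)."""
    devices = set()
    hits = defaultdict(set)      # category -> set of devices that queried it
    c2_orgs = set()
    for line in log_text.splitlines():
        org, dev, qname = line.split()
        devices.add((org, dev))
        cat = classify(qname)
        if cat:
            hits[cat].add((org, dev))
            if cat == "c2":
                c2_orgs.add(org)
    share = {c: len(d) / len(devices) for c, d in hits.items()}
    return share, sorted(c2_orgs)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```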
“Based on our DNS data, we saw that more than 30% of analyzed organizations with malicious C2 traffic are in the manufacturing sector,” the Akamai researchers said. “In addition, companies in the business services (15%), high technology (14%), and commerce (12%) verticals have been impacted. The top two verticals in our DNS data (manufacturing and business services) also resonate with the top industries hit by Conti ransomware.”
Botnets account for 44% of malicious traffic
Akamai broke the C2 traffic down further into several categories: botnets, initial access brokers (IABs), infostealers, ransomware, remote access trojans (RATs), and others. Botnets were the top category accounting for 44% of the malicious C2 traffic, not even taking into account some prominent botnets like Emotet or Qakbot whose operators are in the business of selling access to systems and were therefore counted in the IAB category. However, most botnets can technically be used to deliver additional malware payloads and even if their owners don’t publicly sell this service, some have private deals. For example, the TrickBot botnet had a private working relationship with the cybercriminals behind the Ryuk ransomware.
The largest botnet observed by Akamai in C2 traffic originating from enterprise environments is QSnatch which relies on a piece of malware that specifically infects the firmware of outdated QNAP network-attached storage (NAS) devices. QSnatch first appeared in 2014 and remains active to date. According to a CISA advisory, as of mid-2020, there were over 62,000 infected devices worldwide. QSnatch blocks security updates and is used for credential scraping, password logging, remote access, and data exfiltration.
IABs were the second largest category in C2 DNS traffic, with the biggest threats in this group being Emotet, with 22% of all infected devices, and Qakbot with 4%. Emotet is one of the largest and longest-running botnets used for initial access into corporate networks by multiple cybercriminal groups. Moreover, over the years, Emotet has been used to deploy other botnets, including TrickBot and Qakbot.
Malware with links to noted ransomware gangs
In 2021, law enforcement agencies from multiple countries, including the US, the UK, Canada, Germany, and the Netherlands, managed to take over Emotet’s command-and-control infrastructure. However, the takedown was short-lived, and the botnet is now back with a new iteration. Emotet started as an online banking trojan but has morphed into a malware delivery platform with multiple modules that also give its operators the ability to steal emails, launch DDoS attacks, and more. Emotet also had known relationships with ransomware gangs, most notably Conti.
Like Emotet, Qakbot is a botnet used to deliver additional payloads and has working relationships with ransomware gangs, for example Black Basta. The malware is also known to leverage the Cobalt Strike penetration testing tool for additional functionality and persistence, and it has information-stealing capabilities.
Although botnets are known to deliver ransomware, once deployed such programs have their own C2s that are also represented in Akamai’s DNS data. Over 9% of devices that generated C2 traffic did so to domain names associated with known ransomware threats. Of these, REvil and LockBit were the most common ones.
“Our recent analysis of the methodology of modern ransomware groups, such as the Conti group, showed that sophisticated attackers often assign operators to work ‘hands on keyboard’ in order to quickly and efficiently progress an attack,” Akamai researchers said. “The ability to view and block C2 traffic can be pivotal to stopping an ongoing attack.”
Infostealers were the third most common category by C2 traffic, accounting for 16% of devices observed by Akamai. As their name suggests, these malware programs are used to steal information that is valuable to attackers and enables further attacks, such as usernames and passwords for various services, authentication cookies stored in browsers, and other credentials stored locally by other applications. Ramnit, a modular infostealer that can also be used to deploy additional malware, was the top threat seen in this category. Other notable threats seen in C2 traffic included Cobalt Strike, the Agent Tesla RAT, the Pykspa worm, and the Virut polymorphic virus.