By Mollie MacDougall and Darrel Rendell
Cofense Intelligence™ has found that 27% of network Indicators of Compromise (IoC) from phishing-borne malware analysed during 2018 used C2 infrastructure located in, or proxied through, the United States—making the US the leader in global malware C2 distribution.
Map 1 details these observations. This does not indicate that US-based users are getting hit disproportionately, as threat actors are incentivised to host C2 infrastructure outside of their own country or countries with extradition agreements with their host nations to avoid arrest and/or extradition. However, C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence of host compromises within the United States.
Map 1: All IPs, both resolved from domain and names and direct-connects, observed during 2018
Chart 1 reflects the top 5 data points observed in Map 1, calculated relative to one another.
Chart 1: Top 5 C2 location points across the globe, year-to-date 2018.
Maps 2 and 3 detail the juxtaposition in C2 locations between TrickBot and Geodo Tier 1 proxy nodes.
Map 2: TrickBot C2 distribution year-to-date 2018
Map 3: Geodo C2 distribution year-to-date 2018
At first glance, the contrast between Geodo and TrickBot may seem odd; Geodo overwhelmingly favors US hosts whereas TrickBot has a propensity toward Russian devices. However, Geodo uses networks of compromised web servers, running Nginx to serve as Tier 1 proxy nodes. More specifically, Geodo uses legitimate web servers as a reverse proxy, tunnelling traffic through these legitimate web servers to hosts on the true hidden C2 infrastructure. TrickBot, on the other hand, almost exclusively uses for-purpose Virtual Private Servers (VPSs) to host its nefarious infrastructure.
TrickBot’s C2 distribution trends significantly more eastward—with a greater number of C2 locations in Eastern Europe and Russia. TrickBot campaigns almost always target Western victims. In June, Cofense Intelligence released a report detailing sustained, pernicious attacks against UK targets. TrickBot’s targeting of Western victims from Eastern-hosted C2 could be due to the lack of extradition agreements amongst those countries (Figure 1). Still, TrickBot does rely on some C2 locations in North America and Western Europe. This could alternatively be a strategic move wherein TrickBot uses regionally diverse C2 locations to make it more difficult to profile its infrastructure, to introduce uncertainty and help keep the hosts viable for the longest possible time. Chart 2 is a companion of Map 2, detailing TrickBot’s favored demographics.
Chart 2: A breakdown of TrickBot’s C2 locations. Note: In the ‘Other’ category, 64% are Eastern (including Eastern European).
The scattering of C2 locations for Geodo and TrickBot demonstrates the vast infrastructure of two of the most pernicious malware currently distributed via phishing. This suggests that these malware families will almost certainly remain on the scene in the months to come. An avid network defender should take note that using geolocation to help differentiate legitimate traffic from potentially malicious traffic may not be as effective as it seems. In light of the case study above, it would be prudent to actively monitor the threat landscape from a reliable source and stay vigilant.
To learn more about 2018 Geodo and TrickBot activity, view the Cofense™ analysis.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.