The United States is home to the highest percentage of malware command and control (C2) infrastructure – 35% of the global total, according to new research published by phishing defense and threat intelligence firm Cofense. In addition, 27% of network Indicators of Compromise (IoCs) from phishing-borne malware are either located in or proxied through the United States. Cofense data show that Russia is in second place with 11%, followed by the Netherlands and Germany with 5% apiece and Canada with 3%.
C2 infrastructure is used by attackers to communicate with malware-infected hosts: to issue commands, download new malware modules, and exfiltrate data. Cofense explained that just because the C2 infrastructure is hosted in the United States does not necessarily mean that more attacks are being conducted on U.S. residents than on residents of other countries. It is common for attackers to host their C2 infrastructure outside their own country to make it harder for the authorities to identify their activities. C2 infrastructure is also commonly located in countries that do not have an extradition agreement with the countries whose residents are being targeted.
Threat actors are more concerned with locating their C2 infrastructure wherever it minimizes their risk than with placing it in any specific country. Cofense notes that “C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence of host compromises within the United States.” That of course makes perfect sense, as there are more potential hosts to compromise in the United States than in other countries.
“Some organizations will block any connections coming from countries known for the origination of malicious activity that they do not do business with,” explained Darrel Rendell, principal intelligence analyst at Cofense. That would make hosting C2 infrastructure in the United States advantageous, as connections between malware and those servers would be less likely to raise red flags.
In a recent blog post, Cofense provides examples of the distribution of C2 infrastructure using two common banking Trojans: TrickBot and Geodo. Both banking Trojans are extensively used in attacks on Western countries, and attacks have increased in frequency in 2018. The two Trojans are distinctly different as they belong to different malware families and are used by different threat actors.
In both cases, the infrastructure is growing and the C2 locations are highly varied, although the data show very different distributions of C2 infrastructure for each malware family. TrickBot’s primary location for its C2 infrastructure is Russia, followed by the U.S. Geodo, on the other hand, primarily uses the U.S., followed by Germany, France and the United Kingdom, with next to nothing located in Russia.
Cofense notes that while the differences between the two appear odd at first glance, their distributions make sense. Geodo uses compromised legitimate web servers as reverse proxies, which relay traffic onward to the hidden C2 servers behind them. TrickBot, on the other hand, hosts its infrastructure on Virtual Private Servers (VPSs) acquired specifically for that purpose. Its C2 may be largely in the East, but it is predominantly used to attack the West, and much of its C2 infrastructure is in countries that lack an extradition agreement with the United States. That said, some infrastructure is in the U.S. and European countries, which could be an attempt to make its infrastructure more difficult to profile.
Cofense explains that this extensive and widely distributed C2 infrastructure not only helps to ensure these two threats remain active for longer, but also means that using geolocation to differentiate legitimate from malicious traffic may not be particularly effective.