United States Leads the World as Key Host of Malware C2 Infrastructure

October 29, 2018


The United States hosts the largest share of malware command and control (C2) infrastructure, 35% of the global total, according to new research published by phishing defense and threat intelligence company Cofense. 27% of network Indicators of Compromise (IoCs) from phishing-borne malware are also either located in or proxied through the United States. Cofense data indicate that Russia is in second place with 11%, followed by the Netherlands and Germany with 5% each and Canada with 3%.

Attackers use C2 infrastructure to communicate with malware-infected hosts: to issue commands, download new malware modules, and exfiltrate data. Cofense explained that C2 infrastructure being hosted in the United States does not necessarily mean that more attacks are being carried out on U.S. residents than on those of other nations. It is common for attackers to host their C2 infrastructure outside their own country to make it harder for the authorities to identify their activities. C2 infrastructure is also often located in nations that do not have an extradition treaty with the host nation.

Threat actors are more concerned with finding a location for their C2 infrastructure that minimizes risk than with placing it in a particular country. Cofense notes that “C2 infrastructure is extremely prejudiced toward compromised hosts, showing a high occurrence of host compromises inside the United States.” That makes sense, since there are more potential hosts to compromise in the United States than in other nations.

“Some companies will obstruct any links coming from nations known for the origination of malevolent activity that they don’t do business with,” explained Darrel Rendell, the principal intelligence expert at Cofense. That would make hosting C2 infrastructure in the United States advantageous, as connections between malware and those servers would be less likely to raise red flags.

In a recent blog post, Cofense provides examples of the distribution of C2 infrastructure using two common banking Trojans: TrickBot and Geodo. Both banking Trojans are widely used in attacks on Western nations, and attacks have increased in frequency in 2018. The two Trojans are markedly different: they belong to different malware families and are used by different threat actors.

In both cases, the infrastructure is growing and the C2 locations are highly diverse, although the data show very different distributions of C2 infrastructure for each malware variant. TrickBot’s main location for its C2 infrastructure is Russia, followed by the U.S. Geodo, on the other hand, mainly uses the U.S., followed by Germany, France and the United Kingdom, with next to nothing located in Russia.

Cofense notes that although the differences between the two seem odd at first glance, their distribution makes sense. Geodo uses legitimate web servers as reverse proxies, which then relay traffic via actual servers to hosts on concealed C2 infrastructure. TrickBot, in contrast, uses Virtual Private Servers (VPSs) set up for the purpose to host its infrastructure. Its C2 may be mainly in the east, but it is mainly used to attack the west, and much of its C2 infrastructure is in nations that lack an extradition treaty with the United States. That said, some infrastructure is in the U.S. and European nations, which may be an attempt to make its infrastructure harder to profile.

Cofense explains that this extensive, widely distributed C2 infrastructure will not only help ensure these two threats remain active for longer, but also means that using geolocation to distinguish legitimate from malicious traffic may not be particularly effective.