Quad9 Cybersecurity Trends and Insights | January 2023
A Monthly Insight into Quad9’s Top Blocks
In December 2022, Quad9 started publishing a monthly, in-depth report that explores the trending DNS lookups of malicious host names that we blocked during the prior month. Each month, Quad9 users will be able to download the entire report, which will provide a breakdown of several cybersecurity metrics, including but not limited to the prior month’s highest trending malware by volume of attempted domain access and type.
This type of information is valuable in that it further sheds light on the most prominent malware, phishing, spyware, and botnet threats of which individuals and network administrators should be aware. For Quad9 users, the information found in the monthly reports are more than supplemental intel surrounding trending cybersecurity and privacy threats. They also serve as additional peace of mind that Quad9’s public and free DNS service is helping to provide its users with a safer, more private online experience.
Quad9 Identified Cybersecurity Threat Trends – December 2022 Data
Last month, Quad9 observed a diverse array of threat categories. Among the many categories of threats blocked and analyzed were DDoS, stalkerware, banking trojans, backdoor threats, remote access trojans (RATs), browser hijacking threats, and loader threats. The graphic below represents Quad9’s identified malware trends by threat category during December 2022 — all of which were blocked by Quad9.
The graph above represents malware trends observed and blocked by Quad9 during December 2022. Due to the volume of DNS requests, Quad9 does not collect all the DNS requests, thus analyzed samples were recorded two times daily for the duration of 60 seconds. Source: Quad9.net
As expected, based on historical trends, DDoS attack vectors continued to grow during December 2022, securing their spot as the largest threat by volume. Among the top ten domains blocked by Quad9, the following malware families were attributed to DDoS attack vectors: Fodcha, Chaos, and Kaiji.
Similar to November 2022, fridgexperts[.]cc was identified as the domain with the highest number of prevented access attempts. This domain is attributed to Fodcha Command and Control (C2) server. Fodcha Command remains a relatively new, yet powerful DDoS botnet, discovered by 360 Netlab researchers in April 2022. This DDoS botnet has caused quite a stir within the cybersecurity community, as researchers report the latest version having grown to an unprecedented scale.
During December 2022, blocked access attempts for Chaos malware increased nearly four times when compared to the volume identified during November 2022 — jumping 283%. The domain associated with Chaos, which is a predecessor to Kaiji malware, was ars1.wemix[.]cc. Chaos is a multifunctional malware that targets Windows and Linux systems as well as Internet of Things (IoT) devices.
Stalkerware threats are becoming a growing concern. Stalkerware applications are a form of spyware that record a user’s conversations, locations, and device input (keylogging). This type of spyware is often done under the guise of a legitimate application. The domain with the highest volume of blocked access attempts was ixhtb.s9gxw8[.]com, from which Quad9 identified nearly 37,000 access attempts during the month.
During December 2022, Quad9 also blocked a new domain, turnscor[.]com which had a high volume of access attempts attributed by Mandiant to North Korean backdoor threat, BLINDINGCAN. Backdoor threats can provide threat actors with the ability to execute backdoor commands like file transfers, file management, and command execution on the targeted device.
Although DDoS threats represented the most frequent access attempts during the month, they were far from the _only _cause for concern. Upon analysis of five domains with a high access attempt rate during the month, Quad9 attributed malware threat types to banking trojan, remote access trojan, loader, and browser hijacking threats:
Source: quad9.net – December 2022
The Takeaway
Quad9’s mission is to improve the security and stability of the internet, creating an ecosystem where users are less vulnerable to risks and more effective in their daily online interactions. By preventing connections to known malicious sites, Quad9 reduces exposure risks before they are downloaded to a device or before potential victims gain access to fraudulent websites.
Access the full December 2022 report.
References:
1. https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/
2. https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
3. https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html<\sub>