Summary of Malware Activity
January 1, 2021 - June 30, 2021
Interisle Consulting Group used malware report data collected at the Cybercrime Information Center to measure which malware was most prevalent, where malware was served from or distributed, and what resources criminals used to pursue their attacks. A summary of their report, Malware Landscape 2021: A Study of the Scope and Distribution of Malware, is published below.
Key Statistics
Table 1 provides a summary of key statistics from the January - June 2021 study period.
Measurement | Endpoint Malware | IoT Malware | Uncategorized | Total |
---|---|---|---|---|
Total number of malware reports from threat feeds | 307,007 (18%) | 392,107 (23%) | 986,919 (59%) | 1,686,033 |
Unique domain names reported that were identified in malware reports | 16,983 | 14 | 20,869 | 35,294 |
Top-level domains where we observed malware domains | 336 | 10 | 299 | 296 |
Registrars that had domains under management reported for malware | 328 | 6 | 409 | 512 |
Number of Internet Addresses (IPv4) where malware was hosted | 198,963 | 250,493 | 47,634 | 272,017 |
Hosting Networks (ASNs) where malware web sites were reported | 2,906 | 3,826 | 1,941 | 5,576 |
Table 1. Key malware statistics, January 2021 - June 2021
Domain names are essential resources for spam and phishing attacks, but the malware report data collected by the Cybercrime Information Center reveals that they are less commonly used for serving malware or for malware distribution.
The majority of malware reports identify or include IPv4 addresses rather than domain names. No IPv6 addresses appeared in the malware report data collected by the Cybercrime Information Center.
For reporting purposes, the Cybercrime Information Center uses a taxonomic ranking developed by Interisle Consulting Group (see Malware Terminology). This ranking separates malware by the devices it targets into two sub-families:
IoT malware. Targets Internet of Things (IoT) devices: routers, sensors, DVR or IP cameras, wearables, and embedded technologies.
Endpoint malware. Compromises mostly human-attended devices, such as a laptop, phone, tablet, or server, through a user action such as opening an email attachment or visiting a malicious URL in a browser.
While malware generally increased during the January - June 2021 period, IoT Malware showed a greater increase month over month than Endpoint Malware.
By the counts in Table 1, IoT Malware accounted for 23% of all malware records collected (392,107 of 1,686,033), and for 56% of the records that Interisle Consulting Group was able to classify as either Endpoint or IoT Malware (392,107 of 699,114). The two shares differ because 59% of the records could not be categorized.
Nearly all the records associated with IoT Malware were identified as Mozi malware (370,956 of 376,194, or 99%). Gafgyt (Bashlite) accounted for approximately 1% (4,480), and bots that exploit Secure Shell (SSH) to gain remote administrative control for about 0.1% (381).
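The measurements summarized in Table 1 and the sub-family shares above rest on a few mechanical steps: pull the host out of each reported indicator, decide whether it is an IPv4 address, an IPv6 address or a domain name, count unique hosts and TLDs per sub-family, and compute shares against the right denominator (all records versus classified records). The script below works through those steps on a handful of constructed records. It is an added example and not code from the Cybercrime Information Center or Interisle Consulting Group; the record layout, the family-to-sub-family map (`SUBFAMILY`) and the sample records are assumptions made for illustration.

```python
"""Aggregate malware report records the way Table 1 does.

Added example; it is not the Cybercrime Information Center's or Interisle
Consulting Group's own code. The record layout, the family-to-sub-family
mapping and the sample records below are constructed for illustration.
"""
import ipaddress
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumed taxonomy: lower-case family name -> sub-family. A family that is
# missing from the map is counted as "Uncategorized", as in Table 1.
SUBFAMILY = {
    "mozi": "IoT Malware",
    "gafgyt": "IoT Malware",
    "mirai": "IoT Malware",
    "emotet": "Endpoint Malware",
    "trickbot": "Endpoint Malware",
}

# Constructed sample feed records: (indicator as reported, family tag or None).
SAMPLE_RECORDS = [
    ("http://203.0.113.7:6000/bin.sh", "mozi"),
    ("http://203.0.113.7:6000/bin.sh", "mozi"),   # second report, same host
    ("http://198.51.100.22/x86", "Mozi"),
    ("192.0.2.9", "gafgyt"),                       # bare address, no URL
    ("http://[2001:db8::1]/payload", "mirai"),     # IPv6 literal in brackets
    ("http://malware-example.com/doc.exe", "emotet"),
    ("http://cdn.malware-example.com/a.dll", "emotet"),
    ("https://loader.example.net/x", "trickbot"),
    ("http://198.51.100.22/unknown.bin", ""),      # no family tag
    ("evil.example.org", None),                    # bare hostname
]


def classify_indicator(indicator):
    """Return (kind, host) with kind in {"ipv4", "ipv6", "domain"}.

    Accepts a full URL, a bare host, or a bare address; ports, paths and
    IPv6 brackets are stripped by urlsplit before the address test.
    """
    text = indicator.strip()
    if "://" not in text:
        text = "//" + text  # lets urlsplit treat a bare host[:port] as netloc
    host = urlsplit(text).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "domain", host
    return ("ipv4" if addr.version == 4 else "ipv6"), host


def summarize(records):
    """Per sub-family and in total: report count and unique domains, TLDs,
    IPv4 and IPv6 addresses. Also returns a (sub-family, family) counter."""
    buckets = defaultdict(lambda: {"reports": 0, "domains": set(), "tlds": set(),
                                   "ipv4": set(), "ipv6": set()})
    families = Counter()
    for indicator, family in records:
        name = (family or "").strip().lower()
        sub = SUBFAMILY.get(name, "Uncategorized")
        kind, host = classify_indicator(indicator)
        for b in (buckets[sub], buckets["Total"]):
            b["reports"] += 1
            if kind == "domain":
                b["domains"].add(host)
                b["tlds"].add(host.rsplit(".", 1)[-1])
            else:
                b[kind].add(host)  # sets, so repeated hosts count once
        if sub != "Uncategorized":
            families[(sub, name)] += 1
    counts = {sub: {k: (v if k == "reports" else len(v)) for k, v in b.items()}
              for sub, b in buckets.items()}
    return counts, families


def subfamily_shares(counts):
    """(share of all records, share of classified records) per sub-family.
    The two denominators differ whenever records are left uncategorized."""
    total = counts["Total"]["reports"]
    classified = total - counts.get("Uncategorized", {}).get("reports", 0)
    return {sub: (c["reports"] / total, c["reports"] / classified)
            for sub, c in counts.items()
            if sub not in ("Total", "Uncategorized")}


def family_shares(families, sub):
    """Fraction of a sub-family's records attributed to each family."""
    rows = {fam: n for (s, fam), n in families.items() if s == sub}
    denom = sum(rows.values())
    return {fam: n / denom for fam, n in rows.items()}


if __name__ == "__main__":
    counts, families = summarize(SAMPLE_RECORDS)
    for sub, c in counts.items():
        print(sub, c)
    print(subfamily_shares(counts))
    print(family_shares(families, "IoT Malware"))
```

Two details matter when reproducing counts like Table 1's. First, the same address reported under several families is counted once in each sub-family column and once in the total, so the per-column IPv4 figures can sum to more than the total column. Second, a share quoted without its denominator is ambiguous; `subfamily_shares` returns both the share of all records and the share of classified records so the two are never confused.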
Mozi IoT malware was distributed across many hosting networks. Figure 14 shows the five ASNs with the most IP addresses reported for serving Mozi malware, representing 84% of all Mozi records. Three of these hosting networks are based in China, one in India, and one in Albania. Mozi malware accounted for 80-95% of IoT malware reported in these five ASNs.
Figure 4 shows the endpoint malware most frequently reported during January - June 2021. See the Malware Terminology page for a description of the taxonomic ranking of malware used for analyses here and for the report, Malware Landscape 2021: A Study of the Scope and Distribution of Malware, by Interisle Consulting Group.
Tables that identify the top-level domains where malware domains were observed, the registrars that had domains under management reported for malware, and the hosting networks (ASNs) where malware web sites were reported can be downloaded from the Cybercrime Information Center's Records repository.