Summary of malware activity: April - June 2023

Endpoint malware

Endpoint malware reporting decreased in 1Q2023 but is once again on the rise. We observed a 10% increase in 2Q2023.

Infostealers were the most frequently reported endpoint malware. Quakbot represented over 90% of infostealer malware that we could identify by name.

Backdoors (RATs) were the next most frequently reported endpoint malware. Gafgyt represented over 70% of backdoor/RAT malware that we could identify by name.

The number of unique domains reported for hosting malware was unchanged from the prior quarter.

COM, CN, and NET had the most unique domains reported for hosting endpoint malware.

IoT Malware

70% of the IoT malware reported during this period was associated with IPv4 addresses from three Asia-Pacific ASNs:

  1. Bharat Sanchar Nigam Ltd. (AS9829),

  2. CHINA UNICOM China169 Backbone (AS4837), and

  3. China Telecom Backbone (AS4134).

Malicious Traffic Sources

Reports of attackware and traffic injectors for the current period decreased 26% from the prior quarter.

Traffic injectors represented 80% of the malicious traffic sources reported. PHP forum spammers continued to constitute the majority of the traffic injectors reported.

Reports identifying vulnerability scanners decreased sharply.

SSH again dominated the attackware reported, but its share decreased to 48% from the 55% reported in 1Q2023.