Summary of malware activity: January - March 2023
Endpoint malware
A majority of endpoint malware reports was concentrated in a small number of Autonomous Systems (hosting networks).
Over 1,100 ASNs had IP addresses reported for hosting endpoint malware. Of the nearly 53,000 endpoint malware reports, 33% were reported to CHINA UNICOM China169 Backbone (AS4837) and 20% were reported to QUANTILE NETWORKS INC (AS54994).
Unique domains reported for hosting malware decreased 38%.
COM, CN, and ORG had the most unique domains reported for hosting endpoint malware.
Alibaba Cloud Computing Co., Ltd. and eName Technology Co., Ltd. were the top gTLD registrars identified as having malware domains under management.
The vast majority of the malware reports that we process associate malware with IPv4 addresses. Of the unique domains that were reported for hosting malware, we determined that 30% were maliciously registered.
For the period, the Gozi and Quackbot infostealers and the Gafgyt backdoor were the most frequently reported endpoint malware.
IoT Malware
Mozi malware accounted for 88% of IoT malware reported.
82% of the IoT malware reported during this period was associated with IPv4 addresses from four Asia-Pacific ASNs:
CHINA UNICOM China169 Backbone (AS4837)
Bharat Sanchar Nigam Ltd. (AS9829)
Asia Pacific Network Information Centre (AS4134)
China Unicom IP network China169 Guangdong province (AS17816)
Malicious Traffic Sources
Reports of attackware and traffic injectors for the current period decreased 30% from the prior period.
Traffic injectors represented 60% of malicious traffic sources reported: nearly one-half of these reports identified PHP forum spammers, and 12% identified HTTP spammers.
Of the attackware reported, 55% of the reports identified vulnerability scanners, and 30% identified SSH scanners.
For detailed reporting please visit the links below:
Quarterly Update: Key Statistics
Quarterly Update: Top Level Domains
Quarterly Update: Registrars
Quarterly Update: Hosting Networks