Malware Trends: January - March 2024

2024 began with an unprecedented rise in domain names reported for hosting malware.

The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO). The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase).

All but one registrar (DynaDot at 88%) in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported. These exceptionally high percentages are a result of these registrars having very few (no more than a couple hundred) malware domains reported in the Oct-Dec 2023 quarter but (tens of) thousands of malware domains in this quarter.

We have repeatedly observed similar (but not so dramatic) swings in domains reported for phishing, but this is the first such swing for malware. This suggests that some (combination of) policy, practices, processes or pricing that repeatedly contributes to a pandemic phishing landscape may now be attracting malware actors as well.

We collected over 11,000 reports of malicious scripts during this period. Many scripts or derivatives of scripts are identified but reported with insufficient metadata to classify by name.

Malware used to exploit WordPress blog sites accounted for nearly all the malicious documents reported this period. This malware may add malicious redirects or spam links to illegal pharma sites, or link to a drive-by malware executable.

Attackware and Traffic Injectors

IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors also showed a fourfold increase, but the increase from approximately 250,000 to over 1 million addresses is the more disturbing trend. Attackware increases are indicators that attackers are scanning for opportunities to disrupt or break into targeted systems or services. The increased use of injectors to post unwanted advertisements or malicious URLs, or to pollute PHP, HTTP, or Web forums with posts containing inappropriate or malicious content, is equally worrisome.

IS THIS THE BEGINNING OF AN INDUSTRY-WIDE CRISIS?

Registrar                                  Increase in malware domains reported (1Q2024 vs. Oct-Dec 2023)
Alibaba.com Singapore E-Commerce           +38,400%
Gname.com Pte.                             +8,339%
OwnRegistrar                               +2,377%
Hosting Concepts                           +1,962%
Hostinger                                  +1,188%
Name.com, Inc.                             +1,141%

Malware Hosting

Unique IPv4 addresses reported as serving or distributing malware decreased slightly. We still identified over 1M addresses hosting malware, so that’s hardly good news. Four of the hosting networks ranked in the top 5 remained the same (No.31, Jin-rong Street; Bharat Sanchar Nigam Ltd; CHINA UNICOM China169 Backbone; DigitalOcean, LLC). Cloudflare leaped from #16 to #4 with a near 900% increase in IPv4 addresses reported. MovilNET, the previous quarter’s occupant of the #4 spot, dropped to #17.

Endpoint Malware

IoT Malware

We observed a fourfold increase in reported IoT Malware.

It’s too early to speculate whether the Mozi malware increase is an anomalous event, an indication of a resurrected network, or the onset of new IoT campaigns.