Malware Trends, July - September 2022

Contributed by Dave Piscitello, Interisle Consulting Group

Mozi malware remains the most frequently identified IoT malware. However, we saw a dramatic drop in reports of Mozi malware from 120,442 reports in the April - June period to 33,584 in the current period.

Reports decreased for Mirai as well.

Hajime malware reports increased over 500%, peaking in July.

Infostealers were again the most reported Endpoint Malware. We observed a 36% increase overall.

92% of the reported infostealer malware were Quakbot variants.

~20% of the Qakbot malware was reported in four IP prefixes: 162.240.0.0/15, 162.241.0.0/16, 192.185.0.0/18 and 192.185.128.0/18. These are all delegated from Unified Layer (AS 46606) .

The malware trends reported here complement the malware activity reported for Top-level Domains, domain registrars, and hosting networks during the January 1, 2022 - March 31, 2022 period.

If you have a novel use for Cybercrime Information Center Data and are interested in writing a blog to share with our community, contact us at

criminaldomainabuse@interisle.net

Our quarterly Malware Activity pages report where we observe malware by Top-level Domains, Domain Registrars, and Hosting Networks. Here, we share some closer looks at the malware landscape.

Vulnerability scanners were the most frequently reported attack ware, appearing in 52% of malware reports for which we have an identified Malware Name (52%). This is an enormous increase over the 29% reported for the April - June 2022 quarter.

The reported traffic injector malware decreased by 28% in the July - September 2022 period. Reductions in reports identifying brute-force, DDoS and SSH attack ware most contributed to the decrease. Reports of malicious IPs that targeted Apache and VPN endpoints increased.

More than 20,000 IPv4 addresses were reported for IoT Malware in each of these hosting networks:

  • AS 4134 CHINANET-BACKBONE No.31

  • AS 4837 CHINA169-BACKBONE CHINA UNICOM China169 Backbone

  • AS 54994 QUANTILNETWORKS

  • AS 3786 LGDACOM LG DACOM Corporation

Most malware reports that we process identified the IP address of the host. For this period, we processed ~74K endpoint malware records URLs that contained domain names, and from these we identified ~24K unique domain names, a 25% decrease from the prior reporting period. Of the endpoint malware hosted at URLs containing domain names, zmnrz[dot]com accounted for 22% , and zol[dot]com[dot]cn accounted for 15%.

We observed six hosting networks with over 15,000 reported malicious IPs for the July - September period:

  • AS 4134 CHINANET-BACKBONE No.31

  • AS 3786 LGDACOM LG DACOM Corporation

  • AS 23688 LINK3-TECH-AS-BD-AP Link3 Technologies Ltd.

  • AS 4837 CHINA169-BACKBONE CHINA UNICOM China169 Backbone

  • AS 14061 Digital Ocean

  • AS 4766 KIXS-AS-KR Korea Telecom