Home / Industry

Gathering Context Around Emotet, Trickbot, and Dridex C&C Servers with Bulk IP Geolocation

Protect your privacy:  Get NordVPN  [73% off 2-year plans, 3 extra months]

Dridex, Trickbot, and Emotet are banking Trojans that have enabled cybercrime groups to steal hundreds of millions of dollars from their victims. These malware have evolved over the years, and just recently, Emotet was seen using stolen attachments to make their spam emails more credible. As with other malware types, once Trickbot, Dridex, and Emotet infect a victim’s device, they communicate with their command-and-control (C&C) servers. From there, the attackers can control the infected machines turning them into a resource for malicious activities.

One may wonder where in the world these C&C servers are located (or at least appear to be). We decided to look into this further using our IP geolocation intelligence and conducted a short study to determine malware and botnet C&C servers’ usual locations and other details with our bulk IP address location API.

The Data: IP Blocklist

We obtained a list of IP addresses from Feodo Tracker, which contained IP addresses tagged as indicators of compromise (IoCs) for Trickbot, Dridex, and Emotet. The recommended blocklist, which has fewer false positives than the aggressive list, was last updated on 16 September 2020. It contained 836 IP addresses associated with C&C servers.

The Findings: C&C Server Locations Revealed by Bulk IP Geolocation

Bulk IP geolocation allows users to obtain the geolocation of as many as 100,000 IP addresses with one API call. Below are our findings using the capability to analyze C&C server locations.

The U.S. Takes the Lead

The 836 IP addresses on the IP blocklist are distributed across 88 countries, with the U.S. leading the pack. Our bulk IP geolocation query returned 182 IP addresses located in the U.S. Moreover, about 54% of these IP addresses belong to these Internet service providers (ISPs):

  • Charter Communications (35 IP addresses)
  • Digital Ocean (21 IP addresses)
  • ITL-Bulgaria Ltd. (13 IP addresses)
  • Comcast Cable Communications (12 IP addresses)
  • Linode (9 IP addresses)
  • Frontier Communications Corporation (9 IP addresses)

A majority of the U.S. IP addresses are located in California (46), New York (18), and New Jersey (16).

Top ISPs

The IP addresses on the Feodo Tracker are spread over 400 Internet service providers (ISPs). We ranked them according to ISP with the highest number of C&C servers, and the top 12 are:

  1. Charter Communications
  2. Digital Ocean
  3. OVH
  4. Telmex
  5. Turk Telekom
  6. ITL-Bulgaria Ltd.
  7. Linode
  8. Comcast Cable Communications
  9. NTT Communications Corporation
  10. Telstra
  11. Emirates Integrated Telecommunications Company
  12. Fibertel

Top 20 Countries with the Highest Number of C&C Servers versus Top 20 Wealthiest Countries

Some 611 or 73% of the malicious IP addresses belong to the top 20 countries. Each country has no less than 10 malicious IP addresses each.

  1. U.S.
  2. Argentina
  3. Germany
  4. Japan
  5. Brazil
  6. Mexico
  7. U.K.
  8. France
  9. Turkey
  10. Colombia
  11. Russia
  12. Indonesia
  13. Australia
  14. Italy
  15. Spain
  16. India
  17. Vietnam
  18. Singapore
  19. South Africa
  20. Chile

Of the top 20 countries with the highest number of C&C servers,15 pertained to the world’s top 20 economies based on gross domestic product (GDP). A potential reason for this is that developed countries typically have advanced infrastructure, especially server hosting offered by larger ISPs with many subscribers, at a cheaper cost.

In fact, about half of the malware attacks in 2018 targeted the U.S., which also tops our list of countries. In a more recent study, seven out of the top 10 countries with the highest number of banking malware victims are also among the top 20 countries with the highest C&C server concentration we found.

Associated Domains

Our bulk IP address location lookup also returned associated domains for most of the IP addresses. The image below shows some examples of these associated domains.

We examined three of the domains highlighted in the image above in one of our investigations (dnb[.]tkk[.]mybluehost[.]me, iaml[.]com, and server[.]dnb[.]tkk[.]mybluehost[.]me). At that time, our reverse IP lookup for 162[.]241[.]92[.]219 returned these three domains. At present, however, one more domain—hccydsm[.]sitelockcdn[.]net—was added to the list, highlighting the need for regular monitoring of malicious IP addresses and their domain associations.


Cybercriminal groups that have used Dridex, Emotet, Trickbot, and other malware forms have stolen millions of dollars from banks and individuals alike. As organizations need to prevent malware from infiltrating their networks, gathering context around C&C servers may help pinpoint attack origins. We illustrated how bulk IP address location lookups could help in this area among others—check this blog for other purposes of IP geolocation.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC